Adding MachineKey To Web.config On Web-farm Sites / Padding Is Invalid And Cannot Be Removed
Oct 4, 2010
We (out IT partner really) recently changed some DNS for a web farmed site we have so that the two production server have round-robin DNS switching between the two. Prior to this switch we didn't really have problems with WebResource.axd files. Since the switch, when we hit the live public URL, we get an error:
CryptographicException
Padding is invalid and cannot be removed.
When we hit the specific servers themselves, they load fine. I've researched the issue and it seems since they're sharing assets between two servers, we need to have a consistent machineKey in the web.config for each server so they can encrypt and decrypt consistently between the two. My questions are:
Can I generate a machineKey via a tool on the server, or do I need to write code to do this?
Do I just need to add the machineKey to the web.config on each server or do you think I'll need to do anything else to make the two server work together? (Both web.config's currently do not have a machineKey)
I have all application errors sent to my email. I keep getting this:
mysite.com/webresource.axd?d=yacsx7hz0irzn_i7ifr3morrek9u6srdkqxsjvpn3mw1&t=633598204507656250 Padding is invalid and cannot be removed.
[Exception Info]
Stack Trace: at System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast) at System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount) at System.Security.Cryptography.CryptoStream.FlushFinalBlock() [code]....
i googled and read to add machineKey in my web.config <system.web> which i did: <machineKey validationKey='0EFA95136AEA44850D5CEDDF0CC7502B1A009.....' decryptionKey='E88EB13ADB2C3D395193AA71DBB1E...' validation='SHA1'/>
and added <pages masterPageFile enableViewStateMac="true" viewStateEncryptionMode="Auto"> to my masterpage.But i keep getting that error.
I am using following code to encrypt and decrypt files. It works fine in windows application but shows an error in asp.net class. It's using Riijandael method.
Error : padding is invalid and cannot be removed
Code:Public Sub EncryptOrDecryptFile(ByVal strInputFile As String, _ ByVal strOutputFile As String, _ ) [code]....
I'm using the ChangePassword method of membership provider to change the password and one of the requirement before calling the ChangePassword is to retrieve the current password. But I'm getting error:
I'm getting the following error in our QA environment but only through the IIS7 reverse proxy. If I hit the application server directly it works fine. In our DEV environment it works fine through the proxy or directly.
I'm not really sure where to go with this, Server Error in '/' Application.
Padding is invalid and cannot be removed.
Description: An unhandled exception occurred during the execution of the current web request.
Exception Details: System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed.
Source Error:An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:[CryptographicException: Padding is invalid and cannot be removed.] System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[] inputBuffer, Int32 inputOffset, [code].... Version Information: Microsoft .NET Framework Version:2.0.50727.4952; ASP.NET Version:2.0.50727.4927
We're getting this InternalSubStringWithChecks exception with our application's healthMonitoring. This exception is like the Padding is invalid and cannot be removed exception where it's being recorded and we're getting a notification email but the end user is unaware that an actual error has happened. Though we don't want our event log filled up with this rubbish! The stack trace is:
Parameter name: length at System.String.InternalSubStringWithChecks(Int32 startIndex, Int32 length, Boolean fAlwaysCopy) at System.Web.Handlers.AssemblyResourceLoader.System.Web.IHttpHandler.ProcessRequest [code]...
App is imported in the parent web.config file, Tom and App have classes with the same names.To avoid errors resulting from ambiguous class names I removed the App namespace from the sub-directory where the Tom namespace is used.
However the namespace App is still imported on content pages that have a master page outside the Tom directory. This causes the aforementioned errors.Here is my dir structure
-Root Directory --Default.master --web.config (App is added in web.config) --Tom Sub-diretory ---web.config (App is removed in web.config) ---Content page that uses Default.master (Here is the problem) ---Page without master (Works OK)
We have a cookie management library that writes a cookie containing some sensitive information, encrypted with Rijndael. The cookie encrypts and decrypts fine in unit tests (using Moq), works fine for MVC web applications, but when called from an ASP.net 2.0 website, the cookie cannot be decrypted. "Padding is invalid and cannot be removed."
We are sure that the cookie value is valid because we tested it 10,000 times with random data in a unit test. There is something about what ASP.NET 2.0 does when it reads and writes the cookie that causes trouble.
We have a scenario using asp.net Forms Authentication in a web farm and need to setup identical <machinekey /> sections on each servers .config file.
Is it better to store the <machinekey /> section in machine.config rather then web.config? what's the advantages and disadvantages of each approach concerning security?
If its not secure enough, is there any way to encrypt <machinekey /> section like we encrypt our connectionsstring (with DPAPI)? (http://msdn.microsoft.com/en-us/library/ms998280.aspx)
Since installing the security patch for the ASP.NET Oracle Padding vunerability any user that was keeping themselves logged in to our site is getting error messages when hitting any page.
With custom errors switched off a user sees the following information
Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Web.HttpException: Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
[HttpException (0x80004005): Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.]
I found an article which explains how to perform a Web.config transformation on an ASP.Net 4.0 Web Site, but all of my web sites are still running ASP.Net 3.5.[URL]
[URL]I know how to remove the Server response header with an HTTP Module based on the link above. I just want to know why it is necessary to remove it this way.
I am getting this wired error when I try to add another control on my user control. Is there a limitaion on how many controls we can have on a single user control?
I am interested in developing Web Parts that can be used in our ASP.NET sites and our SharePoint sites. An example Web Part I have in mind is a Post Code (Zip Code) look up.- Visual Studio 2010 Premium- SharePoint Designer 2007- Windows 2003 Server (therefore WSS 3.0)- No SharePoint Server
I had "Invalid viewstate" error in my application; I found out it's caused by worker process recycling, so I generated a <machinekey> section with explicit validationkey. refer to this link,[URL] My quesitons are 1. I have the application installed on dev, qa, stg and prd servers. Should I use the machinekey with the same(or different) validationkey for all the servers? I think it shouldn't be matter because the servers are independent from each other.
2. Where should I put the <machinekey> section, machine.config or individual application level's web.config? There are multiple applications on the server.
If I put it at the application level, does that mean other applications still may have the same "Invalid viewstate" error?
If I put it at the application level, should I add the <machinekey> section for all the other applications using the same validationkey?
I have some data I want to encrypt in an ASP.NET MVC application to prevent users from tampering with it. I can use the Cryptography classes to do the actual encryption/decryption, no problem there. The main problem is figuring out where to store the encryption key and managing changes to it.
Since ASP.NET already maintains a machineKey for various things (ViewData encryption, etc), I was wondering if there were any ASP.NET functions which let me encrypt/decrypt my own data using the machineKey? This way I would not have to devise my own key management system.