Adding MachineKey To Web.config On Web-farm Sites / Padding Is Invalid And Cannot Be Removed

Oct 4, 2010

We (out IT partner really) recently changed some DNS for a web farmed site we have so that the two production server have round-robin DNS switching between the two. Prior to this switch we didn't really have problems with WebResource.axd files. Since the switch, when we hit the live public URL, we get an error:

CryptographicException

Padding is invalid and cannot be removed.

When we hit the specific servers themselves, they load fine. I've researched the issue and it seems since they're sharing assets between two servers, we need to have a consistent machineKey in the web.config for each server so they can encrypt and decrypt consistently between the two. My questions are:

Can I generate a machineKey via a tool on the server, or do I need to write code to do this?

Do I just need to add the machineKey to the web.config on each server or do you think I'll need to do anything else to make the two server work together? (Both web.config's currently do not have a machineKey)

View 2 Replies


Similar Messages:

Security :: Getting Error/Padding Is Invalid And Cannot Be Removed.

Jan 15, 2010

I have all application errors sent to my email. I keep getting this:

mysite.com/webresource.axd?d=yacsx7hz0irzn_i7ifr3morrek9u6srdkqxsjvpn3mw1&t=633598204507656250
Padding is invalid and cannot be removed.

[Exception Info]

Stack Trace: at System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast)
at System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount)
at System.Security.Cryptography.CryptoStream.FlushFinalBlock()
[code]....

i googled and read to add machineKey in my web.config <system.web> which i did:
<machineKey validationKey='0EFA95136AEA44850D5CEDDF0CC7502B1A009.....' decryptionKey='E88EB13ADB2C3D395193AA71DBB1E...' validation='SHA1'/>

and added
<pages masterPageFile enableViewStateMac="true" viewStateEncryptionMode="Auto"> to my masterpage.But i keep getting that error.

View 2 Replies

Security :: Padding Is Invalid And Cannot Be Removed/unable To Solve It?

Feb 23, 2010

Following is the error log captured:-

The error description is as follows :
Source: mscorlib

Message: Padding is invalid and cannot be removed.
Stack Trace:at System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast)

[code]....
This issue is occuring on and off and I am unable to reproduce it at my end.

View 5 Replies

C# - What Else Can Cause 'Padding Is Invalid And Cannot Be Removed" Exception With WebResource.axd

May 7, 2010

Recently, a couple of my applications have started throwing exceptions with the message Padding is invalid and cannot be removed intermitently

My applications already have a machineKey specified in the web.config as suggested in this thread

The applications are deployed to a single Windows 2003 server running IIS6.

View 1 Replies

Security :: Riijandael Method Error/ Padding Is Invalid And Cannot Be Removed

Apr 15, 2010

I am using following code to encrypt and decrypt files. It works fine in windows application but shows an error in asp.net class. It's using Riijandael method.


Error : padding is invalid and cannot be removed

Code:Public Sub EncryptOrDecryptFile(ByVal strInputFile As String, _
ByVal strOutputFile As String, _
) [code]....

View 5 Replies

Change The User Password While Retrieving Current Password Error - Padding Is Invalid And Cannot Be Removed

Dec 10, 2010

I'm using the ChangePassword method of membership provider to change the password and one of the requirement before calling the ChangePassword is to retrieve the current password. But I'm getting error:

padding is invalid and cannot be removed

below is my web.config:

[code]....

View 1 Replies

C# - "Padding Is Invalid And Cannot Be Removed." Error With A Twist?

Sep 15, 2010

I'm getting the following error in our QA environment but only through the IIS7 reverse proxy. If I hit the application server directly it works fine. In our DEV environment it works fine through the proxy or directly.

I'm not really sure where to go with this,
Server Error in '/' Application.

Padding is invalid and cannot be removed.

Description: An unhandled exception occurred during the execution of the current web request.

Exception Details: System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed.

Source Error:An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:[CryptographicException: Padding is invalid and cannot be removed.]
System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[] inputBuffer, Int32 inputOffset,
[code]....
Version Information: Microsoft .NET Framework Version:2.0.50727.4952; ASP.NET Version:2.0.50727.4927

View 1 Replies

C# - Exception Is Like The Padding Is Invalid And Cannot Be Removed Exception?

Jul 12, 2010

We're getting this InternalSubStringWithChecks exception with our application's healthMonitoring. This exception is like the Padding is invalid and cannot be removed exception where it's being recorded and we're getting a notification email but the end user is unaware that an actual error has happened. Though we don't want our event log filled up with this rubbish! The stack trace is:

Parameter name: length
at System.String.InternalSubStringWithChecks(Int32 startIndex, Int32 length, Boolean fAlwaysCopy)
at System.Web.Handlers.AssemblyResourceLoader.System.Web.IHttpHandler.ProcessRequest
[code]...

View 1 Replies

Namespace Removed In Web.config Not Removed In A Page With Master?

Sep 12, 2010

I have defined this in the web.config of a subdirectory

<namespaces>
<remove namespace="App"/>
<add namespace="Tom"/>
</namespaces>

App is imported in the parent web.config file, Tom and App have classes with the same names.To avoid errors resulting from ambiguous class names I removed the App namespace from the sub-directory where the Tom namespace is used.

However the namespace App is still imported on content pages that have a master page outside the Tom directory. This causes the aforementioned errors.Here is my dir structure

-Root Directory
--Default.master
--web.config (App is added in web.config)
--Tom Sub-diretory
---web.config (App is removed in web.config)
---Content page that uses Default.master (Here is the problem)
---Page without master (Works OK)

View 2 Replies

Invalid Padding On 2.0 Cookie, MVC Looks Ok?

Apr 5, 2010

We have a cookie management library that writes a cookie containing some sensitive information, encrypted with Rijndael. The cookie encrypts and decrypts fine in unit tests (using Moq), works fine for MVC web applications, but when called from an ASP.net 2.0 website, the cookie cannot be decrypted. "Padding is invalid and cannot be removed."

We are sure that the cookie value is valid because we tested it 10,000 times with random data in a unit test. There is something about what ASP.NET 2.0 does when it reads and writes the cookie that causes trouble.

View 1 Replies

MachineKey Config Section Default Location?

Sep 21, 2010

Where do I find the machineKey config section for ASP.NET?

I don't have one in my application Web.config, there isn't one in the root Web.config and there isn't one in my machine.config.

Does this mean there is some other default hardcoded into ASP.NET? If so, what are the defaults? (For .NET 2 and 4)

Having read this: [URL]

i was expecting to find something like this, somewhere:

<machineKey
validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps"
/>

Edit: the 1.1 docs seem fairly clear wrt default values: [URL] but the 4 docs are rather ambiguous [URL]

View 1 Replies

Setup Identical <machinekey /> Sections On Each Servers .config File?

Mar 2, 2010

We have a scenario using asp.net Forms Authentication in a web farm and need to setup identical <machinekey /> sections on each servers .config file.

Is it better to store the <machinekey /> section in machine.config rather then web.config? what's the advantages and disadvantages of each approach concerning security?

<machineKey validationKey="[keyhere]"
decryptionKey="[keyhere]" validation="SHA1" />

If its not secure enough, is there any way to encrypt <machinekey /> section like we encrypt our connectionsstring (with DPAPI)? (http://msdn.microsoft.com/en-us/library/ms998280.aspx)

View 1 Replies

Invalid Viewstate Since Oracle Padding Vulnerability Security Patch

Sep 29, 2010

Since installing the security patch for the ASP.NET Oracle Padding vunerability any user that was keeping themselves logged in to our site is getting error messages when hitting any page.

The errors logged on the server are

System.Web.UI.ViewStateException: Invalid viewstate.
Client IP: xxx.xxx.xxx.xxx
Port: 55796
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0
ViewState: l4nsXEvWcOwlDpmdbxw916bpHoPiqdBP7Syb+zCQAv44xv/r3oLtETKTL28/Gts6
Referer: Path: /product/4795/fender-usa-deluxe-stratocaster-mn-olympic-white-pearl

With custom errors switched off a user sees the following information

Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Web.HttpException: Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace: [ViewStateException: Invalid viewstate.
Client IP: xxx.xxx.xxx.xxx
Port: 3588
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.5; .NET CLR 2.0.50727; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
ViewState: s0toPCu7bxkB7a3G+KTxawY3ILf1qunZyIqNBKg8xSoqY2BkWIUCJAHKFKo2RnJw
Referer:
Path: /]

[HttpException (0x80004005): Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.]

System.Web.UI.ViewStateException.ThrowError(Exception inner, String persistedState, String errorPageMessage, Boolean macValidationError) +118
System.Web.UI.ViewStateException.ThrowMacValidationError(Exception inner, String persistedState) +13
System.Web.UI.ObjectStateFormatter.Deserialize(String inputString) +238
System.Web.UI.ObjectStateFormatter.System.Web.UI.IStateFormatter.Deserialize(String serializedState) +5
System.Web.Mvc.AntiForgeryDataSerializer.Deserialize(String serializedToken) +90

to delete all cookies and log back in, but obviously an average user, won't know to do this and I'm worried they will just think our site is broken.

View 3 Replies

What Changes Are Required In Web.config File To Configure Web Farm

Jul 6, 2010

What changes are required in web.config file to configure Web Farm ?

View 1 Replies

Creating Custom Httphandler In Web.config: Am I At Risk Of Exposing A 'Padding Oracle' Vulnerability?

Oct 29, 2010

Considering the recent ASP.NET vulnerability, what should I look for in my httphandlers that would cause such a Padding Oracle vulnerability?

Asked in another way... what did MSFT do wrong and what did they fix in their handlers?

View 2 Replies

Configuration :: Web.config Transformations For 3.5 Web Sites?

Jan 27, 2011

I found an article which explains how to perform a Web.config transformation on an ASP.Net 4.0 Web Site, but all of my web sites are still running ASP.Net 3.5.[URL]

View 1 Replies

Run Asp.net 3.5 Sites On Asp.net 4.0 Without Changing Codeweb.config

Dec 7, 2010

run asp.net 3.5 sites on asp.net 4.0 without changing codeweb.config. Is it possible?

View 3 Replies

MVC :: Adding New Controller To Online Sites?

Jan 27, 2011

In webform one could add pages to his website simply by adding them to the correct directory in the virtual directory.

In MVC however you need to write new controlls is that mean i should "recompile" the whole site all over again?

My site is alreay online and i dont wont to go off line to add additional feature.

View 6 Replies

Why Can't The "Server" Response Header Be Removed Via Web.config In IIS7

Sep 9, 2010

[URL]I know how to remove the Server response header with an HTTP Module based on the link above. I just want to know why it is necessary to remove it this way.

View 3 Replies

Unable To Open Certain Sites From Internet Explorer 7.it Is Showing All Sites As Restricted?

Aug 17, 2010

i m not able to open certain sites from internet explorer 7.it is showing all sites as restricted .

View 12 Replies

Web Forms :: Getting Error While Adding New Control On Page - Invalid Argument

Aug 26, 2010

I am getting this wired error when I try to add another control on my user control. Is there a limitaion on how many controls we can have on a single user control?

View 1 Replies

How To Develop Web Parts That Can Be Used In Our ASP.NET Sites And Our SharePoint Sites

Jul 16, 2010

I am interested in developing Web Parts that can be used in our ASP.NET sites
and our SharePoint sites. An example Web Part I have in mind is a Post Code (Zip Code) look up.- Visual Studio 2010 Premium- SharePoint Designer 2007- Windows 2003 Server (therefore WSS 3.0)- No SharePoint Server

View 2 Replies

Forms Data Controls :: Add Multiple Columns In A Datalist , Without Adding Invalid Html Code?

Jun 27, 2010

I have the following code the form of a datalist,

<asp:DataList ID="DataList1" runat="server" BorderColor="black" CellPadding="3" Font-Names="Verdana"
Font-Size="8pt">

[code]...

View 5 Replies

Web Forms :: Machinekey With Explicit Validationkey?

Dec 2, 2010

I had "Invalid viewstate" error in my application; I found out it's caused by worker process recycling, so I generated a <machinekey> section with explicit validationkey. refer to this link,[URL] My quesitons are 1. I have the application installed on dev, qa, stg and prd servers. Should I use the machinekey with the same(or different) validationkey for all the servers? I think it shouldn't be matter because the servers are independent from each other.

2. Where should I put the <machinekey> section, machine.config or individual application level's web.config? There are multiple applications on the server.

If I put it at the application level, does that mean other applications still may have the same "Invalid viewstate" error?

If I put it at the application level, should I add the <machinekey> section for all the other applications using the same validationkey?

View 1 Replies

.net - Leveraging MachineKey For Encrypting Own Data?

Sep 10, 2010

I have some data I want to encrypt in an ASP.NET MVC application to prevent users from tampering with it. I can use the Cryptography classes to do the actual encryption/decryption, no problem there. The main problem is figuring out where to store the encryption key and managing changes to it.

Since ASP.NET already maintains a machineKey for various things (ViewData encryption, etc), I was wondering if there were any ASP.NET functions which let me encrypt/decrypt my own data using the machineKey? This way I would not have to devise my own key management system.

View 2 Replies







Copyrights 2005-15 www.BigResource.com, All rights reserved