Unable to validate data error with machine key set to SHA1

Ben picture Ben · Oct 16, 2013 · Viewed 7.8k times · Source

I have a simple .net application using the .NET 2.0 runtime in IIS 7.5 where I've changed the machine key in the web.config to use the following:

  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="SHA1"/>

This works fine locally, but when I publish to the server I get an "HttpException (0x80004005): Unable to validate data" whenever browsing the site. I've made sure to set compilation debug="false". Setting the validation method to 3DES eliminates this issue, but we have a requirement to work with SHA1. Is there some configuration option I'm missing here? see the stack trace below.

[HttpException (0x80004005): Unable to validate data.]
   System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, IVType ivType, Boolean useValidationSymAlgo, Boolean signData) +1008
   System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, IVType ivType, Boolean useValidationSymAlgo) +91
   System.Web.UI.Page.EncryptStringWithIV(String s, IVType ivType) +83
   System.Web.UI.Page.EncryptString(String s) +30
   System.Web.Handlers.RuntimeScriptResourceHandler.GetScriptResourceUrlImpl(List`1 assemblyResourceLists, Boolean zip, Boolean notifyScriptLoaded) +1497
   System.Web.Handlers.RuntimeScriptResourceHandler.System.Web.Handlers.IScriptResourceHandler.GetScriptResourceUrl(List`1 assemblyResourceLists, Boolean zip, Boolean notifyScriptLoaded) +1148
   System.Web.Handlers.RuntimeScriptResourceHandler.System.Web.Handlers.IScriptResourceHandler.GetScriptResourceUrl(Assembly assembly, String resourceName, CultureInfo culture, Boolean zip, Boolean notifyScriptLoaded) +152
   System.Web.Handlers.ScriptResourceHandler.GetScriptResourceUrl(Assembly assembly, String resourceName, CultureInfo culture, Boolean zip, Boolean notifyScriptLoaded) +37
   System.Web.UI.ScriptManager.GetScriptResourceUrl(String resourceName, Assembly assembly) +105
   System.Web.UI.ScriptRegistrationManager.RegisterClientScriptResource(Control control, Type type, String resourceName) +113
   System.Web.UI.ScriptManager.System.Web.UI.IScriptManager.RegisterClientScriptResource(Control control, Type type, String resourceName) +14
   System.Web.UI.ClientScriptManager.RegisterClientScriptResource(Control control, Type type, String resourceName) +53
   System.Web.UI.WebControls.Menu.OnPreRender(EventArgs e, Boolean registerScript) +113
   System.Web.UI.WebControls.Menu.OnPreRender(EventArgs e) +25
   System.Web.UI.Control.PreRenderRecursiveInternal() +80
   System.Web.UI.Control.PreRenderRecursiveInternal() +171
   System.Web.UI.Control.PreRenderRecursiveInternal() +171
   System.Web.UI.Control.PreRenderRecursiveInternal() +171
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +842

Answer

Stefan picture Stefan · Oct 16, 2013

Are you running the application in an truly .NET 2.0 app-pool? (I am asking because you are using IIS 7.5).

If not, bear in mind that there has been a change in the encryption algorithms in the .NET 4.5 framework.

If you need to be compatible with the < .NET 4.5 Framework you will need a compatibility tag:

<machineKey compatibilityMode="Framework20SP1" />  

See http://msdn.microsoft.com/en-us/library/system.web.configuration.machinekeysection.compatibilitymode.aspx or http://blogs.msdn.com/b/webdev/archive/2012/10/23/cryptographic-improvements-in-asp-net-4-5-pt-2.aspx for details.