Unable to validate data error with machine key set to SHA1
I have a simple .NET application using the .NET 2.0 runtime in IIS 7.5 where I've changed the machine key in the web.config to use the following:

  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="SHA1"/>

This works fine locally, but when I publish to the server I get an "HttpException (0x80004005): Unable to validate data" whenever browsing the site. I've made sure to set compilation debug="false". Setting the validation method to 3DES eliminates this issue, but we have a requirement to work with SHA1. Is there some configuration option I'm missing here? See the stack trace below.

[HttpException (0x80004005): Unable to validate data.]
   System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, IVType ivType, Boolean useValidationSymAlgo, Boolean signData) +1008
   System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, IVType ivType, Boolean useValidationSymAlgo) +91
   System.Web.UI.Page.EncryptStringWithIV(String s, IVType ivType) +83
   System.Web.UI.Page.EncryptString(String s) +30
   System.Web.Handlers.RuntimeScriptResourceHandler.GetScriptResourceUrlImpl(List`1 assemblyResourceLists, Boolean zip, Boolean notifyScriptLoaded) +1497
   System.Web.Handlers.RuntimeScriptResourceHandler.System.Web.Handlers.IScriptResourceHandler.GetScriptResourceUrl(List`1 assemblyResourceLists, Boolean zip, Boolean notifyScriptLoaded) +1148
   System.Web.Handlers.RuntimeScriptResourceHandler.System.Web.Handlers.IScriptResourceHandler.GetScriptResourceUrl(Assembly assembly, String resourceName, CultureInfo culture, Boolean zip, Boolean notifyScriptLoaded) +152
   System.Web.Handlers.ScriptResourceHandler.GetScriptResourceUrl(Assembly assembly, String resourceName, CultureInfo culture, Boolean zip, Boolean notifyScriptLoaded) +37
   System.Web.UI.ScriptManager.GetScriptResourceUrl(String resourceName, Assembly assembly) +105
   System.Web.UI.ScriptRegistrationManager.RegisterClientScriptResource(Control control, Type type, String resourceName) +113
   System.Web.UI.ScriptManager.System.Web.UI.IScriptManager.RegisterClientScriptResource(Control control, Type type, String resourceName) +14
   System.Web.UI.ClientScriptManager.RegisterClientScriptResource(Control control, Type type, String resourceName) +53
   System.Web.UI.WebControls.Menu.OnPreRender(EventArgs e, Boolean registerScript) +113
   System.Web.UI.WebControls.Menu.OnPreRender(EventArgs e) +25
   System.Web.UI.Control.PreRenderRecursiveInternal() +80
   System.Web.UI.Control.PreRenderRecursiveInternal() +171
   System.Web.UI.Control.PreRenderRecursiveInternal() +171
   System.Web.UI.Control.PreRenderRecursiveInternal() +171
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +842

Jeffrey answered 16/10, 2013 at 14:56 Comment(0)
I found that when the local security policy "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" (Security Settings >> Local Policies >> Security Options) is set to true, SHA1 will not function, which is the reason why I'm getting the error in this case.

Jeffrey answered 16/10, 2013 at 17:42 Comment(2)
Where can I see this option? - Security Settings >> Local Policies >> Security Options (Owl)
I know this is old, but thought I would put in a note... this setting is found in the group policy editor (gpedit.msc) under Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. You have to iisreset after changing it. Thanks! (Communicable)
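The underlying cause is that the SHA1 validation mode in ASP.NET 2.0 relies on a managed HMAC-SHA1 implementation that the FIPS policy refuses to load, while 3DES is backed by a FIPS-certified CSP class, which is why switching the mode hides the error. As an added example, not code from the thread, the script below checks a web.config's `machineKey` validation setting against the server's FIPS flag before publishing; the registry path is the one the gpedit.msc setting writes to, and the "SHA1 default when the attribute is absent" rule is an assumption for the 2.0 runtime.

```python
"""Pre-deployment check: will <machineKey validation="..."> work with FIPS policy on?
Added example for this thread; not part of any product. Runs offline when the
FIPS flag is passed explicitly; on Windows it can also read the registry."""
import xml.etree.ElementTree as ET

# Per the thread: SHA1 validation fails under FIPS policy, 3DES works.
# MD5 is never FIPS-approved. Anything else is reported as "verify manually".
FIPS_BLOCKED = {"SHA1", "MD5"}
FIPS_OK = {"3DES"}


def fips_policy_enabled():
    """Read the flag that the 'Use FIPS compliant algorithms' policy sets.
    Returns None when not running on Windows (pass the value by hand then)."""
    try:
        import winreg
    except ImportError:
        return None
    key_path = r"SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            value, _ = winreg.QueryValueEx(key, "Enabled")
            return value == 1
    except OSError:
        return False


def assess_machine_key(web_config_xml, fips_enabled):
    """Return (status, validation); status is 'ok', 'fail' or 'verify'."""
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    # Assumption: ASP.NET 2.0 defaults to SHA1 when the attribute is absent.
    validation = ((mk.get("validation") if mk is not None else None) or "SHA1").upper()
    if not fips_enabled:
        return ("ok", validation)
    if validation in FIPS_BLOCKED:
        return ("fail", validation)
    if validation in FIPS_OK:
        return ("ok", validation)
    return ("verify", validation)


# Constructed sample: the configuration from the question.
SAMPLE_WEB_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps" validation="SHA1"/>
</system.web></configuration>"""

if __name__ == "__main__":
    fips = fips_policy_enabled()
    print("FIPS policy enabled:", fips, "->", assess_machine_key(SAMPLE_WEB_CONFIG, bool(fips)))
```

Run it on the target server (or pass `fips_enabled=True` when checking from elsewhere) to see the "fail" verdict for SHA1 before IIS does.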
Are you running the application in a true .NET 2.0 app pool? (I am asking because you are using IIS 7.5.)

If not, bear in mind that there has been a change in the encryption algorithms in the .NET 4.5 framework.

If you need to be compatible with Framework versions earlier than .NET 4.5, you will need a compatibility tag:

<machineKey compatibilityMode="Framework20SP1" />  

See http://msdn.microsoft.com/en-us/library/system.web.configuration.machinekeysection.compatibilitymode.aspx or http://blogs.msdn.com/b/webdev/archive/2012/10/23/cryptographic-improvements-in-asp-net-4-5-pt-2.aspx for details.

Unconcerned answered 16/10, 2013 at 15:29 Comment(3)
Yes, the app pool for my site is set to use .NET 2.0. (Jeffrey)
You could still try the compatibility tag; if it doesn't work, I'm afraid I'm blank here. Sorry about that... :| (Unconcerned)
Okay, I tried putting the compatibilityMode tag in the machineKey section as suggested, but I still receive the same error :( (Jeffrey)