IsolateApps causes Decryption key specified has invalid hex characters

3

60

I am working on an MVC 4 site which uses Authentication. The site requires that I specify the Machine Key values. I did this via the IIS interface, having deselected "automatically generate at runtime", generated the key values and selected "generate a unique key for each application".

The web.config entry looks something like this:

<machineKey decryption="DES" decryptionKey="{hex-key value},IsolateApps" 
    validationKey="{hex-key value},IsolateApps" />

While this seems to work fine on another web project it causes the "Decryption key specified has invalid hex characters" error on the dev machine I am working on now (both in IIS-Express and IIS 7.5).

Removing ",IsolateApps" from the key values solves the issue, but since I need this option on in production I don't want to be removing it now only to have this issue when deploying.

What gives? The dev box is a SQL 2008 R2 box with .NET 2.0 and .NET 4.0.

Decline answered 21/2, 2013 at 13:3 Comment(0)
130

The IsolateApps modifier causes ASP.NET to generate a unique key for each application on your server. This is only applicable if you are getting ASP.NET to auto-generate keys at runtime.

If you are not getting ASP.NET to auto-generate keys, and are instead specifying the keys using decryptionKey="{hex-key value}", then the way to get ASP.NET to use a different key for each application is to simply specify a different key in each application's Web.config.

The IIS config GUI allows you to create a Web.config with an explicit key together with the IsolateApps modifier, which is invalid, and in my opinion is a bug in the config GUI.

Stirring answered 14/3, 2013 at 3:44 Comment(5)
Also, please consider using AES instead of DES for your decryption algorithm. - Blackmarket
Agreed (especially with the bug part). - Decline
We encountered this issue when merging an MVC and WebForms site, and it was due to 'AntiForgeryToken()' being called, which clearly uses the machine key. - Ferebee
@joe-daly do you know how frequently the validation and decryption keys get generated if I selected "Automatically generate at run time"? i.e. each 1 hour, IIS recycle? Just curious because I faced strange behavior when using OAuth access tokens when this is checked. - Thermo
In WebForms, it is caused by MS AJAX when it attempts to generate a WebResource URL: protected void Page_Load(object sender, EventArgs e) { string nonExistentUrl = Page.ClientScript.GetWebResourceUrl(typeof (UpdatePanel), "someFile.js"); Response.Write(nonExistentUrl); } - Aubin
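An added example, not code from the answer above or from ASP.NET: a small Python check, suitable for a build pipeline, that flags the combination the answer describes as invalid (an explicit key carrying the IsolateApps modifier) and the DES setting the first comment advises against. The function name, finding strings and sample keys are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

HEX = re.compile(r"[0-9A-Fa-f]+")

def lint_machine_key(web_config_xml):
    """Return (attribute, finding) pairs for every <machineKey> in a web.config string."""
    findings = []
    for el in ET.fromstring(web_config_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "machineKey":  # tolerate an xmlns prefix
            continue
        for attr in ("decryptionKey", "validationKey"):
            raw = el.get(attr)
            if raw is None:
                continue
            value, *modifiers = [part.strip() for part in raw.split(",")]
            if value.lower() == "autogenerate":
                continue  # IsolateApps only applies to auto-generated keys
            if any(m.lower() == "isolateapps" for m in modifiers):
                findings.append((attr, "explicit key combined with IsolateApps"))
            if not HEX.fullmatch(value):
                findings.append((attr, "key is not a plain hex string"))
        if (el.get("decryption") or "").upper() == "DES":
            findings.append(("decryption", "DES configured, AES recommended"))
    return findings

# Constructed sample input: the keys are made-up filler, not usable secrets.
FILLER_D = "A1B2C3D4" * 6
FILLER_V = "4D3C2B1A" * 6
BROKEN = f"""<configuration><system.web>
  <machineKey decryption="DES" decryptionKey="{FILLER_D},IsolateApps"
              validationKey="{FILLER_V},IsolateApps" />
</system.web></configuration>"""
FIXED = f"""<configuration><system.web>
  <machineKey decryption="AES" decryptionKey="{FILLER_D}" validationKey="{FILLER_V}" />
</system.web></configuration>"""
AUTO = """<configuration><system.web>
  <machineKey decryptionKey="AutoGenerate,IsolateApps"
              validationKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""

if __name__ == "__main__":
    for name, doc in (("broken", BROKEN), ("fixed", FIXED), ("auto", AUTO)):
        print(name, lint_machine_key(doc))
```
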
9

You can fix the issue by adding the following to the machineKey element (compatibilityMode="Framework20SP1") in the web.config. See Link

Embryectomy answered 28/3, 2013 at 12:39 Comment(0)
2

This can be fixed by adding the machineKey line into your web.config, and specifying your keys as shown below (use your own key though of course, this one is easily guessable):

<configuration>
 <system.web>
  <machineKey decryptionKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0" validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF00123456789ABCDEF0123456789ABCDEF0123456789ABCDEF00123456789ABCDEF0123456789ABCD" />
 </system.web>
</configuration>
Roland answered 1/11, 2016 at 21:32 Comment(0)