WebResource.axd Length of the data to decrypt is invalid

Question

I have a lot of errors in the event viewer that look like this. I have investigated all possible solutions and still haven't found one that works;

The website is part of a webfarm; session state is stored in a state server; machinekey is the same on all servers; i even used iiscfg to copy iis settings on all servers... still no success; in IIS, on properties of the website, I made sure that the "verify if file exists" is unchecked for axd mappings...

I tried adding in httphandlers the following line:

<add path="WebResource.axd" verb="GET" type="System.Web.Handlers.AssemblyResourceLoader" validate="True" />

but still no success...

I really have no idea of how to get rid of this error. If anyone could help me I would appreaciate it!

The entire stack trace is:

 Request URL: http://xxxxxxx/WebResource.axd?d=Nu8EdkxldHhw5_nYPoeh3y1EbfLckWGua0HevmQkJr6irkrdL4WYMMP0l2yqOwM7Sd85LYeggTTTURTygkW9tqcBk1Q1&t=634242073212638436 
    Request path: /WebResource.axd 


 at System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount)
   at System.Security.Cryptography.CryptoStream.FlushFinalBlock()
   at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, IVType ivType, Boolean useValidationSymAlgo)
   at System.Web.UI.Page.DecryptStringWithIV(String s, IVType ivType)
   at System.Web.Handlers.AssemblyResourceLoader.System.Web.IHttpHandler.ProcessRequest(HttpContext context)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()

   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Answer 1

You might want a look at this:

http://jagbarcelo.blogspot.com/2009/08/solution-padding-invalid-cannot-be.html

Note that we had a similar problem and setting the validation and decryption attributes of the machine key section in the web.config seemed to help, e.g.:

<machineKey validationKey='blah' decryptionKey='blah' validation='AES' decryption='AES'/>

Answer 2

I finally managed to fix these error... it was a security update which was not installed on all servers and caused the encryption to provide different values even though the machine key was the same on all servers.

Installed it and now it's ok

Answer 3

We had a web farm and found the root cause was that not all servers were running at the same Microsoft Windows patch level. Once we brought them all up to the same patch level, the errors went away.

Answer 4

Hoping to add more details on this issue, and some search terms!

The issue manifests as an ASP.Net error on requests to WebResource.axd and ScriptResource.axd such as:

http//mysite/MyApplication/WebResource.axd?d=966IInUloJ...&t=6332662...

This will cause images, scripts, stylesheets and other resources delivered this way to fail. You will notice that the 'd' parameter on the query string will differ on some of your hosts, despite having same validationKey etc... Once fixed, you can test the same querystring on all your hosts.

---

Server Error in '/MyApplication' Application.

Length of the data to decrypt is invalid.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Security.Cryptography.CryptographicException: Length of the data to decrypt is invalid.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[CryptographicException: Length of the data to decrypt is invalid.]
   System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount) +7588941
   System.Security.Cryptography.CryptoStream.FlushFinalBlock() +33
   System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, IVType ivType, Boolean useValidationSymAlgo) +225
   System.Web.UI.Page.DecryptStringWithIV(String s, IVType ivType) +85
   System.Web.Handlers.AssemblyResourceLoader.System.Web.IHttpHandler.ProcessRequest(HttpContext context) +179
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +181
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75

Version Information: Microsoft .NET Framework Version:2.0.50727.5653; ASP.NET Version:2.0.50727.4444

---

In the windows event log you may see the error:

---

Event Type:   Warning
Event Source: ASP.NET 2.0.50727.0
Event Category:      Web Event 
Event ID:     1309
Date:         5/23/2011
Time:         3:31:13 PM
User:         N/A
Computer:     MYHOST
Description:
Event code: 3005 
Event message: An unhandled exception has occurred. 
Event time: 5/23/2011 3:31:13 PM 
Event time (UTC): 5/23/2011 7:31:13 AM 
Event ID: a66bd05b39c34da6bc3bfd349aefdf24 
Event sequence: 71 
Event occurrence: 21 
Event detail code: 0 

Application information: 
    Application domain: /LM/W3SVC/98/Root/MyApplication... 
    Trust level: Full 
    Application Virtual Path: /MyApplication
    Application Path: d:\inetpub\mysite\MyApplication\ 
    Machine name: MYHOST 

Process information: 
    Process ID: 15328 
    Process name: w3wp.exe 
    Account name: NT AUTHORITY\NETWORK SERVICE 

Exception information: 
    Exception type: CryptographicException 
    Exception message: Length of the data to decrypt is invalid. 

Request information: 
    Request URL: http://mysite/MyApplication/ScriptResource.axd?d=...&t=...

    Request path: /MyApplication/ScriptResource.axd 
    User host address: 1.1.1.1
    User:  
    Is authenticated: False 
    Authentication Type:  
    Thread account name: NT AUTHORITY\NETWORK SERVICE 

Thread information: 
    Thread ID: 9 
    Thread account name: NT AUTHORITY\NETWORK SERVICE 
    Is impersonating: False 
    Stack trace:    at System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount)
   at System.Security.Cryptography.CryptoStream.FlushFinalBlock()
   at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, IVType ivType, Boolean useValidationSymAlgo)
   at System.Web.UI.Page.DecryptStringWithIV(String s, IVType ivType)
   at System.Web.UI.Page.DecryptString(String s)

---

The update in question is MS10-070. Even if you host believes it's installed, you may need to reinstall it to fix subsequently altered libraries or something.

Of note in this update is KB2431728 - Encrypted content in ASP.NET is not decrypted or results in errors for a website that uses persisted Forms Authentication cookies or is deployed in a web farm - refer to the details.

some servers or applications in the web farm may encounter one or more of the following symptoms:... Exceptions in the WebResource or ScriptResource handlers

...

The security update that bulletin MS10-070 (http://www.microsoft.com/technet/security/bulletin/ms10-070.mspx) addresses changes the default behavior of encryption in ASP.NET.

...

All servers that serve an ASP.NET website in the web farm have to install the security update. If some servers do not have the security update installed, you must apply the update to these servers.