I tried this:
runas /user: domain\user cmd with no luck
This seems to only occur now when IIS is reset and I try to resume my browsing session. So I am logged into the application, I reset IIS on the server, refresh the page and see the error.
I am building an application in .NET 4.0 MVC with a Secure Token Service that is using WIF 4.0. Everything works as expected, except this case. I even tried to use a custom error page, but the error is happening there as well. Because of that, I can't get the custom page to show either. Also, This is using a certificate that is located on both load balanced servers. This happens in my dev environment whihc consists of only one server (app, wfe, db operated there)
One thing I noticed is that if I switch my IIS APP Pool user back to Network Service account it doesn't throw the error any more. We have some restrictions (mostly network related) in the application that we need to use an account in our AD for the app pool sections
Anybody have any experience with this issue?
Key not valid for use in specified state.
Description: An unhandled exception occurred during the execution of
the current web request. Please review the stack trace for more
information about the error and where it originated in the code.
Exception Details:
System.Security.Cryptography.CryptographicException: Key not valid for
use in specified state.
Source Error:
An unhandled exception was generated during the execution of the
current web request. Information regarding the origin and location of
the exception can be identified using the exception stack trace below.
Stack Trace:
[CryptographicException: Key not valid for use in specified state. ]
System.Security.Cryptography.ProtectedData.Unprotect(Byte[]
encryptedData, Byte[] optionalEntropy, DataProtectionScope scope) +428
Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[]
encoded) +54
[InvalidOperationException: ID1073: A CryptographicException occurred
when attempting to decrypt the cookie using the ProtectedData API (see
inner exception for details). If you are using IIS 7.5, this could be
due to the loadUserProfile setting on the Application Pool being set
to false. ]
Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[]
encoded) +146
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[]
cookie, Boolean outbound) +113
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader
reader, SecurityTokenResolver tokenResolver) +647
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[]
token, SecurityTokenResolver tokenResolver) +105
Microsoft.IdentityModel.Web.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[]
sessionCookie) +262
Microsoft.IdentityModel.Web.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken&
sessionToken) +76
Microsoft.IdentityModel.Web.SessionAuthenticationModule.OnAuthenticateRequest(Object
sender, EventArgs eventArgs) +53
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
+148 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75
This issue is related to session cookies.
WIF protects session cookies using Data Protection API (DPAPI) by default, and the DPAPI is closely related to machine keys.
If the keys used to encrypt the session cookies change, it throws this exception.
It could be also related to your app hosting infrastructure.
if your app is running in an Network Load Balancer (NLB) environment
if you change the app pool settings (e.g., change the pool’s user)
More details about this scenario on the MSDN blog entry:
WIF 1.0 – ID1073 A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API Archive.Today Shortlink
Todd Foust (October 29, 2012)
So, if your app runs in NLB environment, you could :
Configure your load balancer to use sticky sessions. This means that your user will be directed to the same server during the session duration. (I’m not very fond of that one)
Use a certificate to encrypt the session cookies
set all web.config files to use the same machine key in system.web
If you are not running the app in a NLB env, you could try:
set the machinekey in your web.config to use a pre-defined value instead of auto-generated values
Regarding auto-generated machinekey setting, please see:
How unique is your machine key?Archive.Today Shortlink
Related
I'm running into a very weird scenario, have tried a lot of solutions and also tried searching for people having similar issues but couldn't find anything.
I have a webforms ASP.NET application for which the SSL certificate expired a couple of months ago, and we just received the renewed certificate. It was a new certificate instead of a renewal one, but issued to the same URL/SANs. It's also an internal certificate, not externally issued.
After installing the new SSL certificate in our production environment, an internal web service (asmx reference) call that we are making (to a java web service) is failing, complaining about no parameters being sent to the web service. This only happens if I browse through the SSL enabled version of the site, and only in production. The site with SSL works correctly in our dev/stage environments. Prod also works but only if I don't browse through HTTPS.
I cannot paste all the technical exception details, as it's a work related thing, but any help/guidance is appreciated.
System.Web.HttpUnhandledException (0x80004005): Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> System.Web.Services.Protocols.SoapHeaderException: Internal Server Error (Caught exception while handling request: java.lang.Exception: Last Name and/or First Name needs to be provided.)
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at OurProgram.com.Company.corp.amssvc.DirWs2.getEmployeeDataByName(String lastName, String firstName, String attData, String strDelim) in D:\somecodehere
For additional data, it is also not an IIS website on its own, it's hosted as an application under the Default Website, which is the one that has the SSL binding for the certificat.e
Has anyone experienced this?
TL;DR -- Disabled Anonymous Authentication.
Well, after 6 hours of fiddling with and comparing IIS and website configurations, the issue was that for some reason, Anonymous Authentication got enabled somehow after the site had been restarted for the new SSL certificate to kick in. Our application is an intranet one, so the web service takes the credentials of the logged in user. When Anon Auth got enabled somehow, it must have not been passing the correct credentials.
After disabling Anonymous Authentication, the site worked just fine. While it might seem a little related in hindsight, I would've expected a different error, anything other than the web service complaining that no parameters were sent.
Hope this helps someone.
Has anyone ever come across this error? I'm getting this when I post back to a forms authenticated site after redirecting to another site and then redirecting back. I've already checked that loadUserProfiles="true" but that did not help. This is a site hosted on IISExpress via other sites also hosted on IISExpress, using localhost gen'ed SSL certs and differentiating via host header. I'm pretty clueless at this point on where the error even comes from. Is it a cookie error? The FormsAuth cookie? It's ASP.NET 4.0 site where I'm authenticating against a Thinktecture Id server. Any feedback is appreciated to help me with my current block. Thanks
Server Error in '/' Application.
The data is invalid.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Security.Cryptography.CryptographicException: The data is invalid.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[CryptographicException: The data is invalid.
]
System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope) +318
Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[] encoded) +203
[InvalidOperationException: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false. ]
Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[] encoded) +319
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +217
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver) +1951
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver) +149
Microsoft.IdentityModel.Web.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[] sessionCookie) +595
Microsoft.IdentityModel.Web.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken) +120
Microsoft.IdentityModel.Web.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +113
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +136
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +69
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.18044
Crypto errors like this are common if your application pool is not set to load its user profile. The crypto system needs to access user's cert store.
The exact moment the error occurs is when you authenticate and the sts sends back the signed SAML token.
This means that the error is subtle. You don't see it everytime, only in one exact moment. You can even be deceived that the error is gone because the site works correctly, however the error reappears as soon as someone tries to log in.
The problem was only happening in IE9 when running in Debug mode. After awhile it went away for whatever reason. :/
I have created a Custom STS Login Application and logging in/out functionalities were working fine. But if i login as some user and do IISRESET and then reloaded the page the below error is spitted. (But as expected it works fine after I cleared the cookies and logged in again :) )
Apppool user for STS Application is "A" and he has never windows logged into the server machine, where STS Application is deployed(he is in administrators group and has access to encryption certificates).
I tried to login once as "A" in to the server(Windows Login) and after that all of a sudden this issue is solved.
Can anyone tell why was it not working after IISRESET and working after windows logging in once?
Server Error in '/’ Application.
Key not valid for use in specified state.
[CryptographicException: Key not valid for use in specified state.]
System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope)
Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[] encoded)
[InvalidOperationException: 1D1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details).
Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[] encoded) +433
Microsoft.IdentityModel .Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte] cookie, Boolean outbound) +189
Microsoft. IdentityModel .Tokens. SessionSecurityTokenHandler. ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver) +894
Microsoft. IdentityModel .Tokens. SessionSecurityTokenHandler. ReadToken(Byte]] token, SecurityTokenResolver tokenResolver) +118
Microsoft.IdentityModel.Web.SessionAuthenticationModule.ReadSessionTokenrrocCookie(Byte] sessionCookie) +363
Microsoft.IdentityModel.Web. SessionAuthenticationModule.TryReadSessionTokenFroaCookie(SessionSecurityToken& sessionToken) +124
Microsoft. IdentityModel .Web. SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +61
System.Web.SyncEventExecutionstep.System.Web.HttpApplication.IExecutionStep.Execute() +80
System. Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +270
Version Information: Microsoft .NET Framework Version:4.D.30319; ASP NET Version:4.O.30319.272
If you're running with the default WIF config, the keys used to secure the session tokens are handled through DPAPI and are stored in the user profile. These keys change on iisreset unless you configure IIS with "Load User Profile" as true.
If you're running on .NET 4.5 the easiest approach would be to configure machineKeys for your application and use the new MachineKeySessionSecurityTokenHandler, as documented in Wif and Web Farms.
I am running Dotnetnuke7 on a shared hosting environment using ASP.net 4.5 and IIS configured in integrated pipeline mode (as required by DNN7).
When I install it on a Win2008/IIS7 server (ASP4.0) at the hosting provider the application runs fine, but when I install it on a Win2008R2/IIS7.5 server at the hosting provider(ASP4.5) I get an exception Collection is read-only when trying to log-in or submitting anything to the site. (For example use DNN search function). See detailed stacktrace below.
The hosting provider checked the .net 4.5 permissions, and also applies apppool-specific permissions, but no luck yet.
Anybody a clue what IIS7.5 parameter or option can be the cause here?
Server Error in '/' Application.
Collection is read-only.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.NotSupportedException: Collection is read-only.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[NotSupportedException: Collection is read-only.] System.Collections.Specialized.NameObjectCollectionBase.BaseSet(String name, Object value) +6703734
System.Web.HttpServerVarsCollection.SetServerVariableManagedOnly(String name, String value) +116
System.Web.HttpServerVarsCollection.SynchronizeServerVariable(String name, String value) +28
System.Web.HttpRequest.SynchronizeServerVariable(String name, String value) +112 System.Web.Hosting.IIS7WorkerRequest.GetServerVarChanges(HttpContext ctx) +308 System.Web.Hosting.IIS7WorkerRequest.SynchronizeVariables(HttpContext context) +9676858 System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context) +151
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.17929
For anyone stumpling on this - I had this exact issue today.
Resolved by two actions for me:
Verify isapi filters in IIS for .net 4.0/4.5 etc are ALLOWED
I had installed rewriter-modules (Helicon). Once I removed these ISAPI-filters again - all worked fine.
So check isapi-filters is my advice and start without any additional filters except the needed .net filters.
I have an ASP.NET 2.0 application that is working fine in our local environment. When published to a test server, we're getting intermittent errors on the server.
Here's the most common:
Padding is invalid and cannot be removed.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details:
System.Security.Cryptography.CryptographicException:
Padding is invalid and cannot be
removed.
Source Error:
An unhandled exception was generated
during the execution of the current
web request. Information regarding the
origin and location of the exception
can be identified using the exception
stack trace below.
Stack Trace:
[CryptographicException: Padding is
invalid and cannot be removed.]
System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[]
inputBuffer, Int32 inputOffset, Int32
inputCount, Byte[]& outputBuffer,
Int32 outputOffset, PaddingMode
paddingMode, Boolean fLast) +1545747
System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[]
inputBuffer, Int32 inputOffset, Int32
inputCount) +257
System.Security.Cryptography.CryptoStream.FlushFinalBlock()
+30 System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean
fEncrypt, Byte[] buf, Byte[] modifier,
Int32 start, Int32 length, Boolean
useValidationSymAlgo) +164
System.Web.UI.Page.DecryptString(String
s) +83
System.Web.Handlers.AssemblyResourceLoader.System.Web.IHttpHandler.ProcessRequest(HttpContext
context) +148
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
+358 System.Web.HttpApplication.ExecuteStep(IExecutionStep
step, Boolean& completedSynchronously)
+64
This happens on a request to a specific WebResource.axd request.
The other error that we're seeing is this:
Validation of viewstate MAC failed.
If this application is hosted by a Web
Farm or cluster, ensure that
configuration specifies
the same validationKey and validation
algorithm. AutoGenerate cannot be used
in a cluster. Description: An
unhandled exception occurred during
the execution of the current web
request. Please review the stack trace
for more information about the error
and where it originated in the code.
Exception Details:
System.Web.HttpException: Validation
of viewstate MAC failed. If this
application is hosted by a Web Farm or
cluster, ensure that
configuration specifies the same
validationKey and validation
algorithm. AutoGenerate cannot be used
in a cluster.
This error happens occasionally while posting a form.
Now before you jump in and tell me the obvious (usual) answer to this error, consider this:
The application is deployed to Windows Server 2003 on IIS6
It is NOT on a web farm. Only one webserver is in use here.
The application pool identity is a custom service account, and I did run aspnet_regiss -ga <username> on the server. No effect.
The error is because your appdomain was recycled/restarted. When that happens the application and the machine key is set to auto, it changes. That affects the decryption of the info in the url of the resources urls (.axd). Setting up a fixed machine key will prevent it from ever happening again.
Please check this for more info on a similar case (the explanation is with an issue with viewstate validation, but the cause is the same one): http://www.developmentnow.com/blog/InvalidViewstate+Or+Unable+To+Validate+Data+Error.aspx
I also had been wondering about it for quite a while. After I saw this question it got me on it again: Is this an attempt to break my ASP.Net site's security? ... which I just answered with very much the same. I had the feeling it was around some restart of something, because when we published something that recycled the application the error showed in the log, but I didn't have any other source stating its relation (today I found that case on invalidviewstate because of the machinekey change :))
Ps. above finally explains it on single server :)
This problem appears when a post is generated before the page is fully loaded in the browser. Have a look at this question.
Ben,
For your first problem, I found this that seems to be a bit more to the point of what you are seeing in that the problem is sporadically occurring.
You should be able to find a full explanation of this at http://www.codeproject.com/KB/security/Cryptor.aspx#aes.
What you really need to do is set RijndaelAlg.Padding to PaddingMode.ISO10126, PaddingMode.PKCS7, or PaddingMode.ANSIX923. Any one of these 3 values should work, provided that you use the same value when encrypting and decrypting. Other values will work with some data, but not with all data. The above URL explains why.
What I don't understand is the reason Microsoft provides options that sometimes don't work, or at least why they don't default to a reliable option.