Microsoft Knowledge Base Email Alertz
All KB/RSS Links  |  Hot Kb!  |  New Kb!  |  Scott Cate  |  FAQ / KB  |  Web Hosting  |  Unsubscribe  

Encrypted content in ASP.NET is not decrypted for a website that is deployed in a web farm

Search KbAlertz

Advanced Search

Receive Microsoft Knowledge Base articles by E-Mail?

Every night we scan the Microsoft Knowledge Base. If technologies you're interested in are updated, we'll send you an e-mail. You only get one e-mail a day, and only when new articles are added.
Click here to create a
FREE account
Already have an account?
[Click here to Login]











Microsoft Knowledge Base Article

This article contents is Microsoft Copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks
Article ID: 2431728 - Last Review: October 28, 2010 - Revision: 5.0

Encrypted content in ASP.NET is not decrypted or results in errors for a website that uses persisted Forms Authentication cookies or is deployed in a web farm

View products that this article applies to.

SYMPTOMS

After you apply security update MS10-070 (http://www.microsoft.com/technet/security/bulletin/ms10-070.mspx) to servers that serve Microsoft ASP.NET websites that are deployed in a web farm, some servers or applications in the web farm may encounter one or more of the following symptoms:
  • Failure to decrypt data
  • Exceptions in the WebResource or ScriptResource handlers
  • Authentication failures when using Forms Authentication
  • "Invalid Viewstate" exceptions
  • "Unable to validate data" exceptions when trying to decrypt data such as Forms Authentication cookie
  The failure could manifest as an application exception when accessing the ASP.NET application, and information that resembles the following may also be logged in the Application log. 


Message 1:

System.Web.HttpException : Unable to validate data. at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, IVType ivType, Boolean useValidationSymAlgo, Boolean signData)

Message 2:

Event Type: Warning
Event Source: ASP.NET 2.0.50727.0
Event Category: Web Event
Event ID: 1309
Date: Date
Time: Time
User: N/A
Description:
Event code: 3005
Event message: An unhandled exception has occurred.
Exception information:
Exception type: HttpException
Exception message: Unable to validate data.

Back to the top

CAUSE

The security update that bulletin MS10-070 (http://www.microsoft.com/technet/security/bulletin/ms10-070.mspx) addresses changes the default behavior of encryption in ASP.NET. The new default behavior after the security update is installed is to perform validation in addition to encryption even if only encryption is requested. This default behavior changes the encrypted payload on servers where this update is applied. The payload may include view state and forms authentication cookies. If a web farm has only some servers on which the security update is applied, there will be a difference in encryption and decryption methods on the same payload across different servers in the web farm, and this difference in behavior results in exceptions. This behavior can also occur if forms authentication cookies that are persisted on systems before applying the security update are consumed after the security update is applied.

Also, the encryption and decryption methods are different for different service pack versions of the Microsoft .NET Framework 2.0. Therefore, having different service pack levels for the .NET Framework in a web farm environment that has the security update installed results in different encrypted payloads and a similar decryption failure.

Back to the top

RESOLUTION

Verify the following conditions are true on all the servers that are serving the ASP.NET content:
  • All servers that serve an ASP.NET website in the web farm have to install the security update. If some servers do not have the security update installed, you must apply the update to these servers.
  • All computers that are running some version of the .NET Framework 2.0 in the web farm have to be at the same service pack level if the MS10-070 security update is applied to all the systems. If there is a difference in the service pack levels on the servers, you must update all the servers to the latest service pack and reapply all security updates. Therefore, if some servers in the web farm are running the .NET Framework 2.0 SP1, and other servers are running the .NET Framework 2.0 SP2, all the .NET Framework 2.0 SP1 servers must be upgraded to the .NET Framework 2.0 SP2 before you apply the security update to all the servers in the web farm.
  • Make sure that applications are not consuming encrypted data, such as Forms Authentication cookies that were generated before the update was applied. Previously-encrypted data must be refreshed after the security update is applied.
For more information about how to detect the .NET Framework versions and for security update installation on your servers, see the “References” section.
Back to the top

REFERENCES

For more information about the ASP.NET view state, please refer to the following article:
ASP.NET View State Overview (http://msdn.microsoft.com/en-us/library/bb386448.aspx)
For more information about ASP.NET Forms Authentication, please refer to the following article:
ASP.NET Forms Authentication Overview (http://msdn.microsoft.com/en-us/library/7t6b43z4.aspx)
For more information about ASP.NET Forms Authentication tickets and cookies, click the following article number to view the article in the Microsoft Knowledge Base:
910443  (http://kbalertz.com/Feedback.aspx?kbNumber=910443/ ) Understanding the Forms Authentication Ticket and Cookie
For more information about ASP.NET Web Resource handler, click the following article number to view the article in the Microsoft Knowledge Base:
910442  (http://kbalertz.com/Feedback.aspx?kbNumber=910442/ ) Working with Web Resources in ASP.NET 2.0
Back to the top
APPLIES TO
  • Microsoft .NET Framework 4
  • Microsoft .NET Framework 3.5 Service Pack 1
  • Microsoft .NET Framework 3.5
  • Microsoft .NET Framework 2.0 Service Pack 2
  • Microsoft .NET Framework 1.1 Service Pack 1
Back to the top
Keywords: 
kbprb kbfix kbtshoot kbexpertiseinter kbsurveynew KB2431728
Back to the top
        

Community Feedback System

Very often, it takes hours to solve a problem. Very often, you've looked high and low, and have tried a lot of solutions. When you finally found it, chances are, it was because someone else helped you. Here's your chance to give back. Use our community feedback tool to let others know what worked for you and what didn't.

Please also understand that the community feedback system is not warranted to be correct, it's simply a system that we've built to let people try and help each other. If something in a feedback response doesn't make sense to you, or you're not comfortable making changes that the feedback talks about (like registry edits), please consult a professional.

Thank you for using kbAlertz.com Feedback System.

-- Scott Cate

Copyright © 2002-2007 KBALERTZ.COM.  All Rights Reserved. Terms / PrivacyDiscount ASP.NET Hosting