0
votes

I am encrypting data into a cookie via FormsAuthentication.Encrypt(data) in a .Net 4.0 ASP.Net web application deployed on a development web farm. I have specified a machineKey attribute to hard-code the ValidationKey, DecryptionKey, and Decryption (algorithm).
Now, I am trying to decrypt that cookie using an application I built on my development workstation. I am able to get the cookie via Request.Cookies["CookieName"], but when I attempt to decrypt the value via FormsAuthentication.Decrypt(encCookie), I get the following error:

Unable to validate data. at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, Boolean useValidationSymAlgo, Boolean useLegacyMode, IVType ivType, Boolean signData) at System.Web.Security.FormsAuthentication.Decrypt(String encryptedTicket) at TuoVanitySite.Default.Page_Load(Object sender, EventArgs e) in c:\src\ets_2008\main\ebtDev\Sandboxes\rrozinov\TuoVanitySite\TuoVanitySite\Default.aspx.cs:line 22

Here is a blurb from my web.config (keys were removed):

<machineKey 
  validationKey="keyA" 
  decryptionKey="keyB" 
  decryption="3DES" 
  compatibilityMode="Framework20SP1"/>

Has anyone dealt with this situation where machineKey was not enough?

2

2 Answers

1
votes

OK, I was able to find a solution for my problem; however, I am not sure why this works. I had to add the validation attribute to the machineKey:

<machineKey 
  validationKey="keyA" 
  decryptionKey="keyB" 
  validation="SHA1"
  decryption="3DES" 
  compatibilityMode="Framework20SP1"/>

What makes it a bit interesting is the fact that regardless of whether I put SHA1 or 3DES, my code can decrypt just fine. I did confirm that the server is using the default SHA1. I am still open to finding the root cause for educational purposes.
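The cross-host round trip described in the answer above, as an added example that is not code from the question or the answers: a .NET Framework 4.0 console app that references System.Web.dll and carries the same explicit machineKey (keyA/keyB stand in for the real keys, and the user name and userData are made-up sample values) so the workstation can check whether a ticket produced under that configuration decrypts and whether a modified ticket is rejected.

```csharp
// Added example, not from the original post. Build as a .NET Framework 4.0
// console app referencing System.Web.dll, with this App.config beside it
// (keyA/keyB are placeholders for the hex keys used on the web farm):
//
// <configuration>
//   <system.web>
//     <machineKey validationKey="keyA" decryptionKey="keyB"
//                 validation="SHA1" decryption="3DES"
//                 compatibilityMode="Framework20SP1"/>
//   </system.web>
// </configuration>
using System;
using System.Web;
using System.Web.Security;

static class TicketCheck
{
    // Returns the ticket, or null when the MAC/decryption check fails (the
    // "Unable to validate data" HttpException) or the ticket has expired.
    static FormsAuthenticationTicket TryDecrypt(string encrypted)
    {
        try
        {
            FormsAuthenticationTicket t = FormsAuthentication.Decrypt(encrypted);
            if (t == null || t.Expired) return null;
            return t;
        }
        catch (HttpException ex)
        {
            // Any difference in validationKey, decryptionKey, validation or
            // decryption between the encrypting and decrypting host ends here.
            Console.Error.WriteLine("Decrypt failed: " + ex.Message);
            return null;
        }
    }

    static void Main()
    {
        // Sample ticket (constructed values): version 1, 30-minute lifetime.
        var ticket = new FormsAuthenticationTicket(
            1, "alice", DateTime.Now, DateTime.Now.AddMinutes(30), false, "role=user");
        string enc = FormsAuthentication.Encrypt(ticket);
        // Same process, same config: this must succeed. To test the farm-to-
        // workstation case, replace `enc` with the cookie value read from the farm.
        var back = TryDecrypt(enc);
        Console.WriteLine(back != null ? "OK: " + back.Name : "FAILED");
        // Change one hex digit of the ticket: the validation (HMAC) step must reject it.
        char[] c = enc.ToCharArray(); c[0] = c[0] == 'A' ? 'B' : 'A';
        Console.WriteLine(TryDecrypt(new string(c)) == null ? "Modified ticket rejected" : "Modified ticket accepted!");
    }
}
```

Running this on the workstation with the farm's cookie value isolates whether the failure is in the key material (validationKey/decryptionKey) or in the algorithm attributes (validation/decryption), since both sides must agree on all four before Decrypt succeeds.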

0
votes

As mentioned in the "How To: Configure MachineKey in ASP.NET 2.0" article:

HMACSHA1 is used even if validation is set to AES or 3DES

So it may be the case that if the compatibility mode is set to Framework20SP1 or Framework20SP2 then it uses SHA1 regardless of what is set in the validation attribute.

I'm struggling with a similar task at the moment: setting up single sign-on between ASP.Net 4.0 and 3.5 SP1 web applications that are deployed on IIS 8 on Windows Server 2012. It gets more complicated because Win2k12 has .Net 4.5.1, which is an "in-place" upgrade to 4.0...