Unable to validate data error with machine key set to SHA1

Question

I have a simple .net application using the .NET 2.0 runtime in IIS 7.5 where I've changed the machine key in the web.config to use the following:

  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="SHA1"/>

This works fine locally, but when I publish to the server I get an "HttpException (0x80004005): Unable to validate data" whenever browsing the site. I've made sure to set compilation debug="false". Setting the validation method to 3DES eliminates this issue, but we have a requirement to work with SHA1. Is there some configuration option I'm missing here? see the stack trace below.

 [HttpException (0x80004005): Unable to validate data.] System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, IVType ivType, Boolean useValidationSymAlgo, Boolean signData) +1008 System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, IVType ivType, Boolean useValidationSymAlgo) +91 System.Web.UI.Page.EncryptStringWithIV(String s, IVType ivType) +83 System.Web.UI.Page.EncryptString(String s) +30 System.Web.Handlers.RuntimeScriptResourceHandler.GetScriptResourceUrlImpl(List`1 assemblyResourceLists, Boolean zip, Boolean notifyScriptLoaded) +1497 System.Web.Handlers.RuntimeScriptResourceHandler.System.Web.Handlers.IScriptResourceHandler.GetScriptResourceUrl(List`1 assemblyResourceLists, Boolean zip, Boolean notifyScriptLoaded) +1148 System.Web.Handlers.RuntimeScriptResourceHandler.System.Web.Handlers.IScriptResourceHandler.GetScriptResourceUrl(Assembly assembly, String resourceName, CultureInfo culture, Boolean zip, Boolean notifyScriptLoaded) +152 System.Web.Handlers.ScriptResourceHandler.GetScriptResourceUrl(Assembly assembly, String resourceName, CultureInfo culture, Boolean zip, Boolean notifyScriptLoaded) +37 System.Web.UI.ScriptManager.GetScriptResourceUrl(String resourceName, Assembly assembly) +105 System.Web.UI.ScriptRegistrationManager.RegisterClientScriptResource(Control control, Type type, String resourceName) +113 System.Web.UI.ScriptManager.System.Web.UI.IScriptManager.RegisterClientScriptResource(Control control, Type type, String resourceName) +14 System.Web.UI.ClientScriptManager.RegisterClientScriptResource(Control control, Type type, String resourceName) +53 System.Web.UI.WebControls.Menu.OnPreRender(EventArgs e, Boolean registerScript) +113 System.Web.UI.WebControls.Menu.OnPreRender(EventArgs e) +25 System.Web.UI.Control.PreRenderRecursiveInternal() +80 System.Web.UI.Control.PreRenderRecursiveInternal() +171 System.Web.UI.Control.PreRenderRecursiveInternal() +171 System.Web.UI.Control.PreRenderRecursiveInternal() +171 System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +842 

Answer 1

Are you running the application in an truly .NET 2.0 app-pool? (I am asking because you are using IIS 7.5).

If not, bear in mind that there has been a change in the encryption algorithms in the .NET 4.5 framework.

If you need to be compatible with the < .NET 4.5 Framework you will need a compatibility tag:

<machineKey compatibilityMode="Framework20SP1" />  

See http://msdn.microsoft.com/en-us/library/system.web.configuration.machinekeysection.compatibilitymode.aspx or http://blogs.msdn.com/b/webdev/archive/2012/10/23/cryptographic-improvements-in-asp-net-4-5-pt-2.aspx for details.

Answer 2

我发现当“系统密码学：使用fips兼容算法进行加密，散列和签名”（安全设置>>本地策略>> securityOptions）的本地安全策略设置为true时，Sha1将无法正常工作，这就是原因为什么我在这种情况下得到错误。