
MachineKey.Protect/Unprotect breaks when enabling 32 bit applications

I am using the .NET MachineKey.Protect method to encrypt a token in one application and the corresponding MachineKey.Unprotect method to verify the token in a different application.

Everything works fine until I have to set Enable 32-Bit Applications to True in IIS to get some other code to run. Then the MachineKey.Unprotect method throws an exception:

Error occurred during a cryptographic operation.

I have tried this with both applications in the same app pool, and both in different app pools, and all combinations of the setting. Anything apart from the Enable 32-Bit Applications set to False in all instances results in the error.

Any ideas on what might be causing this?

The answer to my problem was to specify a fixed machine key in both versions of machine.config:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config

and

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config

adding this element in <system.web>:

<machineKey validationKey="C3A9A590C67C27D96650E4EF5F586943A641187F5655052C3EB0BAC852CAA7D094D21376D4C8D91E989A36D9D2BF868B3CA63493AC6358B0415C1E34E1B8C346"
        decryptionKey="C6E83A1393A826814BE889349CBFDFBFCDC9318313616EDD" 
        validation="HMACSHA512" decryption="AES" />

I am still unsure as to why this works. IIS was set to use a server wide machine key in IIS Manager. The clue to solving the problem came when I tried to search for the existing keys in the machine.config files.

You still need to ensure that both applications are running in the same mode.

You can even encrypt in one application running with Enable 32-Bit Applications set to True and decrypt in another with Enable 32-Bit Applications set to False if you set the machine key in the applications' web.config.

EDIT

Since trying to deploy it to a server running Server 2008 we found it was necessary to amend 4 machine.config files:

C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config

Still don't really know why

I actually don't know for sure, but the Enable 32bit applications changes the working process bitness.

On 32bit system it does nothing.

On x64 system, when it is set to false (default), IIS worker processes work in x64 mode and use 64bit environment (path, registry, etc). But when this setting is set to true, related worker processes are launched in x86 mode, and use 32bit (syswow) environment - settings, executables, com components, etc - may disappear or different versions may show up. That's because syswow environment uses different system paths, different registry locations, etc.

I wouldn't be surprised to see that the encryption keys stored for normal and syswow environments are different. Whatever you were using for encrypting, try launching that in 32bit mode and retry.

Also, "Error occurred during a cryptographic operation." doesn't tell much, really. Have you checked stacktrace or innerexceptions?

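Switching from a 32-bit to a 64-bit application will cause a different machine.config to be loaded, which may cause problems if the machine.config files specify different values for machineKey, up to and including differences in the keys, or in the way the default keys are generated.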
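
As an added example (not part of the original answers): a PowerShell check that reads the machineKey element from each of the four machine.config files listed above and reports whether the 32-bit and 64-bit frameworks are pinned to the same settings. It assumes PowerShell 3.0 or later and a machine.config root element without an XML namespace; keys are shown only as truncated SHA-256 fingerprints so they never appear in console output or logs.

```powershell
# Added example, not from the original answers. Assumes PowerShell 3.0+ and
# read access to the machine.config paths listed in the answer above.
$configs = @(
    'C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config',
    'C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config',
    'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\machine.config',
    'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config'
)

# Truncated SHA-256 fingerprint: lets keys be compared without printing them.
function Get-KeyFingerprint([string]$Value) {
    if ([string]::IsNullOrEmpty($Value)) { return '(not set)' }
    if ($Value -like 'AutoGenerate*')    { return $Value }  # no fixed key to hash
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($Value.ToUpperInvariant())
        $hex   = [System.BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', ''
        return $hex.Substring(0, 16)
    } finally { $sha.Dispose() }
}

$report = foreach ($path in $configs) {
    $row = [ordered]@{ Path = $path; Validation = ''; Decryption = ''
                       ValidationKey = '(not set)'; DecryptionKey = '(not set)' }
    if (Test-Path -LiteralPath $path) {
        $xml = New-Object System.Xml.XmlDocument
        $xml.Load($path)
        $mk = $xml.SelectSingleNode('/configuration/system.web/machineKey')
        if ($null -ne $mk) {
            $row.Validation    = $mk.GetAttribute('validation')
            $row.Decryption    = $mk.GetAttribute('decryption')
            $row.ValidationKey = Get-KeyFingerprint ($mk.GetAttribute('validationKey'))
            $row.DecryptionKey = Get-KeyFingerprint ($mk.GetAttribute('decryptionKey'))
        }
    } else { $row.Validation = '(file missing)' }
    [pscustomobject]$row
}
$report | Format-Table -AutoSize

# Compare only the files that exist on this server.
$present  = @($report | Where-Object { $_.Validation -ne '(file missing)' })
$distinct = @($present | Group-Object Validation, Decryption, ValidationKey, DecryptionKey)
$unpinned = @($present | Where-Object { $_.ValidationKey -notmatch '^[0-9A-F]{16}$' -or
                                        $_.DecryptionKey -notmatch '^[0-9A-F]{16}$' })
if ($distinct.Count -gt 1) { Write-Warning 'machineKey settings differ between machine.config files.' }
if ($unpinned.Count -gt 0) { Write-Warning 'At least one file has no fixed validationKey/decryptionKey.' }
```

The same XPath and fingerprint comparison can be pointed at each application's web.config when the key is set there instead.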
