should the same machine key be used in development and production environments?

Posted by Henry Troup on Server Fault See other posts from Server Fault or by Henry Troup
Published on 2010-03-30T20:44:14Z Indexed on 2010/03/30 20:53 UTC
Read the original article Hit count: 539

Filed under:

webresource.axd

|

c#

|

ASP.NET

|

iis6

|

web.config

Our production servers all have the same machine key. However, our production and development systems do not have identical machine keys. We get heaps (about one per second) of exceptions of the form

System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed.
at System.Security.Cryptography.RijndaelManagedTransform.DecryptData()
at System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock()
at System.Security.Cryptography.CryptoStream.FlushFinalBlock()
at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData()
at System.Web.UI.Page.DecryptStringWithIV()...

We deploy the code after a build, .cs source is not present on production. aspx files are present on production.

(Should I have posted in Stack Overflow? It's not a coding question.)

From experimentation, we've found using the dev machine key value causes the exceptions to go away. Does anyone have documentation that I can use with the security team on the need for identical keys at compile and deployment time?

© Server Fault or respective owner

Related posts about webresource.axd

Getting "The WebResource.axd handler must be registered in the configuration to process this request

as seen on Stack Overflow - Search for 'Stack Overflow'
I'm getting this error while running my ASP.NET app on IIS7. I've tried doing what it says to do but it doesn't help. The WebResource.axd handler must be registered in the configuration to process this request. >  > > <configuration>… >>> More
WebResource.axd - Invalid ViewState

as seen on Stack Overflow - Search for 'Stack Overflow'
I keep seeing these errors in our error log. Any ideas how i can figure out where its coming from, or better yet how to fix the problem? System.Web.HttpException: Invalid viewstate. at System.Web.UI.Page.DecryptString(String s) at System.Web.Handlers.AssemblyResourceLoader.System.Web.IHttpHandler… >>> More
webresource.axd, scriptresource.axd and javascript files not getting cached

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi, I built the asp.net website in release mode, set the debug flag to false in web.config, but still some of the webresource.axd and scriptresource.axd and javascript files are not getting cached. fiddler shows the status code "200" for these items instead of "304". what else I am missing to cache… >>> More
ASP.NET Development Server - Empty webResource.axd after conversion from 2.0 to 3.5

as seen on Stack Overflow - Search for 'Stack Overflow'
I have moved a project from asp.net 2.0 to 3.5. The original project was using the atlas ajax extensions so I have modified the code to use the built in ajax features in 3.5. When running the project within the dev environemnt (VS2008 on Vista Business SP1) and using the asp.net dev server I receive… >>> More
should the same machine key be used in development and production environments?

as seen on Server Fault - Search for 'Server Fault'
Our production servers all have the same machine key. However, our production and development systems do not have identical machine keys. We get heaps (about one per second) of exceptions of the form System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed. at… >>> More

Related posts about c#

.NET WebRequest.PreAuthenticate not quite what it sounds like

as seen on West-Wind - Search for 'West-Wind'
I’ve run into the problem a few times now: How to pre-authenticate .NET WebRequest calls doing an HTTP call to the server – essentially send authentication credentials on the very first request instead of waiting for a server challenge first? At first glance this sound like it should be easy:… >>> More
HttpWebRequest and Ignoring SSL Certificate Errors

as seen on West-Wind - Search for 'West-Wind'
Man I can't believe this. I'm still mucking around with OFX servers and it drives me absolutely crazy how some these servers are just so unbelievably misconfigured. I've recently hit three different 3 major brokerages which fail HTTP validation with bad or corrupt certificates at least according to… >>> More
The dynamic Type in C# Simplifies COM Member Access from Visual FoxPro

as seen on West-Wind - Search for 'West-Wind'
I’ve written quite a bit about Visual FoxPro interoperating with .NET in the past both for ASP.NET interacting with Visual FoxPro COM objects as well as Visual FoxPro calling into .NET code via COM Interop. COM Interop with Visual FoxPro has a number of problems but one of them at least got a lot… >>> More
Dynamic Type to do away with Reflection

as seen on West-Wind - Search for 'West-Wind'
The dynamic type in C# 4.0 is a welcome addition to the language. One thing I’ve been doing a lot with it is to remove explicit Reflection code that’s often necessary when you ‘dynamically’ need to walk and object hierarchy. In the past I’ve had a number of ReflectionUtils that used string based expressions… >>> More
Finding a Relative Path in .NET

as seen on West-Wind - Search for 'West-Wind'
Here’s a nice and simple path utility that I’ve needed in a number of applications: I need to find a relative path based on a base path. So if I’m working in a folder called c:\temp\templates\ and I want to find a relative path for c:\temp\templates\subdir\test.txt I want to receive back subdir\test… >>> More