0

I understand why I'm getting this error, but am having a problem trying to implement a solution.

The original error was the following:

Viewstate verification failed. Reason. The viewstate supplied failed integrity check.

I have tried overriding the machine.config file by adding a machineKey property in the web.config file of the application. I have tried three different versions of this file and am still coming out with the same error: Unrecognized attribute 'decryption'

Here are the three versions of the machineKey attribute I've used: Note that the generated key was retrieved from the following website: http://aspnetresources.com/tools/machineKey

<machineKey validationKey="..." decryptionKey="..." validation="SHA1" decryption="AES" />

<machineKey compatibilityMode="Framework20SP1" validationKey="..." decryptionKey="..." validation="SHA1" decryption="DES" />

<machineKey validationKey="..." decryptionKey="..." validation="SHA1" decryption="DES" />

Note that the web servers are using the .Net 1.1 Framework and using IIS 6. I know the above solutions work for .Net 2.0+, but have never encountered this for the .Net 1.1 version.

Can someone please inform me the correct usage of how to get around this error for the .Net 1.1 version and IIS 6?

PRODUCTION ERROR:

Event code: 4009 
Event message: Viewstate verification failed. Reason: The viewstate supplied failed integrity check. 
Event time: 2/24/2014 9:47:08 AM 
Event time (UTC): 2/24/2014 2:47:08 PM 
Event ID: 4707606054774e39803ddd3faec745ca 
Event sequence: 956 
Event occurrence: 1 
Event detail code: 50203 

Application information: 
    Application domain: /LM/W3SVC/1/ROOT-1-130377033905397700 
    Trust level: Full 
    Application Virtual Path: / 
    Application Path: D:\SMOSingleSignon\ 
    Machine name: SMOBL01 

Process information: 
    Process ID: 27444 
    Process name: w3wp.exe 
    Account name: NT AUTHORITY\NETWORK SERVICE 

Request information: 
    Request URL: http://smons/smo.aspx 
    Request path: /smo.aspx 
    User host address: 168.110.83.66 
    User:  
    Is authenticated: False 
    Authentication Type:  
    Thread account name: NT AUTHORITY\NETWORK SERVICE 

ViewStateException information: 
    Exception message: Invalid viewstate. 
    Client IP: 168.110.83.66 
    Port: 8293 
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) 
    PersistedState: /GWLRu4X63VsbJHek4225SYOqaUFQjF5g+joBkW/kl6+e6KzS5Dt8euAfW3wDOEGZHYcMxltJD1on4vH38qOsyYTbbPB6ciMbCWRVMNz5k6fTxp+d9MVukREFed03OjlMHWb/Qi/lVopMxL2uHgF/tYiFhEjxg7qr++7VLhb2HpApF6S2V1pzgDN7guxr8HEFED4z9l1ei5wC8WiOkHdLjhIg9XChjZ7X2d/Qu2RV/d7Q59CZNGt/srNRSRvchy3mQGPZTDwQSd/H+LVjUVRVpmXpzGHuIXi8KJseV8bFjrTrwmhTBEPJZQjiBdJsOlm 
    Referer: http://smons/smo.aspx 
    Path: /smo.aspx

UPDATED WEB.CONFIG

<?xml version="1.0" encoding="utf-8" ?>
<configuration>

  <system.web>
    <!--<machineKey validationKey="..." validation="SHA1" /> -->
    <machineKey validationKey="..." decryptionKey="..." validation="3DES" />    
    <!--  DYNAMIC DEBUG COMPILATION
          Set compilation debug="true" to insert debugging symbols (.pdb information)
          into the compiled page. Because this creates a larger file that executes
          more slowly, you should set this value to true only when debugging and to
          false at all other times. For more information, refer to the documentation about
          debugging ASP.NET files.
    -->
    <compilation defaultLanguage="vb" debug="false" />

    <!--  CUSTOM ERROR MESSAGES
          Set customErrors mode="On" or "RemoteOnly" to enable custom error messages, "Off" to disable. 
          Add <error> tags for each of the errors you want to handle.

          "On" Always display custom (friendly) messages.
          "Off" Always display detailed ASP.NET error information.
          "RemoteOnly" Display custom (friendly) messages only to users not running 
           on the local Web server. This setting is recommended for security purposes, so 
           that you do not display application detail information to remote clients.
    -->
    <customErrors mode="Off" />

    <!--  AUTHENTICATION 
          This section sets the authentication policies of the application. Possible modes are "Windows", 
          "Forms", "Passport" and "None"

          "None" No authentication is performed. 
          "Windows" IIS performs authentication (Basic, Digest, or Integrated Windows) according to 
           its settings for the application. Anonymous access must be disabled in IIS. 
          "Forms" You provide a custom form (Web page) for users to enter their credentials, and then 
           you authenticate them in your application. A user credential token is stored in a cookie.
          "Passport" Authentication is performed via a centralized authentication service provided
           by Microsoft that offers a single logon and core profile services for member sites.
    -->
    <authentication mode="Windows" /> 


    <!--  AUTHORIZATION 
          This section sets the authorization policies of the application. You can allow or deny access
          to application resources by user or role. Wildcards: "*" mean everyone, "?" means anonymous 
          (unauthenticated) users.
    -->
    <authorization>
        <allow users="*" /> <!-- Allow all users -->

            <!--  <allow     users="[comma separated list of users]"
                             roles="[comma separated list of roles]"/>
                  <deny      users="[comma separated list of users]"
                             roles="[comma separated list of roles]"/>
            -->
    </authorization>

    <!--  APPLICATION-LEVEL TRACE LOGGING
          Application-level tracing enables trace log output for every page within an application. 
          Set trace enabled="true" to enable application trace logging.  If pageOutput="true", the
          trace information will be displayed at the bottom of each page.  Otherwise, you can view the 
          application trace log by browsing the "trace.axd" page from your web application
          root. 
    -->
    <trace enabled="false" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true" />


    <!--  SESSION STATE SETTINGS
          By default ASP.NET uses cookies to identify which requests belong to a particular session. 
          If cookies are not available, a session can be tracked by adding a session identifier to the URL. 
          To disable cookies, set sessionState cookieless="true".
    -->

    <sessionState 
            mode="InProc"
            stateConnectionString="tcpip=999.0.0.9:99999"
            sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
            cookieless="false" 
            timeout="20" 
    />
<!--    
    <sessionState mode="StateServer"
        stateConnectionString="tcpip=999.0.0.9:99999"
        cookieless="false"
        timeout="180"/>
-->
    <!--  GLOBALIZATION
          This section sets the globalization settings of the application. 
    -->
    <globalization requestEncoding="utf-8" responseEncoding="utf-8" />

  </system.web>
 <appSettings>
        <add key="SingleSignonSOAPEndPoint" value="http://localhost/SMOWebServices/SMOSingleSignon.asmx"/>
        <add key="MSSQLSVR" value="SSCPPSRDBB\PROD"/>
        <add key="MSSQLDB"  value="SMO"/>
        <add key="MSSQLUID" value="smoss"/>
        <add key="MSSQLPWD" value="smo0ss0$"/>
        <add key="Message"  value="SMO 4.1C10"/>
        <add key="JWalkServerHost" value = "SMOBL01"/>  
        <add key="ProdFlag" value="T"/>
        <add key="DB400UID" value="SMOAPPL"/>
        <add key="DB400PWD" value="SMOAPPL"/>   
        <add key="MGPSQLDB"  value="General_Purpose"/>
  </appSettings>

</configuration>
Yuhong Bao
  • 3,891
  • 1
  • 19
  • 20
sagesky36
  • 4,542
  • 19
  • 82
  • 130

1 Answers1

2

Remove the "decryption" and "compatibilityMode" attributes from the <machineKey> element. .NET 1.1 doesn't support them.

Additionally, you should never use a machine key that you didn't generate yourself. Otherwise you're trusting that the third party that gave you the key isn't logging it and using it for nefarious purposes. You can generate random values securely on your own machine by following the instructions at http://msdn.microsoft.com/en-us/library/ms998288.aspx#paght000007_webfarmdeploymentconsiderations.

Levi
  • 32,628
  • 3
  • 87
  • 88
  • Levi, I removed both properties as you suggested, but am now getting the following error. How should I proceed now? "Machine decryption key is invalid. It is '64' chars long. It should be either "AutoGenerate", or 16 (for DES) Hex chars long, or 48 (for Triple-DES) Hex chars long, and may be followed by ",IsolateApps". – sagesky36 Feb 05 '14 at 18:29
  • Per the error message, trim the decryption key to 48 characters. – Levi Feb 05 '14 at 20:07
  • Levi, as per the docs, I ran the app and generated a key. So, are the only properties I need to put on the "machineKey" node the "decryptionKey" (where the generated key will go) and "validation" (which I put 3DES for a 48 bit generated key)? – sagesky36 Feb 05 '14 at 20:36
  • You'll need to specify "validationKey" at minimum if you're in a farm. If you want __VIEWSTATE to be encrypted, you'll additionally need to specify "validation" (set to "3DES") and "decryptionKey" (set to your 48-character 3DES key). – Levi Feb 05 '14 at 21:01
  • Thanks for your input. What value should the "validationKey" property be set to? A key was generated by the program, but I don't know if I'm supposed to use that key in BOTH the "validationKey" or "decryptionKey" properties. I have the "decryptionKey" and "validation" properties set up as you described, but am unsure about the "validationKey" value. – sagesky36 Feb 05 '14 at 23:16
  • The "decryptionKey" and "validationKey" values must be different. Use a random string of at least 32 hex characters (40 characters is preferred) for the validation key. – Levi Feb 06 '14 at 07:32
  • Levi, I'm confused... The "decryptionKey" I'm using is the following: 3DES. I set the "decryptionKey" to 24 bytes (48 hexadecimal characters) as per your referred link. I don't see anywhere in your referred link of generating a key of 32 hex characters. How do I go about doing that? The app only accepts 128, 64 and 48 hex keys. – sagesky36 Feb 06 '14 at 16:28
  • Do I need to run the app again to generate another 48 hex key value and use that for the validation key? I'm unsure of what to use for the validationKey and how to produce it... – sagesky36 Feb 06 '14 at 16:31
  • Yes, run the app again and generate a *different* hex string for the validation key. Truncate the validation key to no fewer than 32 (preferably 40) hex characters. – Levi Feb 06 '14 at 17:00
  • Thanks Levi... We applied the updated config file to just one server and no problems. We'll need to apply that same fix to several servers on the web farm with the other web.config files and will let you know how it turns out. Thanks so much for your help so far... – sagesky36 Feb 11 '14 at 15:01
  • Levi, we just implemented into PROD today and everything worked fine. Thanks a lot for your help. I checked the question as answered :) – sagesky36 Feb 24 '14 at 13:22
  • Levi, the previous comment was a bit premature. I will edit my message and show you the exact error we are getting. If you can shed any new light on what might be happening, I would appreciate it. – sagesky36 Feb 24 '14 at 19:07
  • Levi, I will modify my question again to list what the updated web.config file looks like. Note that this is for a .Net 1.1 framework. – sagesky36 Feb 24 '14 at 19:35