I saw this error twice very recently and searching the Internet remarkably I’ve not been able to find any good explanation for it, so I hope this can be helpful in case you’ll get in trouble.
The first occurrence happened with an application hosted on a web farm, and in IE the users were getting the error “WebPartManager is undefined”. If you take a look at the HTTP traffic with Fiddler (or you look into the IIS logs) and you see you are getting error 500 on WebResource.axd, then have a look at the “TextView” tab and other tabs to carefully inspect the request you get from the server. That way, we found the real error message, which was:
Padding is invalid and cannot be removed. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. Exception Details: System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed. Source Error: An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below. Stack Trace: [CryptographicException: Padding is invalid and cannot be removed.] System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast) +1455156 System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount) +306 System.Security.Cryptography.CryptoStream.FlushFinalBlock() +30 System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, Boolean useValidationSymAlgo) +159 System.Web.UI.Page.DecryptString(String s) +79 System.Web.Handlers.AssemblyResourceLoader.System.Web.IHttpHandler.ProcessRequest(HttpContext context) +211 System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +303 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +64
Padding is invalid and cannot be removed.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed.
Source Error: An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace: [CryptographicException: Padding is invalid and cannot be removed.] System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast) +1455156 System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount) +306 System.Security.Cryptography.CryptoStream.FlushFinalBlock() +30 System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, Boolean useValidationSymAlgo) +159 System.Web.UI.Page.DecryptString(String s) +79 System.Web.Handlers.AssemblyResourceLoader.System.Web.IHttpHandler.ProcessRequest(HttpContext context) +211 System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +303 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +64
The validationKey and decryptionKey for MachineKey were correctly set to a static value shared across all the servers on the Web Farm, but the decryption attribute was still set to “Auto”; the problem was resolved changing the decryption value to “EAS” on all servers.
In this case we were randomly getting the following (SSL was involved here, but is should not really make a difference):
Padding is invalid and cannot be removed. Url : http://MyWebSite.com/App_Themes/Default/WebResource.axd?d=h5orERdAXqJwNOs03yyPelp7bMUUMOtSL2yUIRd-eh2-cuX6WPyygZ3af2jYqwPf0GxIQ9SNZIrG5n9i8AgXUw2&t=633059379620000000 Script : /App_Themes/Default/ WebResource.axd Server.GetLastError.ToString: System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed at System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast) at System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount) at System.Security.Cryptography.CryptoStream.FlushFinalBlock() at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, Boolean useValidationSymAlgo) at System.Web.UI.Page.DecryptString(String s) at System.Web.Handlers.AssemblyResourceLoader.System.Web.IHttpHandler.ProcessRequest(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExeutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Url : http://MyWebSite.com/App_Themes/Default/WebResource.axd?d=h5orERdAXqJwNOs03yyPelp7bMUUMOtSL2yUIRd-eh2-cuX6WPyygZ3af2jYqwPf0GxIQ9SNZIrG5n9i8AgXUw2&t=633059379620000000
Script : /App_Themes/Default/ WebResource.axd
Server.GetLastError.ToString: System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed at System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast) at System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount) at System.Security.Cryptography.CryptoStream.FlushFinalBlock() at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, Boolean useValidationSymAlgo) at System.Web.UI.Page.DecryptString(String s) at System.Web.Handlers.AssemblyResourceLoader.System.Web.IHttpHandler.ProcessRequest(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExeutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
As you can see the stack of the error is the same. But this time we were on a single server (no Web Farm and the customer was not using Web Garden) and even if the customer had tried using a fixed MachineKey value, it did not help. Also article A System.Security.Cryptography.CryptographicException exception occurs when you try to use the RijndaelManaged class to decrypt data did not help because the customer was not working with encryption in his code.
The problem here was one of the CSS the customer was using, here is the relevant excerpt:
cursor:pointer; width:15px; height:15px; float:left; background-repeat:no-repeat;background-position:50%; background-image:url(WebResource.axd?d=h5orERdAXqJwNOs03yyPelp7bMUUMOtSL2yUIRd-e h2-cuX6WPyygZ3af2jYqwPfNQQAbG75SUCIun2YdKD8uQ2&t=633059379620000000);
As you can see the background image URL is a hardcoded WebResource.axd and is exactly the same one logged in the error…
URLs to web resources should not be hardcoded but rather we must use GetWebResourceUrl instead.
Carlo
Hi,
I'm working on a system that uses webfarms and has sticky sessions. So, would the webfarm scenario described above still be valid there? And css does not have a hardcoded WebResource.axd url. So, I don't think that's the cause of the error.
Any suggestions?
Hello,
The hardcoded WebResource.axd URL could in other files too (.js files, or in the HTML markup, or in .NET code...), the error would be the same.
Other than that I think you're right, the problem should be investigated somewhere else
I've checked everywhere. I can't the string WebResource.axd or ScriptResource.axd anywhere in the solution except in the web config where the ScriptResource is defined in the handlers section of <system.webServer>
What should I be looking for?