Uncategorized

“Padding is invalid an cannot be removed” or “WebPartManager is undefined”

I saw this error twice very recently and searching the Internet remarkably I’ve not been able to find any good explanation for it, so I hope this can be helpful in case you’ll get in trouble.

Web Farm?

The first occurrence happened with an application hosted on a web farm, and in IE the users were getting the error “WebPartManager is undefined”. If you take a look at the HTTP traffic with Fiddler (or you look into the IIS logs) and you see you are getting error 500 on WebResource.axd, then have a look at the “TextView” tab and other tabs to carefully inspect the request you get from the server. That way, we found the real error message, which was:

Padding is invalid and cannot be removed.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed.

Source Error: An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:
[CryptographicException: Padding is invalid and cannot be removed.]
System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast) +1455156
System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount) +306
System.Security.Cryptography.CryptoStream.FlushFinalBlock() +30 System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, Boolean useValidationSymAlgo) +159
System.Web.UI.Page.DecryptString(String s) +79
System.Web.Handlers.AssemblyResourceLoader.System.Web.IHttpHandler.ProcessRequest(HttpContext context) +211
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +303
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +64

The validationKey and decryptionKey for MachineKey were correctly set to a static value shared across all the servers on the Web Farm, but the decryption attribute was still set to “Auto”; the problem was resolved changing the decryption value to “EAS” on all servers.

Hardcoded links to resources

In this case we were randomly getting the following (SSL was involved here, but is should not really make a difference):

Padding is invalid and cannot be removed.

Url : http://MyWebSite.com/App_Themes/Default/WebResource.axd?d=h5orERdAXqJwNOs03yyPelp7bMUUMOtSL2yUIRd-eh2-cuX6WPyygZ3af2jYqwPf0GxIQ9SNZIrG5n9i8AgXUw2&t=633059379620000000

Script : /App_Themes/Default/ WebResource.axd

Server.GetLastError.ToString: System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed
at System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast)
at System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount)
at System.Security.Cryptography.CryptoStream.FlushFinalBlock()
at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, Boolean useValidationSymAlgo) at System.Web.UI.Page.DecryptString(String s)
at System.Web.Handlers.AssemblyResourceLoader.System.Web.IHttpHandler.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExeutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

As you can see the stack of the error is the same. But this time we were on a single server (no Web Farm and the customer was not using Web Garden) and even if the customer had tried using a fixed MachineKey value, it did not help. Also article A System.Security.Cryptography.CryptographicException exception occurs when you try to use the RijndaelManaged class to decrypt data did not help because the customer was not working with encryption in his code.

The problem here was one of the CSS the customer was using, here is the relevant excerpt:

cursor:pointer; width:15px; height:15px; float:left; background-repeat:no-repeat;background-position:50%;
background-image:url(WebResource.axd?d=h5orERdAXqJwNOs03yyPelp7bMUUMOtSL2yUIRd-e h2-cuX6WPyygZ3af2jYqwPfNQQAbG75SUCIun2YdKD8uQ2&t=633059379620000000);

As you can see the background image URL is a hardcoded WebResource.axd and is exactly the same one logged in the error…

URLs to web resources should not be hardcoded but rather we must use GetWebResourceUrl instead.

 

Carlo

Quote of the day:

Everything is vague to a degree you do not realize till you have tried to make it precise. – Bertrand Russell

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.