Error When You Use 3DES Encryption with Manual Keys in Web.config file of ASP.NET Application (317054)


The information in this article applies to:

  • Microsoft ASP.NET (included with the .NET Framework) 1.0
This article was previously published under Q317054

SYMPTOMS

When you use the 3DES encryption type for the validation attribute of the <machineKey> tag in the Web.config file for the application, if you specify a manual key for the validationKey and the decryptionKey attributes, you receive the following error message when you browse to .aspx pages on the application:
Server Error in '/WebApplication1' Application.

Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection

Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:
[ArgumentException: Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.]
System.Buffer.BlockCopy(Array src, Int32 srcOffset, Array dst, Int32 dstOffset, Int32 count) +0
System.Web.Configuration.MachineKey.GetEncodedData(Byte[] buf, String strModifier, Int32 start, Int32 length) +716
System.Web.UI.LosWriter.CompleteTransforms(TextWriter output, Boolean enableMac, String macKey) +187
System.Web.UI.LosFormatter.SerializeInternal(TextWriter output, Object value) +122
System.Web.UI.Page.OnFormRender(HtmlTextWriter writer, String formUniqueID) +143
System.Web.UI.HtmlControls.HtmlForm.RenderChildren(HtmlTextWriter writer) +35
System.Web.UI.HtmlControls.HtmlForm.Render(HtmlTextWriter output) +395
System.Web.UI.Control.RenderControl(HtmlTextWriter writer) +243
System.Web.UI.Control.RenderChildren(HtmlTextWriter writer) +72
System.Web.UI.Control.Render(HtmlTextWriter writer) +7
System.Web.UI.Control.RenderControl(HtmlTextWriter writer) +243
System.Web.UI.Page.ProcessRequestMain() +1900

RESOLUTION

A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Only apply it to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Microsoft Visual Studio .NET service pack that contains this hotfix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The typical support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The English version of this fix should have the following file attributes or later: 
   Date        Time    Version       Size       File name       Platform
   ---------------------------------------------------------------------
   25-Jan-2002 09:47   1.0.3705.202  1,183,744  System.Web.dll  x86

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

Steps to Reproduce the Behavior

  1. Create an application, and then add the following code (or similar) to the Web.config file in the root directory of the application: 
    <configuration><system.web>
      <authentication mode="Forms" >
   
	<forms  name=".ASPXAUTH" loginUrl = "login.aspx" protection="All"  >
	   <credentials passwordFormat = "Clear">
 		<user name="user" password="password" />
	   </credentials>
	</forms>

      </authentication>

      <authorization>
	   <deny users="?" /> 
      </authorization>
        <machineKey 
           validationKey="A29D235A751E2BF8209E351E49D50C5DDFE375614A155AC20A929B462D82"
           decryptionKey="F65F0153624D903A3481220D07EA1D3A375C3053CC5A6363"
           validation="SHA1"/>
</system.web>
</configuration>
    With this code, the Web.config file specifies the following:
    • A valid random key of size 60 for the validationKey attribute.
    • A valid random key of size 48 for the decryptionKey attribute.
    • A validation attribute of SHA1.


  2. Request the Default.aspx page. Provide valid credentials (user, password), and then click Submit.
  3. Change the validation algorithm from SHA1 to 3DES.
  4. Refresh the Default.aspx page in the browser. You receive the error message that is listed in the "Symptoms" section.
Modification Type:MinorLast Reviewed:10/11/2005
Keywords:kbHotfixServer kbQFE kbbug kbConfig kbfix kbQFE kbweb KB317054
©2004 Microsoft Corporation. All rights reserved.