IIS may log a CryptographicException (The data is invalid) error if a cookie is empty or corrupt. If the issue is intermittent, an immediate solution may not be needed. However, a root cause analysis can provide valuable information and prevent the issue from occurring again in the future.
Here is the error message in Event Viewer:
Event code: 3005
Exception type: CryptographicException
Exception message: The data is invalid.
It’s a good idea to check application-specific logs as well. In my case, the application logs showed the record below.
2019-01-26 08:56:28 AM ERROR: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API. If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false.
Considering the environment and the history of the issue, the issue possibly occurred because of an empty or corrupt cookie. Since IIS doesn’t log cookie information by default, it is not possible to tell which cookie it was.
Why does a cookie become empty or corrupt? Possible reasons:
Having the “Load User Profile” parameter set to “False” may cause the CryptographicException (The data is invalid) error.
Additionally, I would recommend checking the Unprotect function, which is mentioned in the stack trace. This function takes 3 parameters. One of them is causing this error because of an invalid input. The parameter with the issue is most likely the first one (encryptedData). Somehow, the input that was provided to this function was not in the correct format when the issue occurred. You may want to debug your source code to find out possible causes.
System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope)
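One way to find out which cookie reached Unprotect in a bad state is to validate the first parameter before the call and record the cookie name and length on failure. This is an added example, not code from the original post: the class and method names are hypothetical, and the Base64 encoding and CurrentUser scope are assumptions about how the application protected the cookie.

```csharp
using System;
using System.Diagnostics;
using System.Security.Cryptography;

// Hypothetical helper (not from the original post): classifies why a protected
// cookie value cannot be decrypted with ProtectedData.Unprotect.
public static class CookieUnprotectDiagnostics
{
    public enum Result { Ok, Empty, NotBase64, DecryptFailed }

    // Assumption: the cookie value is the Base64 form of the protected bytes
    // and was protected with DataProtectionScope.CurrentUser.
    public static Result TryUnprotect(string cookieName, string cookieValue,
                                      byte[] optionalEntropy, out byte[] plaintext)
    {
        plaintext = null;

        // Empty cookie: nothing to hand to Unprotect as encryptedData.
        if (string.IsNullOrWhiteSpace(cookieValue))
            return Log(cookieName, 0, Result.Empty, null);

        byte[] encryptedData;
        try { encryptedData = Convert.FromBase64String(cookieValue); }
        catch (FormatException ex)
        { return Log(cookieName, cookieValue.Length, Result.NotBase64, ex); }

        try
        {
            plaintext = ProtectedData.Unprotect(encryptedData, optionalEntropy,
                                                DataProtectionScope.CurrentUser);
            return Result.Ok;
        }
        catch (CryptographicException ex)
        {
            // "The data is invalid" lands here: a truncated or modified blob, or
            // one protected under a different user profile or machine.
            return Log(cookieName, cookieValue.Length, Result.DecryptFailed, ex);
        }
    }

    // Records the cookie name and length only, never the cookie value.
    private static Result Log(string name, int length, Result result, Exception ex)
    {
        Trace.TraceWarning("Cookie '{0}' (length {1}) rejected: {2}. {3}",
                           name, length, result, ex == null ? "" : ex.Message);
        return result;
    }
}
```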
For better troubleshooting the next time, you may want to enable extra logging features:
Be aware that both of these features may cause high CPU load. It’s better to monitor the resource usage for a while after enabling them.