Home
%3CLINGO-SUB%20id%3D%22lingo-sub-501145%22%20slang%3D%22en-US%22%3ERoot%20Cause%20Analysis%20for%20CryptographicException%20error%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-501145%22%20slang%3D%22en-US%22%3E%3CP%3EIIS%20may%20log%20%3CSTRONG%3ECryptographicException%20(The%20data%20is%20invalid)%3C%2FSTRONG%3E%20error%20if%20a%20cookie%20is%20empty%20and%20corrupt.%20If%20the%20issue%20is%20intermittent%2C%20an%20immediate%20solution%20may%20not%20be%20needed.%20However%2C%20a%20root%20cause%20analysis%20can%20provide%20valuable%20information%20and%20prevent%20the%20issue%20occurring%20again%20in%20the%20future.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CBLOCKQUOTE%3E%0A%3CP%3EHere%20is%20the%20error%20message%20in%20Event%20Viewer%3A%3C%2FP%3E%0A%3CP%3EEvent%20code%3A%203005%20%3CBR%20%2F%3EException%20type%3A%20CryptographicException%20%3CBR%20%2F%3EException%20message%3A%20The%20data%20is%20invalid.%3C%2FP%3E%0A%3C%2FBLOCKQUOTE%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20638px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F111017iAA94286145C15E5F%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%225.jpg%22%20title%3D%225.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EIt%E2%80%99s%20a%20good%20idea%20to%20check%20application%20specific%20logs%20as%20well.%20In%20my%20case%2C%20the%20application%20logs%20showed%20record%20below.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CBLOCKQUOTE%3E%0A%3CP%3E2019-01-26%2008%3A56%3A28%20AM%20ERROR%3A%20ID1073%3A%20A%20CryptographicException%20occurred%20when%20attempting%20to%20decrypt%20the%20cookie%20using%20the%20ProtectedData%20API.%20If%20you%20are%20using%20IIS%207.5%2C%20this%20could%20be%20due%20to%20the%20loadUserProfile%20setting%20on%20the%20Application%20Pool%20being%20set%20to%20false.%3C%2FP%3E%0A%3C%2FBLOCKQUOTE%3E%0A%3CH2%20id%3D%22toc-hId-1730499484%22%20id%3D%22toc-hId-1730503327%22%3E%26nbsp%3B%3C%2FH2%3E%0A%3CH2%20id%3D%22toc-hId--821657477%22%20id%3D%22toc-hId--821653634%22%3ERoot%20Cause%20Analysis%3C%2FH2%3E%0A%3CP%3EConsidering%20the%20environment%20and%20issue%20story%2C%20the%20issue%20occurred%20possibly%20because%20of%20an%20empty%20or%20corrupt%20cookie.%20Since%20IIS%20doesn%E2%80%99t%20log%20the%20cookie%20information%20by%20default%2C%20It%20is%20not%20possible%20to%20tell%20which%20cookie%20it%20was.%3C%2FP%3E%0A%3CP%3EWhy%20a%20cookie%20becomes%20empty%20or%20corrupt%3F%20Possible%20reasons%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20style%3D%22font-weight%3A%20400%3B%22%3ENetwork%20issues%3C%2FLI%3E%0A%3CLI%20style%3D%22font-weight%3A%20400%3B%22%3EClosing%20the%20browser%20before%20the%20request%20is%20prepared%3C%2FLI%3E%0A%3CLI%20style%3D%22font-weight%3A%20400%3B%22%3EBrowser%20crash%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CH2%20id%3D%22toc-hId-921152858%22%20id%3D%22toc-hId-921156701%22%3E%26nbsp%3B%3C%2FH2%3E%0A%3CH2%20id%3D%22toc-hId--1631004103%22%20id%3D%22toc-hId--1631000260%22%3ESolutions%3C%2FH2%3E%0A%3CP%3EHaving%20%E2%80%9CLoad%20User%20Profile%E2%80%9D%20parameter%20set%20to%20%E2%80%9CFalse%E2%80%9D%20may%20cause%20CryptographicException%20(The%20data%20is%20invalid)%20error.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20520px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F111018iFC45CBDA793D092E%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%226.jpg%22%20title%3D%226.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAdditionally%2C%20I%20would%20recommend%20checking%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fdotnet%2Fapi%2Fsystem.security.cryptography.protecteddata.unprotect%3Fview%3Dnetframework-4.7.2%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EUnprotect%3C%2FA%3E%20function%20which%20mentioned%20in%20the%20stack%20trace.%20This%20function%20takes%203%20parameters.%20One%20of%20them%20is%20causing%20this%20error%20because%20of%20an%20invalid%20input.%20The%20parameter%20with%20the%20issue%20is%20most%20likely%20the%20first%20one%20(%3CCODE%3EencryptedData%3C%2FCODE%3E).%20Somehow%2C%20the%20input%20that%20was%20provided%20to%20this%20function%20was%20not%20in%20the%20correct%20format%20when%20the%20issue%20occured.%20You%20may%20want%20to%20debug%20your%20source%20code%20to%20find%20out%20possible%20causes.%3C%2FP%3E%0A%3CP%3ESystem.Security.Cryptography.ProtectedData.Unprotect(Byte%5B%5D%20encryptedData%2C%20Byte%5B%5D%20optionalEntropy%2C%20DataProtectionScope%20scope)%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-111806232%22%20id%3D%22toc-hId-111810075%22%3E%26nbsp%3B%3C%2FH2%3E%0A%3CH2%20id%3D%22toc-hId-1854616567%22%20id%3D%22toc-hId-1854620410%22%3EFuture%20occurrences%3C%2FH2%3E%0A%3CP%3EFor%20better%20troubleshooting%20the%20next%20time%2C%20you%20may%20want%20to%20enable%20extra%20logging%20features%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20style%3D%22font-weight%3A%20400%3B%22%3EFailed%20Request%20Tracing%20for%20302%20errors%3C%2FLI%3E%0A%3CLI%20style%3D%22font-weight%3A%20400%3B%22%3ECookie%20logging%20(IIS%20%26gt%3B%20Website%20%26gt%3B%20Logging%20%26gt%3B%20Select%20Fields%20%26gt%3B%20Cookie%20(cs(Cookie))%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20386px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F111019i8EC5A8EFD87DFA57%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%227.png%22%20title%3D%227.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBe%20aware%20that%20both%20of%20these%20features%20may%20cause%20high%20CPU%20load.%20It%E2%80%99s%20better%20to%20monitor%20the%20resource%20usage%20for%20a%20while%20after%20enabling%20them.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-501145%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23333333%3B%20cursor%3A%20text%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3EIIS%20may%20log%20%3C%2FSPAN%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20bold%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3ECryptographicException%20(The%20data%20is%20invalid)%3C%2FSTRONG%3E%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23333333%3B%20cursor%3A%20text%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%20error%20if%20a%20cookie%20is%20empty%20and%20corrupt.%20If%20the%20issue%20is%20intermittent%2C%20an%20immediate%20solution%20may%20not%20be%20needed.%20However%2C%20a%20root%20cause%20analysis%20can%20provide%20valuable%20information%20and%20prevent%20the%20issue%20occurring%20again%20in%20the%20future.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E
Microsoft

IIS may log CryptographicException (The data is invalid) error if a cookie is empty and corrupt. If the issue is intermittent, an immediate solution may not be needed. However, a root cause analysis can provide valuable information and prevent the issue occurring again in the future.

 

Here is the error message in Event Viewer:

Event code: 3005
Exception type: CryptographicException
Exception message: The data is invalid.

5.jpg

It’s a good idea to check application specific logs as well. In my case, the application logs showed record below.

 

2019-01-26 08:56:28 AM ERROR: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API. If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false.

 

Root Cause Analysis

Considering the environment and issue story, the issue occurred possibly because of an empty or corrupt cookie. Since IIS doesn’t log the cookie information by default, It is not possible to tell which cookie it was.

Why a cookie becomes empty or corrupt? Possible reasons:

  • Network issues
  • Closing the browser before the request is prepared
  • Browser crash

 

Solutions

Having “Load User Profile” parameter set to “False” may cause CryptographicException (The data is invalid) error.

 

6.jpg

 

Additionally, I would recommend checking Unprotect function which mentioned in the stack trace. This function takes 3 parameters. One of them is causing this error because of an invalid input. The parameter with the issue is most likely the first one (encryptedData). Somehow, the input that was provided to this function was not in the correct format when the issue occured. You may want to debug your source code to find out possible causes.

System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope)

 

Future occurrences

For better troubleshooting the next time, you may want to enable extra logging features:

  • Failed Request Tracing for 302 errors
  • Cookie logging (IIS > Website > Logging > Select Fields > Cookie (cs(Cookie))

7.png

 

Be aware that both of these features may cause high CPU load. It’s better to monitor the resource usage for a while after enabling them.