This repository has been archived by the owner on Oct 17, 2018. It is now read-only.

DataProtection: XmlNamespace, Configuration, Options #51

Closed
kscott5 opened this issue Feb 18, 2015 · 4 comments

Comments

kscott5 commented Feb 18, 2015

After reviewing the following error and the associated assembly source, I'm led to believe this error is associated with configuring DataProtection, the equivalent of the machineKey section found in machine.config or web.config.

For example, CngCbcAuthenticatedEncryptorConfiguration.cs references the http://www.asp.net/2014/dataProtection/cng XML namespace. I also found CngCbcAuthenticatedEncryptorConfigurationOptions.cs, which implies configuring the option in Startup.cs.

One final thought: I also found https://support.microsoft.com/kb/2915218, which contains PowerShell scripts for Generate-MachineKey and Provision-AutoGenKeys.

So, what is the preferred way to configure DataProtection to avoid the error below?

An unhandled exception occurred while processing the request.
CryptographicException: Key not valid for use in specified state.

Microsoft.AspNet.Security.DataProtection.Cng.DpapiSecretSerializerHelper.UnprotectWithDpapiImpl(Byte* pbProtectedData, UInt32 cbProtectedData, Byte* pbOptionalEntropy, UInt32 cbOptionalEntropy)

Stack:
CryptographicException: Key not valid for use in specified state.
Microsoft.AspNet.Security.DataProtection.Cng.DpapiSecretSerializerHelper.UnprotectWithDpapiImpl(Byte* pbProtectedData, UInt32 cbProtectedData, Byte* pbOptionalEntropy, UInt32 cbOptionalEntropy)
Microsoft.AspNet.Security.DataProtection.Cng.DpapiSecretSerializerHelper.UnprotectWithDpapi(Byte[] protectedSecret)
Microsoft.AspNet.Security.DataProtection.XmlEncryption.DpapiXmlDecryptor.Decrypt(XElement encryptedElement)
Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptorConfigurationXmlReader.FromXml(XElement element)
Microsoft.AspNet.Security.DataProtection.KeyManagement.XmlKeyManager.ParseKeyElement(XElement keyElement)
Microsoft.AspNet.Security.DataProtection.KeyManagement.XmlKeyManager.GetAllKeys()
Microsoft.AspNet.Security.DataProtection.KeyManagement.KeyRingProvider.CreateCachedKeyRingInstanceUnderLock(DateTime utcNow, CachedKeyRing existingCachedKeyRing)
Microsoft.AspNet.Security.DataProtection.KeyManagement.KeyRingProvider.GetCurrentKeyRing()
Microsoft.AspNet.Security.DataProtection.KeyManagement.KeyRingBasedDataProtector.Protect(Byte[] unprotectedData)
Microsoft.AspNet.Security.DataHandler.SecureDataFormat`1.Protect(TData data)
Microsoft.AspNet.Security.Google.GoogleAuthenticationHandler.BuildChallengeUrl(AuthenticationProperties properties, String redirectUri)
Microsoft.AspNet.Security.OAuth.OAuthAuthenticationHandler`2.ApplyResponseChallenge()
Microsoft.AspNet.Security.Infrastructure.AuthenticationHandler.ApplyResponseChallengeAsync()
Microsoft.AspNet.Security.Infrastructure.AuthenticationHandler.<ApplyResponseCoreAsync>d__58.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
Microsoft.AspNet.Security.Infrastructure.AuthenticationHandler.<ApplyResponseAsync>d__57.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
Microsoft.AspNet.Security.Infrastructure.AuthenticationHandler.<TeardownAsync>d__45.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
Microsoft.AspNet.Security.Infrastructure.AuthenticationHandler.<TeardownAsync>d__45.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
Microsoft.AspNet.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__11.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
Microsoft.AspNet.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__11.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
Microsoft.AspNet.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__11.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
Microsoft.AspNet.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__11.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
Microsoft.AspNet.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__11.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
Microsoft.AspNet.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__11.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
Microsoft.AspNet.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__11.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
Microsoft.AspNet.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__11.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
Microsoft.AspNet.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__11.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
Microsoft.AspNet.Diagnostics.ErrorPageMiddleware.<Invoke>d__4.MoveNext()

Query:
authenticationType = Google

Headers:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Connection: keep-alive
Cookie: .AspNet.Correlation.Google=VpRqdBW-jM7ZSLM-GqS91j-s58vHN7CAotDK9IsNMYs
Host: localhost:8080
Referer: http://localhost:8080/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36
kscott5 (Author) commented Feb 18, 2015

Created a module for https://support.microsoft.com/kb/2915218:

Generate-MachineKeys
Provision-AutoGenKeys (modified to pull the SID from WindowsIdentity.GetCurrent() instead of using the UPN)

Ran Generate-MachineKeys to create the machineKey XML needed for web.config.
Updated the web.config in the root and in wwwroot.

Not sure, however, why the AppData\Local\ASP.NET\ folder started to appear with a key. It could have been from executing the Provision-AutoGenKeys cmdlet, but I had to modify this cmdlet to not use the UPN.

Any ideas?

GrabYourPitchforks (Contributor) commented

The <machineKey> element from previous versions of ASP.NET doesn't apply to ASP.NET 5. DataProtection uses its own independent configuration mechanism. Can you elaborate further on your environment? For instance, are you seeing this in IIS Express or full IIS? If it's in full IIS, what user account (app pool identity, network service, etc.) is the application pool running under?

GrabYourPitchforks (Contributor) commented

BTW, to immediately unblock yourself, you can delete the contents of the %LOCALAPPDATA%\ASP.NET\ folder.
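An added example to go with the advice above; it is not code from this issue or from the ASP.NET repository. It shows two things the thread touches on. First, a DPAPI blob can only be unprotected under the principal whose DPAPI master key protected it, and with the same optional entropy (the `pbOptionalEntropy` argument in the stack trace); a mismatch typically surfaces as the same `CryptographicException: Key not valid for use in specified state.`, which is why the question about the application pool identity matters. Second, it moves the `%LOCALAPPDATA%\ASP.NET` folder aside with a timestamp instead of deleting it outright. The folder path is the one named in this thread; the sample secret and the two entropy strings are constructed for the demonstration.

```powershell
# Added example, not from the issue thread or the ASP.NET repository.
# Requires Windows PowerShell; DPAPI is reached through System.Security.Cryptography.ProtectedData.
Add-Type -AssemblyName System.Security

# Protect a constructed secret with DPAPI under the current user using one entropy value,
# then try to unprotect it with another. Returns $true only when the secret round-trips.
function Test-DpapiRoundTrip {
    param(
        [byte[]]$ProtectEntropy   = $null,   # optional entropy used when protecting
        [byte[]]$UnprotectEntropy = $null    # optional entropy used when unprotecting
    )
    $secret = [System.Text.Encoding]::UTF8.GetBytes('constructed sample secret')
    $scope  = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
    $blob   = [System.Security.Cryptography.ProtectedData]::Protect($secret, $ProtectEntropy, $scope)
    try {
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $UnprotectEntropy, $scope)
        return ([System.Text.Encoding]::UTF8.GetString($plain) -eq 'constructed sample secret')
    }
    catch [System.Security.Cryptography.CryptographicException] {
        # Mismatched entropy, or a blob protected under another user's DPAPI master key,
        # ends up here; the message is the one reported in the stack trace above.
        Write-Warning "DPAPI unprotect failed: $($_.Exception.Message)"
        return $false
    }
}

$entropyA = [System.Text.Encoding]::UTF8.GetBytes('constructed-entropy-A')
$entropyB = [System.Text.Encoding]::UTF8.GetBytes('constructed-entropy-B')
"Same entropy:       $(Test-DpapiRoundTrip -ProtectEntropy $entropyA -UnprotectEntropy $entropyA)"
"Mismatched entropy: $(Test-DpapiRoundTrip -ProtectEntropy $entropyA -UnprotectEntropy $entropyB)"

# Move the DataProtection key folder aside rather than deleting it, so anything protected
# with the old keys can still be recovered if that turns out to be necessary.
function Backup-AspNetKeyFolder {
    param([string]$KeyFolder = (Join-Path $env:LOCALAPPDATA 'ASP.NET'))
    if (-not (Test-Path -LiteralPath $KeyFolder)) {
        Write-Host "No key folder at $KeyFolder; nothing to do."
        return
    }
    # List what is about to be moved: each key file, its size and when it was last written.
    Get-ChildItem -LiteralPath $KeyFolder -Recurse -File |
        Select-Object FullName, Length, LastWriteTime |
        Format-Table -AutoSize
    $backup = "$KeyFolder.bak-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
    # Fails if a running application still holds the key files open; stop it first.
    Move-Item -LiteralPath $KeyFolder -Destination $backup
    Write-Host "Moved $KeyFolder to $backup."
    Write-Host 'A fresh key ring will be generated on the next request; cookies protected with the old keys will no longer be readable.'
}

# Backup-AspNetKeyFolder
```

Clearing the key folder is fine on a development box, which is the situation in this thread, but anything protected with the old keys (authentication cookies, the OAuth correlation cookie shown in the request headers) is rejected afterwards, so the same step on a shared or production key store is a forced sign-out of every user.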

kscott5 (Author) commented Feb 23, 2015

A few things I know I did before it started working: I granted my ID ownership of my hard drive, ran the Provision-AutoGenKey, and deleted the contents of the %LocalAppData%\AspNet folder.

kscott5 closed this as completed Feb 23, 2015