Encrypted content in ASP.NET is not decrypted or results in errors for a website that uses persisted Forms Authentication cookies or is deployed in a web farm
Article ID: 2431728
After you apply security update MS10-070 (http://www.microsoft.com/technet/security/bulletin/ms10-070.mspx) to servers that serve Microsoft ASP.NET websites that are deployed in a web farm, some servers or applications in the web farm may encounter one or more of the following symptoms:
The security update described in bulletin MS10-070 (http://www.microsoft.com/technet/security/bulletin/ms10-070.mspx) changes the default behavior of encryption in ASP.NET. After the security update is installed, ASP.NET by default performs validation in addition to encryption, even if only encryption is requested. This changes the encrypted payload on servers where the update is applied. The payload may include view state and forms authentication cookies. If the security update is applied to only some servers in a web farm, the servers use different encryption and decryption methods for the same payload, and this difference results in exceptions. The same behavior can also occur if forms authentication cookies that were persisted on systems before the security update was applied are consumed after it is applied.
Also, the encryption and decryption methods are different for different service pack versions of the Microsoft .NET Framework 2.0. Therefore, having different service pack levels for the .NET Framework in a web farm environment that has the security update installed results in different encrypted payloads and a similar decryption failure.
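The mismatch described above can be modelled in a few lines. This is an added illustration, not Microsoft's code and not ASP.NET's actual payload format: the toy stream cipher, the HMAC-SHA256 tag, the length-prefixed ticket, the keys and the server names web01/web02 are all assumptions made for the example.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes

def _xor_stream(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher (SHA-256 in counter mode), a stand-in for the real cipher.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + struct.pack(">Q", off)).digest()
        out += bytes(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def protect(ticket: bytes, enc_key: bytes, mac_key: bytes, patched: bool) -> bytes:
    # Length-prefix the ticket so a consumer can detect a malformed plaintext.
    ct = _xor_stream(enc_key, struct.pack(">H", len(ticket)) + ticket)
    if patched:  # post-update default: validation is added to encryption
        ct += hmac.new(mac_key, ct, hashlib.sha256).digest()
    return ct

def unprotect(payload: bytes, enc_key: bytes, mac_key: bytes, patched: bool) -> bytes:
    if patched:  # a patched server expects a trailing validation tag
        ct, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
        expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
        if len(payload) < TAG_LEN or not hmac.compare_digest(tag, expected):
            raise ValueError("validation failed")
        payload = ct
    plain = _xor_stream(enc_key, payload)
    if len(plain) < 2 or struct.unpack(">H", plain[:2])[0] != len(plain) - 2:
        raise ValueError("malformed ticket")
    return plain[2:]

def farm_matrix(servers: dict, ticket: bytes = b"user=alice;persistent=1") -> dict:
    # servers maps a constructed server name to True (patched) or False (unpatched).
    enc_key, mac_key = b"E" * 32, b"M" * 32  # constructed keys shared by the farm
    result = {}
    for issuer, i_patched in servers.items():
        payload = protect(ticket, enc_key, mac_key, i_patched)
        for consumer, c_patched in servers.items():
            try:
                ok = unprotect(payload, enc_key, mac_key, c_patched) == ticket
            except ValueError:
                ok = False
            result[(issuer, consumer)] = ok
    return result

if __name__ == "__main__":
    for pair, ok in farm_matrix({"web01": True, "web02": False}).items():
        print(pair, "ok" if ok else "FAILS")
```

The (unpatched issuer, patched consumer) pair also models a persisted forms authentication cookie that was issued before the update and is consumed after it.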
Verify that the following conditions are true on all the servers that are serving the ASP.NET content:
For more information about the ASP.NET view state, please refer to the following article:
ASP.NET View State Overview
For more information about ASP.NET Forms Authentication, please refer to the following article:
ASP.NET Forms Authentication Overview
For more information about ASP.NET Forms Authentication tickets and cookies, click the following article number to view the article in the Microsoft Knowledge Base:
910443 (http://support.microsoft.com/kb/910443/) Understanding the Forms Authentication Ticket and Cookie
For more information about ASP.NET Web Resource handler, click the following article number to view the article in the Microsoft Knowledge Base:
910442 (http://support.microsoft.com/kb/910442/) Working with Web Resources in ASP.NET 2.0
Article ID: 2431728 - Last Review: October 28, 2010 - Revision: 5.0