Web application works locally but not on IIS

Question

1.00/5 (2 votes)

See more:

Hello experts,

This is kind of annoying because my web application works locally and when moved to IIS I get the below error

C#

Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)

I have checked the event viewer and tried to set Load user profile to True in app pool settings and but nothing worked.

Your help is much appreciated.

Complete Stack Trace

C#

Stack trace:    at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.RSACryptoServiceProvider.DecryptKey(SafeKeyHandle pKeyContext, Byte[] pbEncryptedKey, Int32 cbEncryptedKey, Boolean fOAEP, ObjectHandleOnStack ohRetDecryptedKey)
   at System.Security.Cryptography.RSACryptoServiceProvider.Decrypt(Byte[] rgb, Boolean fOAEP)
   at Login.Page_Load(Object sender, EventArgs e) in E:\wwwroot\ClaimForm\Login.aspx.vb:line 136
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

The pageload code is as below

C#

Dim ip As String = HttpContext.Current.Request.UserHostAddress
      tdError.Visible = False
      trErrorUser.Visible = False
      trErrorPass.Visible = False
      trErrorInvalidPWD.Visible = False
      trErrorDisable.Visible = False

      LoadRSAText()

      Dim crypted As String = Utilities.IsNull(Request.Form("crypted"))
      Dim user As String = Utilities.IsNull(Request.Form("txtUser"))

      ' Get # of login attempts
      Dim counter As BotIpCounter = GetBotIPCounter(ip)
      Const NUM_BAD_ATTEMPTS As Integer = 4
      If counter.Counter > NUM_BAD_ATTEMPTS Then CaptchaRequired = True

      'If IsPostBack Then Exit Sub

      If crypted <> String.Empty Then
          IncrementBotIPCounter(counter)
          If counter.Counter > NUM_BAD_ATTEMPTS + 2 AndAlso CaptchaRequired Then
              Dim rereponse As String = Utilities.IsNull(Request.Form("g-recaptcha-response"))
              'Response.Write(String.Format("<script>alert('{0}')</script>", RecaptchaCheck(ip, rechallenge, rereponse)))

              Dim success As Boolean = False
              Dim errorcode As String = String.Empty
              Try
                  '  RecaptchaCheck(ip, rereponse, success, errorcode)
              Catch ex As Exception
                  litErrorCaptcha.Text = "<li>" & ex.Message & "</li>"
                  tdError.Visible = True
                  Exit Sub
              End Try

              If Not success Then
                  litErrorCaptcha.Text = errorcode
                  tdError.Visible = True
                  Exit Sub
              End If
          End If

      End If
      Dim pass As String ' = Utilities.IsNull(Request.Form("password")).ToUpper

      If user = "" Then
          trErrorUser.Visible = True
          tdError.Visible = True
          'ElseIf pass = "" Then
          '  trErrorPass.Visible = True
          '  tdError.Visible = True
      ElseIf Not tdError.Visible Then

          Dim ds As DataSet = Nothing
          ' look for user entry for this user
          ds = dbm.dbGetLogin(user, ip)
          If ds.Tables("Table").Rows.Count = 0 Then
              ' invalid user... show invalid password instead
              trErrorInvalidPWD.Visible = True
              tdError.Visible = True
              Exit Sub
          End If
          user = ds.Tables("Table").Rows(0)("ruuser")


          'If Request.Form("crypted") IsNot Nothing Then
          'Dim rsa As RSACryptoServiceProvider = DecodeRSAPrivateKey(Convert.FromBase64String(GlobalSettings.PEMPRIVATEKEY))
          'Dim Parameters As RSAParameters = rsa.ExportParameters(False)
          'If rsa Is Nothing Then Throw New Exception("NULL RSA")
          Dim cspParams As New CspParameters
          cspParams.Flags = CspProviderFlags.UseMachineKeyStore
          Dim rsa As New RSACryptoServiceProvider(cspParams)
          rsa.FromXmlString(RSAPRIVATEKEY)
          pass = ASCIIBytesToString(rsa.Decrypt(HexStringToByteArray(crypted.ToString()), False)).ToUpper
          'Response.Write(String.Format("<script>alert('{0}')</script>", pass))
          'End If


          ' look for password entry for this user
          If Utilities.IsNull(ds.Tables("Table").Rows(0)("rnpass")) = String.Empty Then
              ' no password
              Dim newpass As String
              Try
                  Dim encrpass As String = dbnet.dbGetPassword(user)
                  If encrpass Is Nothing Then
                      trErrorInvalidPWD.Visible = True
                      tdError.Visible = True
                      Exit Sub
                  End If
                  newpass = dbnet.dbDecryptPassword(encrpass).ToUpper
              Catch ex As Exception
                  ' as400 is down
                  If Now.Hour = 21 Then
                      trErrorDaily.Visible = True
                  Else
                      trErrorServer.Visible = True
                  End If
                  tdError.Visible = True
                  Exit Sub
              End Try

              ' create a password entry
              dbm.dbCreatePassword(user, getSHA1Hash(newpass))
              ' look for user entry again
              ds = dbm.dbGetLogin(user, ip)
          End If

          Dim dr As DataRow = ds.Tables("Table").Rows(0)

          If dr("rudel") = "D" Then
              trErrorDisable.Visible = True
              tdError.Visible = True
          ElseIf dr("rnpass") <> getSHA1Hash(pass) Then
              ' wrong password
              If Session(GlobalSettings.SESSION_WRONGPASS) Is Nothing Then Session.Add(GlobalSettings.SESSION_WRONGPASS, 0)
              Session(GlobalSettings.SESSION_WRONGPASS) = Math.Min(Session(GlobalSettings.SESSION_WRONGPASS) + 1, 3)

              If Session(SESSION_WRONGPASS) >= 3 Then
                  Session(SESSION_WRONGPASS) = 0
                  If dr("rutype") = "E" Then SendDisabledEmail(user, "Disabled User - Too many wrong password attempts: " & user)
                  dbm.dbDisableUser(user, GlobalSettings.DISABLEREASON_TOOMANYBADPWS)
                  trErrorDisable.Visible = True
              End If
              trErrorInvalidPWD.Visible = True
              tdError.Visible = True
              If dr("blocked") = "T" Then
                  dbnet.StartThread_StoreWebBlocked(user, ip, "BLOCKED IP & WRONG PWD")
              End If
          ElseIf dr("blocked") = "T" Then
              dbnet.StartThread_StoreWebBlocked(user, ip, "BLOCKED IP & LOGGED IN SUCCESS")
              dbm.dbDisableUser(user, "Customer Disabled, Block IP")
              'SendBlockedEmail(user, "Disabled User - BLOCKED IP: " & user)
              trErrorBlocked.Visible = True
              tdError.Visible = True
          ElseIf Request.Browser.Type = "Unknown" Then
              dbm.dbDisableUser(user, "Screen scraping DO NOT ENABLE")
              tdError.Visible = True
          End If

          If dr("blocked") = "T" OrElse Request.Browser.Type = "Unknown" Then
              trErrorInvalidPWD.Visible = False
              trErrorDisable.Visible = False
          End If

          ' user/pass is correct and account is OK
          If tdError.Visible = False Then
              dbm.StartThread_UpdateUserLogon(user)

              KillOtherSessions(user)
              RemoveOldCache(Session.SessionID)
              CacheSession(user)
              ClearBotIP(ip)

              Session.RemoveAll()
              Session.Add(GlobalSettings.SESSION_USER, user)
              Session.Add(GlobalSettings.SESSION_USERSNAME, dr("runame"))
              Session(GlobalSettings.SESSION_LOGINURL) = "Login.aspx"
              'Manage Roles- 11232015
              If dr("rutype").ToString() = "M" Then
                  Session(GlobalSettings.SESSION_ROLE) = "ADMIN"
              ElseIf dr("rutype").ToString() = "E" Then
                  Session(GlobalSettings.SESSION_ROLE) = "END"
              Else
                  Session(GlobalSettings.SESSION_ROLE) = "USER"
              End If
              Session.Add("cookiecartloaded", False)

              ' Logging
              dbnet.StartThread_StoreWebLog(user, ip, String.Empty, 0, Request.Browser.Type)
              Response.Redirect("~/DealerLocation.aspx", True)

          End If

      Else
          Session.RemoveAll()
      End If

Posted 12-Jan-16 5:19am

sudevsu

Updated 13-Jan-16 2:20am

v2

Add a Solution

Comments

F-ES Sitecore 12-Jan-16 11:22am

What's the error message?

Dave Kreskowiak 12-Jan-16 11:32am

Without the exception message, at the very least, it's impossible to tell you anything useful. The stack trace doesn't tell us anything at all.

Richard Deeming 12-Jan-16 11:33am

Post the error message, and the code that's throwing the exception (the Page_Load method in Login.aspx.vb).

sudevsu 12-Jan-16 11:48am

I have all the unhandled exepctions redirecting me to a page called "Internal error" .

Error message in Event views shows this
Exception information:
Exception type: CryptographicException
Exception message: Bad Data.
Nothing else apart from the stack trace.
It works locally so I am not sure what is wrong

Richard Deeming 12-Jan-16 12:04pm

And the code in Page_Load is?

Don't try to post it in the comments; click "Improve question" and update your question with the missing details.

sudevsu 13-Jan-16 8:19am

Alright I am not sure why is this line causing the problem ?
As soon as I remove the below line from web.config everything worked.
"mimemap mimetype="application/octet-stream" fileextension=".ttf""

I was doing some work with Barcode and ttf images so I added that line in web.config.
I will have to look at this later next week. For now, the release is good to go.

ZurdoDev 13-Jan-16 10:35am

Please post as solution so that this is no longer in the Unanswered list.

sudevsu 13-Jan-16 11:20am

Ryan, I don't think that is actually a solution, I am going on for Leave for few days so this is kind of temporary fix for the release. So I didn't post it as solution.

ZurdoDev 13-Jan-16 11:24am

If removing something from web.config fixes it than the solution is to find out why that line causes issues in your server. Perhaps something is not installed.

Richard Deeming 13-Jan-16 9:55am

It's not clear which line of your code is line 136, but the most likely candidate would appear to be:
pass = ASCIIBytesToString(rsa.Decrypt(HexStringToByteArray(crypted.ToString()), False)).ToUpper

The value you're trying to decrypt is read from the request. It's not clear how that value was generated, but the error suggests it's not valid.

The code isn't particularly clear, but it looks like you're storing passwords using either a reversible encryption, or an un-salted SHA1 hash. You should only ever store hashed passwords, using a unique salt per record, and using a secure hash algorithm. (SHA1 is no longer considered secure.)
Salted Password Hashing - Doing it Right[^]

sudevsu 13-Jan-16 11:19am

Yeah 136 line actually the line you mentioned.

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)