Key not valid for use in specified state

  • Question

  • We have a CRM deployment with 2 CRM frontend servers, using an internet-facing deployment with a custom STS. Users encounter the below error "sometimes" while browsing the organization. Please note that this error occurs randomly and rarely and we cannot reliably reproduce the error. 

    An error has occurred.

    Try this action again. If the problem continues, check the Microsoft Dynamics CRM Community for solutions or contact your organization's Microsoft Dynamics CRM Administrator. Finally, you can contact Microsoft Support.

    We checked the Windows Event Logs and found several errors related to WIF, below. This error occurs on both servers. We tried modifying the client's hosts file to point to the IP of each server separately, and changing the hosts file while logged in to point to the other server; no error occurred. So it doesn't seem like this error is related to server affinity from the load balancer. The error we find in the logs looks like the following (Note: I changed some names related to our setup, but all error-relevant info is there):

    Log Name:      Application
    Source:        ASP.NET 4.0.30319.0
    Date:          2/22/2012 7:06:37 PM
    Event ID:      1309
    Task Category: Web Event
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      CRMWEB1.mydomain.local
    Description:
    Event code: 3005 
    Event message: An unhandled exception has occurred. 
    Event time: 2/22/2012 7:06:37 PM 
    Event time (UTC): 2/22/2012 5:06:37 PM 
    Event ID: b45a460875514302a2586aef36183cc4 
    Event sequence: 3253 
    Event occurrence: 10 
    Event detail code: 0 
     
    Application information: 
        Application domain: /LM/W3SVC/1/ROOT-1-185443548789540333 
        Trust level: Full 
        Application Virtual Path: / 
        Application Path: C:\Program Files\Microsoft Dynamics CRM\CRMWeb\ 
        Machine name: CRMWEB1
     
    Process information: 
        Process ID: 8554 
        Process name: w3wp.exe 
        Account name: MYDOMAIN\CRMAppService 
     
    Exception information: 
        Exception type: CryptographicException 
        Exception message: Key not valid for use in specified state.
       at System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope)
       at Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[] encoded)
     
    Request information: 
        Request URL: https://myorganization.crm.mydomain.local:443/tools/Admin/admin.aspx?pagemode=iframe 
        Request path: /tools/Admin/admin.aspx 
        User host address: x.x.x.x 
        User:  
        Is authenticated: False 
        Authentication Type:  
        Thread account name: MYDOMAIN\CRMAppService 
     
    Thread information: 
        Thread ID: 23 
        Thread account name: MYDOMAIN\CRMAppService 
        Is impersonating: False 
        Stack trace:    at System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope)
       at Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[] encoded)
     
    Custom event details: 
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="ASP.NET 4.0.30319.0" />
        <EventID Qualifiers="32768">1309</EventID>
        <Level>3</Level>
        <Task>3</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2012-02-22T17:06:37.000000000Z" />
        <EventRecordID>2292728</EventRecordID>
        <Channel>Application</Channel>
        <Computer>CRMWEB1.mydomain.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data>3005</Data>
        <Data>An unhandled exception has occurred.</Data>
        <Data>2/22/2012 7:06:37 PM</Data>
        <Data>2/22/2012 5:06:37 PM</Data>
        <Data>b45a460875514302a2586aef36183cc4</Data>
        <Data>3253</Data>
        <Data>10</Data>
        <Data>0</Data>
        <Data>/LM/W3SVC/1/ROOT-1-185443548789540333</Data>
        <Data>Full</Data>
        <Data>/</Data>
        <Data>C:\Program Files\Microsoft Dynamics CRM\CRMWeb\</Data>
        <Data>CRMWEB1</Data>
        <Data>
        </Data>
        <Data>8554</Data>
        <Data>w3wp.exe</Data>
        <Data>MYDOMAIN\CRMAppService</Data>
        <Data>CryptographicException</Data>
        <Data>Key not valid for use in specified state.


       at System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope)
       at Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[] encoded)


    </Data>
        <Data>https://myorganization.crm.mydomain.local:443/tools/Admin/admin.aspx?pagemode=iframe</Data>
        <Data>/tools/Admin/admin.aspx</Data>
        <Data>x.x.x.x</Data>
        <Data>
        </Data>
        <Data>False</Data>
        <Data>
        </Data>
        <Data>MYDOMAIN\CRMAppService</Data>
        <Data>23</Data>
        <Data>MYDOMAIN\CRMAppService</Data>
        <Data>False</Data>
        <Data>   at System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope)
       at Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[] encoded)
    </Data>
      </EventData>
    </Event>


    Wednesday, February 22, 2012 7:27 PM

Answers

  • It turned out to be a network load balancing problem.

    The solution to this problem is to check "The deployment uses an NLB", and this is how:

    1- Open "Microsoft Dynamics CRM Deployment Manager"
    2- In the console, right-click the root node named "Microsoft Dynamics CRM" and click "Properties"
    3- Select the second tab, called "Web Address"
    4- Click the Advanced button at the bottom
    5- Make sure that the "The deployment uses an NLB" checkbox is checked
    6- Click "OK", then "Apply"
    7- Run an IIS reset on both servers

    Having this flag set to true will cause CRM to configure WIF (Windows Identity Foundation) to use the Claims Authentication Encryption Certificate to encrypt/decrypt and sign the CRM session authentication cookie. Otherwise the certificate will be used only to decrypt the token returned from the STS, and each server would use a different key for encrypting the cookie, which is why I was getting an error when a client authenticated on one server accessed the second server.

    Monday, February 27, 2012 12:57 PM
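    The mechanism the answer describes, shown as an added example that is not part of the original post and is not Dynamics CRM's own code: in a WIF (Microsoft.IdentityModel) relying party the default SessionSecurityTokenHandler protects the session cookie with ProtectedDataCookieTransform, which is DPAPI keyed to the local machine; that is the ProtectedData.Unprotect call in the stack trace above, and it is why a cookie issued by CRMWEB1 cannot be decoded on CRMWEB2. Replacing those transforms with RSA transforms keyed to a certificate shared by the farm is the generic WIF fix for a web farm, and enabling the NLB flag makes CRM do the equivalent with the Claims Authentication Encryption Certificate. The Global.asax.cs below is for a hypothetical relying party of your own (for example a portal that federates with the same STS); it assumes a <serviceCertificate> entry in web.config and that the same certificate, including its private key, is installed on every server.

```csharp
// Global.asax.cs of a WIF 3.5 (Microsoft.IdentityModel) relying party.
// Added example, not Dynamics CRM code: swaps the DPAPI-based session cookie
// transforms for RSA transforms keyed to the service certificate, so that any
// server in the farm can decode a session cookie issued by any other server.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;
using Microsoft.IdentityModel.Web.Configuration;

public class Global : System.Web.HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        // Raised once when WIF builds its configuration; the right place to
        // replace the default SessionSecurityTokenHandler.
        FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
    }

    private static void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
    {
        // The certificate configured under <serviceCertificate> in web.config
        // (assumption: the same certificate is installed on every farm member).
        X509Certificate2 cert = e.ServiceConfiguration.ServiceCertificate;

        // The RSA transforms decrypt with the private key, so a server that was
        // given only the public certificate would fail on every cookie it did
        // not issue itself. Fail at startup instead of intermittently per user.
        if (cert == null || !cert.HasPrivateKey)
        {
            throw new InvalidOperationException(
                "A service certificate with a private key is required for RSA session cookie protection.");
        }

        // Default pipeline is Deflate + ProtectedDataCookieTransform (DPAPI,
        // machine scoped). Keep Deflate, replace DPAPI with RSA encrypt + sign.
        var transforms = new List<CookieTransform>
        {
            new DeflateCookieTransform(),
            new RsaEncryptionCookieTransform(cert),
            new RsaSignatureCookieTransform(cert)
        };

        var sessionHandler = new SessionSecurityTokenHandler(transforms.AsReadOnly());
        e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
    }
}
```

    The HasPrivateKey check is the caveat that matters in practice: the certificate must be identical on every server and exported with its private key, and the application pool identity (here MYDOMAIN\CRMAppService) needs read access to that key. If only one server can read the key, the symptom is the same intermittent cookie failure the question describes, just confined to the server that cannot.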

All replies

  • I have this exact error as well, intermittently, but our support portal is hosted on Azure. What settings can you change for that environment when you don't control IIS? Also, our CRM is CRM 2011 Online, so we again don't have access to all these advanced settings. It seems that if a provider is going to offer these SaaS services, then these things should be configured...

    Monday, July 2, 2012 1:44 PM