This article explains a couple of ways to fix an issue where, after deployment, your Azure App Service suddenly starts throwing an error along the lines of “Error occurred during a cryptographic operation. at System.Web.Security.Cryptography.HomogenizingCryptoServiceWrapper.HomogenizeErrors”.
The error or the StackTrace doesn’t point to anything helpful (understandably, it’ll point to a StartUp.cs or similar file configuring your application’s startup, and likely to a line with some cryptography-related operation).
Background
What a weird world we live in. It’s 2024 (well, 2023 when I originally wrote this article) and I’m occasionally investigating .NET Framework (not .NET Core or .NET) stuff on Azure App Service.
And also, it still doesn’t “just work” 😁 But I guess very few technologies do, right?
Anyway. What was the error?
Problem
I started getting this error after deploying a new application (well, “new” as in one built on .NET Framework 4.8 and deployed to an Azure App Service where it had never been deployed before).
The whole application would fail to start, throwing an exception on startup.
Exception information:
Exception type: CryptographicException
Exception message: Error occurred during a cryptographic operation.
at System.Web.Security.Cryptography.HomogenizingCryptoServiceWrapper.HomogenizeErrors
The whole StackTrace will point to your startup (one way or another), for example:
[CryptographicException: Error occurred during a cryptographic operation.]
System.Web.Security.Cryptography.HomogenizingCryptoServiceWrapper.HomogenizeErrors(Func`2 func, Byte[] input) +115
System.Web.Security.Cryptography.HomogenizingCryptoServiceWrapper.Unprotect(Byte[] protectedData) +70
System.Web.Security.FormsAuthentication.Decrypt(String encryptedTicket) +9778338
Contoso.App.Application_PostAuthenticateRequest(Object sender, EventArgs e) in C:\code\Contoso\Contoso\Global.asax.cs:32
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +141
System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +48
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +71
Okay then. How do we solve this?
Solution
A couple of possible solutions to the issue.
1. Clear your cookies and cache for the current site
The first thing that could be wrong is some weird session or cookie validation issue. Here’s a simple guide on how to remove the cookies for a particular website (as your problem will be scoped to your Azure App Service) in most web browsers:
Google Chrome
- Click the lock icon or ‘not secure’ label to the left of the website address in the address bar.
- In the dropdown menu, click on Cookies.
- You’ll see a list of cookies associated with the site. Select any item and choose Remove to delete these cookies individually, or use Remove All for a complete cleanup.
- Once finished, refresh the page to reload the site without the old cookies and cache.
Mozilla Firefox
- While on the site, click on the lock icon in the address bar.
- Select Clear cookies and site data from the dropdown menu that appears.
- A confirmation dialog will appear, showing the data that will be deleted. Press Remove to proceed.
- Refresh your browser to see the effects immediately.
Microsoft Edge
- Navigate to the site where you want to clear data, click the lock icon or ‘not secure’ to the left of the URL.
- Choose Cookies from the menu to see the cookies and cache stored by the site.
- Click on Remove all to delete all site data or select specific items to delete.
- After clearing, be sure to refresh the page to apply the changes.
Safari (on Mac)
- While on the desired site, click on Safari in the menu bar, then select Preferences.
- Head over to the Privacy tab and then click on Manage Website Data.
- Search for the website you are currently on, select it, and click Remove.
- Finish by refreshing the webpage to complete the cleanup.
After refreshing the page, the issue should be gone. If not, it’s time to dig into the package you uploaded!
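Clearing cookies fixes one browser at a time. The added example below (not code from the original article) handles the same failure server-side, in the handler that appears in the example stack trace: a ticket that cannot be decrypted is treated as "not signed in" and the cookie is expired. The class name `Global` and the choice to build a `GenericPrincipal` with no roles are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical Global.asax.cs code-behind; the class name is an assumption.
public class Global : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return; // no ticket: the request stays anonymous

        FormsAuthenticationTicket ticket = TryDecrypt(cookie.Value);
        if (ticket == null || ticket.Expired)
        {
            // Fail closed: expire the unusable cookie and continue unauthenticated.
            FormsAuthentication.SignOut();
            return;
        }

        // Assumption: no roles are attached to the principal here.
        Context.User = new GenericPrincipal(new FormsIdentity(ticket), new string[0]);
    }

    private static FormsAuthenticationTicket TryDecrypt(string encryptedTicket)
    {
        try
        {
            return FormsAuthentication.Decrypt(encryptedTicket);
        }
        catch (CryptographicException ex)
        {
            // Ticket was protected under a different machine key, or was altered.
            System.Diagnostics.Trace.TraceWarning("Forms ticket rejected: " + ex.Message);
            return null;
        }
        catch (ArgumentException ex)
        {
            // Cookie value is not a well-formed ticket.
            System.Diagnostics.Trace.TraceWarning("Forms ticket malformed: " + ex.Message);
            return null;
        }
    }
}
```

A steady stream of these warnings right after a deployment usually means the machine key changed; a trickle at other times is worth a look as possible cookie tampering.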
2. Make sure you have a valid web.config file with meaningful property values
This turned out to be one of the issues I had – the package I had already contained a web.config file that had a lot of environment variables, which were then meant to be overridden by the variables from the App Service.
This is fine, as long as you remember to check that you’re overwriting all the values that you need to overwrite, but not overwriting things you were not supposed to.
Anyway – as long as you have a valid web.config file with the right appSettings, you’re at least halfway there. But which appSettings should you take a close look at?
MachineKey is a big one. You might, or might not, need a MachineKey entry in your web.config under <system.web />. Depends on your configuration and whether you’re running a single app service or doing something more interesting. By default, Azure is supposed to add one for you if you don’t specify one. If you don’t have one, add one. If you already have one, remove it. I had one in my local web.config file but needed to remove it in Azure 😅
3. Verify you have a certificate with a matching configuration
So this one was what I ran into. Not the exception I would have expected in this case, but what can you do…
I had configured the certificate that my code in the app service needed, but I hadn’t added one.
So here’s what I needed to do (and perhaps you too):
1. Upload your certificate (I uploaded a .pfx) and copy the Thumbprint
2. Add your certificate to be loaded in the app service startup
Make sure the certificate’s Thumbprint is listed in the WEBSITE_LOAD_CERTIFICATES environment variable / app setting (either under Settings > Environment variables or web.config’s <appSettings />).
… and remember to somehow handle loading this certificate in your code!
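One way to handle that loading step, as an added example (not code from the original article). It assumes a Windows App Service plan, where certificates listed in WEBSITE_LOAD_CERTIFICATES are placed in the CurrentUser\My store, and it assumes the app needs the private key; the class and method names are hypothetical.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper; the class and method names are assumptions.
public static class AppCertificates
{
    public static X509Certificate2 LoadByThumbprint(string thumbprint)
    {
        if (string.IsNullOrWhiteSpace(thumbprint))
            throw new InvalidOperationException("Certificate thumbprint is not configured.");

        // Strip spaces and invisible characters that tend to come along when a
        // thumbprint is copied from a certificate dialog.
        string normalized = new string(
            Array.FindAll(thumbprint.ToCharArray(), Uri.IsHexDigit)).ToUpperInvariant();

        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);

            // validOnly: false, because a self-signed certificate has no chain
            // that validates; expiry is checked explicitly below instead.
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, normalized, false);

            if (found.Count == 0)
            {
                // App settings are exposed to the process as environment variables.
                string loaded = Environment.GetEnvironmentVariable("WEBSITE_LOAD_CERTIFICATES");
                throw new InvalidOperationException(
                    "Certificate " + normalized + " is not in CurrentUser\\My. " +
                    "WEBSITE_LOAD_CERTIFICATES is '" + (loaded ?? "<not set>") + "'.");
            }

            X509Certificate2 cert = found[0];
            if (DateTime.Now > cert.NotAfter)
                throw new InvalidOperationException("Certificate " + normalized + " has expired.");
            if (!cert.HasPrivateKey) // assumption: the app signs or decrypts with it
                throw new InvalidOperationException("Certificate " + normalized + " has no private key.");
            return cert;
        }
    }
}
```

Calling this once at startup and failing with these messages makes a missing or unlisted certificate visible immediately, instead of surfacing later as the generic cryptographic error.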
After fixing the web.config and making sure we loaded the right certificate(s), the site started working. Hope it does for you too! 😄