Root Cause Analysis for CryptographicException error

This post has been republished via RSS; it originally appeared at: IIS Support Blog articles.

IIS may log CryptographicException (The data is invalid) error if a cookie is empty and corrupt. If the issue is intermittent, an immediate solution may not be needed. However, a root cause analysis can provide valuable information and prevent the issue occurring again in the future.


Here is the error message in Event Viewer:

Event code: 3005
Exception type: CryptographicException
Exception message: The data is invalid.


It’s a good idea to check application specific logs as well. In my case, the application logs showed record below.


2019-01-26 08:56:28 AM ERROR: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API. If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false.


Root Cause Analysis

Considering the environment and issue story, the issue occurred possibly because of an empty or corrupt cookie. Since IIS doesn’t log the cookie information by default, It is not possible to tell which cookie it was.

Why a cookie becomes empty or corrupt? Possible reasons:

  • Network issues
  • Closing the browser before the request is prepared
  • Browser crash



Having “Load User Profile” parameter set to “False” may cause CryptographicException (The data is invalid) error.




Additionally, I would recommend checking Unprotect function which mentioned in the stack trace. This function takes 3 parameters. One of them is causing this error because of an invalid input. The parameter with the issue is most likely the first one (encryptedData). Somehow, the input that was provided to this function was not in the correct format when the issue occured. You may want to debug your source code to find out possible causes.

System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope)


Future occurrences

For better troubleshooting the next time, you may want to enable extra logging features:

  • Failed Request Tracing for 302 errors
  • Cookie logging (IIS > Website > Logging > Select Fields > Cookie (cs(Cookie))



Be aware that both of these features may cause high CPU load. It’s better to monitor the resource usage for a while after enabling them.

REMEMBER: these articles are REPUBLISHED. Your best bet to get a reply is to follow the link at the top of the post to the ORIGINAL post! BUT you're more than welcome to start discussions here:

This site uses Akismet to reduce spam. Learn how your comment data is processed.