SharePoint 2013 - Machine decryption key is invalid.

When we browse SharePoint Central Administration, we get the following error:

An unexpected error has occurred.

We will consider the case resolved once we can successfully browse the SharePoint Central Administration site.

Hopefully the information below will help a few of us.

Open IIS Manager --> Expand Sites --> Right-click the appropriate site and select Explore

Note: In our case this is the SharePoint Central Administration web application.

Within the Web.config file, set the following (CallStack is an attribute of the existing <SafeMode> element):

<SafeMode ... CallStack="true" ...>

<customErrors mode="Off"/>

Note: After saving the changes to the web.config file, an IISRESET is not required.

Browse the Central Administration site again and we see the following error:

Server Error in '/' Application

Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: Machine decryption key is invalid. It should be either "AutoGenerate", or 16 (for DES) or 48 (for 3DES and AES) Hex chars long, and may be followed by ",IsolateApps". Exception message from the underlying layer: Specified key is not a valid size for this algorithm.

Line 609: </transformers>

Line 610: </webParts>

Line 611: <machineKey validationKey="396FF381F6195D9D2CC839F84C1959B4BD39F8F319E41A3EAE8C9434EADBE52D" decryptionKey="057D241959C0054D7BCBF4B98A5494BA3E13E64CF6C5594A46C6E9D5E7B2C531" validation="HMACSHA256" />

Line 612: <sessionState mode="InProc" timeout="20" cookieless="UseCookies" />

Line 613: <roleManager>

Workaround:

Comment out the following line in the Web.config file:

<!-- <machineKey validationKey="396FF381F6195D9D2CC839F84C1959B4BD39F8F319E41A3EAE8C9434EADBE52D" decryptionKey="057D241959C0054D7BCBF4B98A5494BA3E13E64CF6C5594A46C6E9D5E7B2C531" validation="HMACSHA256" /> -->

After this, we browsed the SharePoint Central Administration site and it worked fine.

Root Cause:

This happens because SharePoint configures machineKey in the web.config for its sites with validation set to HMACSHA256, which requires a 256-bit key (64 hexadecimal characters, 32 bytes), but does not explicitly set the decryption value. This also assumes that machineKey is not configured at a higher level (and is using the defaults).

Our issue is that the site's configuration takes the validationKey, decryptionKey, and validation values from the site's web.config, but takes the decryption value from the machine.config. The machine.config decryption value is 3DES, which requires a 192-bit key (48 hexadecimal characters, 24 bytes), whereas HMACSHA256 requires a 256-bit key (64 hexadecimal characters, 32 bytes); hence we get an error.

When a SharePoint 2013 web application is provisioned, it compiles the web.config file with reference to the machine.config file located under

C:\windows\Microsoft.NET\Framework64\v4.0.30319\Config

Open the machine.config file and search for machineKey validationKey; you will find the following:

<machineKey validationKey="C3FB30BE3696CC2C8ECD85B44D172442AADE8B86254025E54F1E66F16976D3A719CFE19A6E4F35901C1DFE2C72A4E69B4ECD17E2C44FEF0ACFAFD4BA6EB43D25" decryptionKey="AC7A658BD7D6C00045D9C48D8C13FBB40F2DE1941117E04E" validation="SHA1" decryption="3DES"/>

Note: Pre-built framework web applications often hard-code the <machineKey> validationKey and decryptionKey values. The main reason is to support web farms, because forms authentication, view state and out-of-process session state all use these settings for security.
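The mismatch described under Root Cause can be checked before a site is browsed. The following is an added example, not code from the original post or from SharePoint: it merges the machineKey attributes of a parent config and a site web.config attribute by attribute and checks the decryptionKey length against the effective decryption algorithm. The function names and the sample XML are assumptions, and the key values are constructed placeholders with the same lengths as the ones on this page.

```python
import re
import xml.etree.ElementTree as ET

# Key lengths in hex characters per decryption algorithm. The DES and 3DES
# values are the ones named in the parser error; the AES values are the
# standard 128/192/256-bit AES key sizes.
VALID_HEX_LENGTHS = {"DES": {16}, "3DES": {48}, "AES": {32, 48, 64}}

def machine_key_attrs(config_xml):
    """Return the attributes of the first <machineKey> element, or {}."""
    node = ET.fromstring(config_xml).find(".//machineKey")
    return dict(node.attrib) if node is not None else {}

def effective_machine_key(parent_xml, site_xml):
    """Merge attribute by attribute: the site value wins, gaps are inherited."""
    merged = machine_key_attrs(parent_xml)
    merged.update(machine_key_attrs(site_xml))
    return merged

def check_decryption_key(attrs):
    """Return a list of problems with decryptionKey for the effective algorithm."""
    key = attrs.get("decryptionKey", "AutoGenerate")
    key = re.sub(r",IsolateApps$", "", key)
    if key == "AutoGenerate":
        return []
    algorithm = attrs.get("decryption", "Auto")
    if not re.fullmatch(r"[0-9A-Fa-f]+", key):
        return ["decryptionKey is not hexadecimal"]
    allowed = VALID_HEX_LENGTHS.get(algorithm)
    if allowed is None:
        return []  # "Auto" or a custom algorithm: length rule not modelled here
    if len(key) not in allowed:
        return [f"decryptionKey is {len(key)} hex chars, but decryption={algorithm} "
                f"needs {sorted(allowed)}"]
    return []

# Constructed samples with the same attribute layout and key lengths as the
# page's machine.config and site web.config (key values are placeholders).
PARENT = ('<configuration><system.web><machineKey validationKey="%s" '
          'decryptionKey="%s" validation="SHA1" decryption="3DES"/>'
          '</system.web></configuration>' % ("A" * 128, "B" * 48))
SITE = ('<configuration><system.web><machineKey validationKey="%s" '
        'decryptionKey="%s" validation="HMACSHA256"/>'
        '</system.web></configuration>' % ("C" * 64, "D" * 64))
DEFAULT_PARENT = "<configuration><system.web/></configuration>"

if __name__ == "__main__":
    print(check_decryption_key(effective_machine_key(PARENT, SITE)))
    print(check_decryption_key(effective_machine_key(DEFAULT_PARENT, SITE)))
```

With the 3DES parent the 64-character site key is reported; with a parent that has no machineKey element (the defaults) nothing is reported.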

Solution:

As SharePoint 2013 uses .NET Framework 4.0, navigate to C:\windows\Microsoft.NET\Framework64\v4.0.30319\Config and comment out the following line:

<!-- <machineKey validationKey="C3FB30BE3696CC2C8ECD85B44D172442AADE8B86254025E54F1E66F16976D3A719CFE19A6E4F35901C1DFE2C72A4E69B4ECD17E2C44FEF0ACFAFD4BA6EB43D25" decryptionKey="AC7A658BD7D6C00045D9C48D8C13FBB40F2DE1941117E04E" validation="SHA1" decryption="3DES"/> -->

To update the root Web.config file:

Open IIS Manager --> Select the server name in Features View --> Click Machine Key and set the following (the default setting)

[Image: machinekey.jpg]