DevolutionsCryptoException - NativeError : Invalid Signature

Hi,

our DPS throws a lot of these messages.

What does it mean and how to solve it?

System:
DPS 2020.2.10.0
RDM 2020.2.19.0 (force by min-version)

Kind Regards
Markus

======================

All Comments (21)

Hello Markus,

Could you please expand the error message and post the detailed information you get for it?

Best regards,

Érica Poirier

Hi Erica,
there is nothing I can show you.

It's what our syslog-server gets and I compared it to the server-log in DPS-console and it shows the exact same information.
But the syslog you have to read from downside up, because every log-line gets presented as a syslog-entry ;-)

Kind Regards
Markus

======================

Hi Markus,

Could you please verify the version of the DevolutionsCrypto-x64.dll file located in the Bin folder of the DPS web application folder? Do you have version 0.5.2.0?

Best regards,

Érica Poirier

Hi Erica,

I checked both frontend-servers and I have:

Devolutions.Crypto.dll 0.5.2.0
DevolutionsCrypto-x64.dll 0.5.2.0
DevolutionsCrypto-x86.dll 0.5.2.0

Kind Regards
Markus

======================

Hello,

Thank you for the information. Let me check with the engineering team. I will get back to you once I get some answers about it.

Thank you for your patience.

Best regards,

Érica Poirier

Hello,

Those exception messages are displayed when DPS tries to decrypt data that is either not encrypted or encrypted with something else than the Devolutions.Crypto module.

This doesn't affect your data and the information is available without any problem.

You can disable the Log Debug Information option in Administration - Password Server Settings - Logging to not send these messages to your syslog server. But this will also stop sending any debug messages to your syslog.
https://helpserver.devolutions.net/webinterface_logging.html

Best regards,

Érica Poirier

Hi,

Disabling debug messages to syslog is no option for us.

Is any data corruption or data loss possible with this kind of message?

Kind Regards
Markus

======================

Hello,

No data corruption or data loss following those messages.

Is the information in the Data column encrypted in the Connections table, or can you still see XML information? This could be another reason why you get these messages.

Best regards,

Érica Poirier

Hi Erica,

Thank you for your hint.

The situation looks like this:

Normally all entries should show <?xml version....
But I have entries that show only encrypted data starting with DQw.......
These entries all seem to have been edited by one user, and if I open them and edit them they get "normal" again.

I don't understand how that was possible.
Do I have to edit every affected entry manually?

Kind Regards
Markus
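
The mixed state described in the post above (some Data values readable as `<?xml ...`, others as base64 starting with `DQw`) can be inventoried from an export before any key regeneration. This is an added example, not part of the original thread and not Devolutions code; it assumes that the two bytes the `DQw` prefix decodes to (0x0D 0x0C) mark an encrypted blob, and the sample rows and entry ids are constructed.

```python
import base64
import binascii
from collections import Counter

# Assumption: "DQw" decodes to the bytes 0x0D 0x0C, treated here as the marker
# of an encrypted value. The thread shows only the base64 prefix.
ASSUMED_SIGNATURE = base64.b64decode("DQw=")

def classify_data_value(value):
    """Classify one Data value as 'plaintext-xml', 'encrypted' or 'unknown'."""
    text = (value or "").strip()
    if text.startswith("<?xml"):
        return "plaintext-xml"
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return "unknown"  # neither XML nor well-formed base64
    return "encrypted" if raw.startswith(ASSUMED_SIGNATURE) else "unknown"

def triage(rows):
    """rows: iterable of (entry_id, data_value).

    Returns (counts per state, ids whose value lacks the assumed signature).
    The second list is the set of rows a decrypt attempt would reject.
    """
    counts = Counter()
    rejected = []
    for entry_id, data in rows:
        state = classify_data_value(data)
        counts[state] += 1
        if state != "encrypted":
            rejected.append(entry_id)
    return counts, rejected

# Constructed sample export: (hypothetical entry id, Data column value).
SAMPLE_ROWS = [
    ("entry-1", '<?xml version="1.0"?><Connection/>'),
    ("entry-2", base64.b64encode(ASSUMED_SIGNATURE + bytes(range(40))).decode()),
    ("entry-3", '<?xml version="1.0"?><Connection/>'),
    ("entry-4", "not base64 at all!"),
    ("entry-5", ""),
]

if __name__ == "__main__":
    counts, rejected = triage(SAMPLE_ROWS)
    for state, n in sorted(counts.items()):
        print(f"{state}: {n}")
    print("no signature:", ", ".join(rejected))
```
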

======================

Hello,

Thank you for the information.

It seems that for this user, the Encryption at REST is applied. Is he using the same RDM version as yours or is he using the DPS web interface?

To encrypt all your data in DPS, you can regenerate the encryption keys. We strongly recommend backing up the SQL database before encrypting the data.
https://helpserver.devolutions.net/management_encryptionkeys.html

Is your DPS instance deployed in a load balancing configuration (2 or more DPS instances connected on the same SQL database)?

Best regards,

Érica Poirier

Hi Erica,

Yes, it's my second domain user, so the same versions as I do.
I don't know where to activate/deactivate encryption at REST?

We are using DPS in LB-mode with 2 frontend-instances connected to the same sql-server.

Kind Regards
Markus

======================

Hi Markus,

To enable the encryption at REST, you will have to regenerate the encryption keys to encrypt the data in the database.
https://helpserver.devolutions.net/management_encryptionkeys.html

As you have 2 DPS instances connected to the same SQL database, it will be important, once you regenerate the encryption keys on the first instance, to transfer the EncryptionKeys.bin file to the second node to import them. Again, be sure to have a valid database backup before encrypting the data.

Best regards,

Érica Poirier

Hi Erica,

thank you.
I'll try to regenerate the encryption keys and get back to you by this thread for news.

Kind Regards
Markus

======================

Hi Markus,

Thank you for your feedback and let me know if you need assistance for regenerating the encryption keys!

Best regards,

Érica Poirier

Hi Erica,

I did regenerate the encryption keys and everything looks fine, I'm still able to access all entries.

I received another message, but I cannot weigh the relevance:

The following error was received by ME
at 22.09.2020 19:03:22

Error:

CryptographicException - The parameter is incorrect.
at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
at System.Security.Cryptography.RSACryptoServiceProvider.DecryptKey(SafeKeyHandle pKeyContext, Byte[] pbEncryptedKey, Int32 cbEncryptedKey, Boolean fOAEP, ObjectHandleOnStack ohRetDecryptedKey)
at System.Security.Cryptography.RSACryptoServiceProvider.Decrypt(Byte[] rgb, Boolean fOAEP)
at Devolutions.Server.ServerManager.RsaDecryptSessionKey(String safeSessionKey)

Source: mscorlib


Kind Regards
Markus

======================

And this one is new too, but I think not encryption related:

SqlException - The UPDATE statement conflicted with the FOREIGN KEY constraint "FK_DomainUsers_UserID". The conflict occurred in database "RDMSDB", table "dbo.UserAccount", column 'ID'.
The statement has been terminated.

at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString, Boolean isInternal, Boolean forDescribeParameterEncryption, Boolean shouldCacheForAlwaysEncrypted)
at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async, Int32 timeout, Task& task, Boolean asyncWrite, Boolean inRetry, SqlDataReader ds, Boolean describeParameterEncryptionRequest)
at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, TaskCompletionSource`1 completion, Int32 timeout, Task& task, Boolean& usedCache, Boolean asyncWrite, Boolean inRetry)
at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(TaskCompletionSource`1 completion, String methodName, Boolean sendToPipe, Int32 timeout, Boolean& usedCache, Boolean asyncWrite, Boolean inRetry)
at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()
at Devolutions.Server.DatabaseManager.ExecuteNonQuery(String sql, IEnumerable`1 parameters, CommandType commandType)
at Devolutions.Server.Managers.ADSync.DomainCacheDbManager.c942e4500a4073bc24a82f7ad123860a1(DomainUserInfo cd7615d3e848c79ea11acccb66301ec3e)

Kind Regards
Markus

======================

Hi Markus,

Indeed, this other message isn't related to the encryption but the Domain Users and Roles cache. Could you please try to reset it to see if this error message will come up again? Please reset the Domain in Administration - Reset Server Cache on the DPS web UI.
https://helpserver.devolutions.net/webinterface_resetcache.html

About the CryptographicException - The parameter is incorrect error message, I will ask an engineer and will get back to you soon.

Best regards,

Érica Poirier

Thanks Erica,

Reset of cache helped to get rid of this one message.

Will wait for your update on the CryptographicException...

Kind Regards
Markus

======================

Hello,

Allow me to jump in. Is the CryptographicException a recurring message?

The engineering team confirmed that this has nothing to do with the encryption at rest, but rather between the client (RDM or DPS WebUI) and the DPS web Application.
If it's not recurring, an error could have occurred once and we can hardly investigate this.

If it is recurring, we'll have to look deeper, and with your help we'll be able to identify what triggers this...

Thanks for letting me know!

Best regards,

Alex Belisle

Hi Alexandre,

I watched it for several days and CryptographicExceptions are now really rare after resetting server caches and reboot.

Especially the mentioned CryptoException did not occur anymore.

Thank you for your assistance.

Kind Regards
Markus

======================

Hello!

You're welcome, glad we could help!

Best regards,

Alex Belisle