
Padding is invalid and cannot be removed.

September 10th, 2009

I’ve been hunting an elusive error message for some time now.  Every now and then, one of my web applications will throw an error: “Padding is invalid and cannot be removed.”  It seemed to be random, and always linked to a web resource (AXD) file.  If I clicked the URL referenced in my Event Viewer message I would see the nasty Yellow Screen of Death.  But how in the world was it being generated?

I added more logging to my application events, and after some Googling I found this forum post:

When an application pool is recycled and the web.config doesn’t contain a machine key configuration setting, a new unique security identifier is generated to mask information regarding your web resource files.  If a request comes in after this recycle, IIS cannot decrypt it using the old security identifier and throws an error.

The solution is to generate a static machine key setting and save it in your web.config file.  Since the security identifier does not change, IIS can decrypt and serve the correct resource after an application pool recycle.

This page provides a simple way to generate the key / value pair, and even shows how to use it in your web.config.
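The fix described above can also be done locally, so the key never passes through a third-party page. The PowerShell below is an added example, not code from this post or from the linked generator: the function names are hypothetical, the sample configs are constructed, and the key sizes (64-byte validation key, 32-byte AES decryption key) are an assumed choice. Use `-Validation SHA1` on frameworks older than .NET 4.0, which do not accept `HMACSHA256`.

```powershell
# Hex-encode $Bytes bytes from the OS cryptographic random number generator.
function New-HexKey {
    param([Parameter(Mandatory)][int]$Bytes)
    $buf = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($buf) } finally { $rng.Dispose() }
    return -join ($buf | ForEach-Object { $_.ToString('X2') })
}

# Build a static <machineKey> element for the <system.web> section of web.config.
function New-MachineKeyElement {
    param([ValidateSet('SHA1', 'HMACSHA256')][string]$Validation = 'HMACSHA256')
    $validationKey = New-HexKey -Bytes 64   # 128 hex characters
    $decryptionKey = New-HexKey -Bytes 32   # 64 hex characters (AES-256)
    return ('<machineKey validationKey="{0}" decryptionKey="{1}" ' +
            'validation="{2}" decryption="AES" />') -f `
            $validationKey, $decryptionKey, $Validation
}

# Return $true only when the config pins both keys to static values.
# A missing element or an "AutoGenerate" value means the keys can change
# underneath URLs that were already issued.
function Test-StaticMachineKey {
    param([Parameter(Mandatory)][xml]$Config)
    $mk = $Config.SelectSingleNode('/configuration/system.web/machineKey')
    if (-not $mk) { return $false }
    foreach ($name in 'validationKey', 'decryptionKey') {
        $value = $mk.GetAttribute($name)
        if ([string]::IsNullOrEmpty($value) -or $value -like 'AutoGenerate*') {
            return $false
        }
    }
    return $true
}

# Constructed sample configs: one without a machineKey, one with the new element.
$element = New-MachineKeyElement
$before  = [xml]'<configuration><system.web /></configuration>'
$after   = [xml]"<configuration><system.web>$element</system.web></configuration>"

Write-Output $element
Write-Output ("static key before: {0}" -f (Test-StaticMachineKey -Config $before))
Write-Output ("static key after:  {0}" -f (Test-StaticMachineKey -Config $after))
```

The generated element is a secret: anyone who holds it can decrypt and forge the values it protects, so keep it out of public source control and paste logs.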
