## FormsAuthentication.Decrypt: "Error occurred during a cryptographic operation" (CryptographicException)

```xml
<configuration>
  <system.web>
    <machineKey
      validationKey="4BD24FACB40328C908CB83BD95FCB80C6DBBDAED3914A1CB2B5938601187142F2BD89C211F5F2CDD70D26A7BDB5E939576EB12A3297645F6BE099D3192258409"
      decryptionKey="A68B71A88B6939904765DA47B086803F1777D2C6E3DB899DF7A67AC518C3258A"
      validation="SHA1"
      decryption="AES" />
  </system.web>
</configuration>
```


The `<machineKey>` element has four attributes:

| Attribute | Description |
| --- | --- |
| decryption | An algorithm which performs encryption and decryption using a symmetric key. |
| decryptionKey | A hex string specifying the key used by instances of the decryption algorithm. |
| validation | An algorithm which generates a message authentication code over some payload. |
| validationKey | A hex string specifying the key used by instances of the validation algorithm. |

key-format = (hex-string | ("AutoGenerate" [",IsolateApps"] [",IsolateByAppId"]))

• IsolateApps – The runtime uses the value of HttpRuntime.AppDomainAppVirtualPath to transform the auto-generated key. If multiple applications are hosted on the same port in IIS, the virtual path is sufficient to differentiate them.
• IsolateByAppId – The runtime uses the value of HttpRuntime.AppDomainAppId to transform the auto-generated key. If two distinct applications share a virtual path (perhaps because those applications are running on different ports), this flag can be used to further distinguish them from one another. The IsolateByAppId flag is understood only by ASP.NET 4.5, but it can be used regardless of the compatibilityMode setting (which will be introduced in tomorrow’s post).

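When decryptionKey and validationKey are set to any of the following three forms, decryption fails after the site is restarted; it only works when both are set to a fixed hex-string.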

• validationKey="AutoGenerate" decryptionKey="AutoGenerate"
• validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps"
• validationKey="AutoGenerate,IsolateByAppId" decryptionKey="AutoGenerate,IsolateByAppId"
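
One way to check a web.config for this condition, as an added example (not code from the original page): a Python linter that applies the key-format grammar above to the `<machineKey>` element and reports any key that is not a fixed hex-string. The function names and both sample configs are constructed for illustration, and the AES key-length check goes beyond what the page states.

```python
import re
import xml.etree.ElementTree as ET

# key-format = (hex-string | ("AutoGenerate" [",IsolateApps"] [",IsolateByAppId"]))
AUTO_RE = re.compile(r"^AutoGenerate(,IsolateApps)?(,IsolateByAppId)?$")
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")   # whole bytes only
AES_HEX_LENGTHS = {32, 48, 64}                   # AES-128/192/256 keys
DEFAULT_KEY = "AutoGenerate,IsolateApps"         # ASP.NET default when the attribute is absent

def classify_key(value):
    """Return 'auto', 'fixed' or 'invalid' according to the key-format grammar."""
    if AUTO_RE.match(value):
        return "auto"
    if HEX_RE.match(value):
        return "fixed"
    return "invalid"

def lint_machine_key(web_config_xml):
    """Return findings for <machineKey>; an empty list means both keys are fixed."""
    root = ET.fromstring(web_config_xml)
    mk = next(root.iter("machineKey"), None)
    attrs = mk.attrib if mk is not None else {}
    findings = []
    for name in ("validationKey", "decryptionKey"):
        value = attrs.get(name, DEFAULT_KEY)
        kind = classify_key(value)
        if kind == "auto":
            findings.append(f"{name}: {value} is auto-generated, not a fixed hex-string")
        elif kind == "invalid":
            findings.append(f"{name}: value does not match key-format")
        elif (name == "decryptionKey" and attrs.get("decryption") == "AES"
              and len(value) not in AES_HEX_LENGTHS):
            findings.append("decryptionKey: AES needs 32, 48 or 64 hex characters")
    return findings

# Constructed sample configs (placeholder keys, not real secrets).
TEMPLATE = ('<configuration><system.web><machineKey validationKey="{v}" '
            'decryptionKey="{d}" validation="SHA1" decryption="AES" />'
            '</system.web></configuration>')
FIXED = TEMPLATE.format(v="AB" * 64, d="CD" * 32)
AUTO = TEMPLATE.format(v="AutoGenerate,IsolateApps", d="AutoGenerate,IsolateApps")

if __name__ == "__main__":
    for label, cfg in (("fixed", FIXED), ("auto", AUTO)):
        print(label, lint_machine_key(cfg) or "OK")
```
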