I’m hosting six .NET Core 8 web apps under a single Azure Web App instance. None of the apps explicitly configure the data protection API using `services.AddDataProtection()`, so they all default to using `C:\home\ASP.NET\DataProtection-Keys` for storing data protection keys.

I have identified the active key file in the directory by checking the `activationDate` and `expirationDate` elements. Despite this setup, all apps regularly log a `System.Security.Cryptography.CryptographicException` to Azure Application Insights approximately every five minutes.

```
System.Security.Cryptography.CryptographicException:
   at Microsoft.AspNetCore.DataProtection.Cng.CbcAuthenticatedEncryptor.DecryptImpl (Microsoft.AspNetCore.DataProtection, Version=6.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60)
   at Microsoft.AspNetCore.DataProtection.Cng.Internal.CngAuthenticatedEncryptorBase.Decrypt (Microsoft.AspNetCore.DataProtection, Version=6.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore (Microsoft.AspNetCore.DataProtection, Version=6.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect (Microsoft.AspNetCore.DataProtection, Version=6.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60)
   at Microsoft.AspNetCore.Session.CookieProtection.Unprotect (Microsoft.AspNetCore.Session, Version=6.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60)
```

I have:
- Confirmed all apps access the same key file.
- Looked for file access issues or permissions problems.
- Checked Azure diagnostics for any related issues without success.
Questions:
- How can I further diagnose the cause of this exception based on my current configuration?
- Are there recommended changes to the configuration that might resolve these frequent exceptions?
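
The manual check the post describes (reading `activationDate` and `expirationDate` from each key file) can be scripted so the whole key ring is listed at once. This is an added example, not part of the original post and not the framework's own key-selection logic; the function names are hypothetical, and the sample documents are constructed, with made-up ids and dates and the descriptor element omitted.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from pathlib import Path

_TS = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?(Z|[+-]\d\d:\d\d)")

def parse_ts(text):
    """Parse timestamps as .NET writes them (up to 7 fractional digits, 'Z' suffix)."""
    m = _TS.fullmatch((text or "").strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    base, frac, tz = m.groups()
    frac = (frac or "0")[:6].ljust(6, "0")  # datetime stores microseconds only
    return datetime.fromisoformat(f"{base}.{frac}{'+00:00' if tz == 'Z' else tz}")

def parse_key(xml_bytes):
    """Return the id and validity window from one key-*.xml document."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "key":
        raise ValueError(f"not a key file (root element {root.tag!r})")
    return {"id": root.get("id"),
            "activation": parse_ts(root.findtext("activationDate")),
            "expiration": parse_ts(root.findtext("expirationDate"))}

def active_keys(keys, now):
    """Keys whose window contains `now`, most recently activated first."""
    live = [k for k in keys if k["activation"] <= now < k["expiration"]]
    return sorted(live, key=lambda k: k["activation"], reverse=True)

def scan(directory):
    """Parse every key-*.xml in a directory supplied by the caller."""
    return [parse_key(p.read_bytes()) for p in sorted(Path(directory).glob("key-*.xml"))]

def _sample(n, act, exp):
    # Constructed sample document: made-up id and dates, descriptor omitted.
    return (f'<?xml version="1.0" encoding="utf-8"?><key id="sample-{n}" version="1">'
            f"<activationDate>{act}</activationDate>"
            f"<expirationDate>{exp}</expirationDate></key>").encode()

SAMPLES = [
    _sample(1, "2024-01-03T10:00:00.1234567Z", "2024-04-02T10:00:00.1234567Z"),
    _sample(2, "2024-03-31T10:00:00.7654321Z", "2024-06-29T10:00:00.7654321Z"),
]

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for k in active_keys([parse_key(s) for s in SAMPLES], now):
        print(k["id"], k["activation"].isoformat(), k["expiration"].isoformat())
```

In the constructed samples the two windows overlap, so more than one key can be inside its validity window at the same moment; call `scan()` with the key directory to list the real files the same way.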