machineKey - ASP.NET Application Requirement on our Web Farm

By default ASP.NET settings ensure that forms authentication tickets are tamper proof and encrypted, and that ViewState is tamper proof. This ensures that any modification of the ViewState or authentication tickets either on the client's computer or over the network is detected when the server processes the data.

If your application is installed on a web farm, you need to change the validationKey from AutoGenerate, IsolateApps to a specific manually generated key value.

MaxESP is a web farm, so customers are required to set this key. MaximumASP will not set a common machineKey, because that would be insecure: all applications would use the same key. However, this will be one of the most common issues new users experience when using MaxESP for ASP.NET application hosting.

Here is a great article for a full overview on how this works, and ways to use the machineKey to support your applications.

There are a few ways to create your own keys, which we will list below.

Use your Control Panel
This is the easiest method. After creating a Shared Web Site, simply click on the Generate a unique machine key link:

From here you will get a snippet of code to include in your web.config. Place it within the <system.web> section, and make sure it replaces any machineKey element that might already be in your code. We have seen some application vendors auto-populate this for your convenience. Using such a default key may open you to potential vulnerability; it is always best practice to create one unique to you.

Write the Code Yourself

The section on web farm deployment considerations in the link above contains some sample C# and VB code for generating your own machine keys.
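One way to generate explicit keys and to check whether a machineKey element still relies on the auto-generated default, as an added C# example that is not MaximumASP's code or the linked article's sample. The class name MachineKeyTool, the SHA1/AES algorithm choice and the 64-byte and 32-byte key lengths are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Xml.Linq;

static class MachineKeyTool   // hypothetical name, not from the article
{
    // Hex-encode byteCount bytes from the OS cryptographic RNG (never System.Random).
    static string RandomHex(int byteCount)
    {
        var buffer = new byte[byteCount];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(buffer);
        return BitConverter.ToString(buffer).Replace("-", "");
    }

    // Assumed settings: SHA1 validation with a 64-byte key, AES decryption with a 32-byte key.
    public static XElement Generate()
    {
        return new XElement("machineKey",
            new XAttribute("validationKey", RandomHex(64)),
            new XAttribute("decryptionKey", RandomHex(32)),
            new XAttribute("validation", "SHA1"),
            new XAttribute("decryption", "AES"));
    }

    // True only when both keys are explicit hex strings, so every farm node uses the same value.
    public static bool IsExplicit(XElement machineKey)
    {
        return new[] { "validationKey", "decryptionKey" }.All(name =>
        {
            var value = (string)machineKey.Attribute(name);
            return !string.IsNullOrEmpty(value)
                && value.Length % 2 == 0
                && value.All(Uri.IsHexDigit);
        });
    }

    static void Main()
    {
        var generated = Generate();
        Console.WriteLine(generated);   // paste inside <system.web>

        // Constructed sample: the default setting that must be replaced on a web farm.
        var byDefault = XElement.Parse(
            "<machineKey validationKey=\"AutoGenerate,IsolateApps\" decryptionKey=\"AutoGenerate,IsolateApps\" />");
        Console.WriteLine("generated explicit: " + IsExplicit(generated));
        Console.WriteLine("default explicit:   " + IsExplicit(byDefault));
    }
}
```

Generate the keys once and deploy the same element everywhere the application runs; treat the resulting web.config as a secret, since anyone holding the keys can forge ViewState and authentication tickets.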

If you have applications that run in different application domains (sites or application roots) then you might want to read the section on Sharing Authentication Tickets Across Applications. This allows you to use your own defined keys to protect your applications from other customers on the same web server as well as securely share the tickets across your own applications.

Let IIS Manager Do It For You

Use the following steps to generate the keys:
  1. Select a website or your site after you make a connection to our server farm
  2. Select the MachineKey module in the Application Development category
  3. In the right hand pane select the option Generate Keys
  4. In the right hand pane select the Apply action
  5. Navigate to the root of the website content
  6. Locate the web.config
  7. Open the file and find the section <machineKey/> which should be in the <system.web/> section

Copy this string, and make sure to include this in your application configuration file.

If you deploy your application to our web farm and use a provided wizard to set up the application, it may use the autogenerated machineKey to set the hash value for the password. You need to set the machineKey section before setting up your application.

Article ID: 636, Created On: 6/15/2009, Modified: 8/14/2009
