Adding machineKey to web config on web-farm sites

Question

We  our IT partner really  recently changed some DNS for a web farmed site we have  so that the two production server have round-robin DNS switching between them  Prior to this switch we didn t really have problems with WebResource axd files  Since the switch  when we hit the live public URL  we get an error   CryptographicException Padding is invalid and cannot be removed   When we hit the specific servers themselves  they load fine  I ve researched the issue and it seems since they re sharing assets between two servers  we need to have a consistent machineKey in the web config for each server so they can encrypt and decrypt consistently between the two  My questions are   Can I generate a machineKey via a tool on the server  or do I need to write code to do this  Do I just need to add the machineKey to the web config on each server or do you think I ll need to do anything else to make the two server work together   Both web config s currently do not have a machineKey

User · Answer

If you are using IIS 7 5 or later you can generate the machine key from IIS and save it directly to your web config  within the web farm you then just copy the new web config to each server   Open IIS manager  If you need to generate and save the MachineKey for all your applications select the server name in the left pane  in that case you will be modifying the root web config file  which is placed in the  NET framework folder   If your intention is to create MachineKey for a specific web site application then select the web site   application from the left pane  In that case you will be modifying the web config file of your application  Double-click the Machine Key icon in ASP NET settings in the middle pane  MachineKey section will be read from your configuration file and be shown in the UI  If you did not configure a specific MachineKey and it is generated automatically you will see the following options  Now you can click Generate Keys on the right pane to generate random MachineKeys  When you click Apply  all settings will be saved in the web config file   Full Details can be seen   Easiest way to generate MachineKey     Tips and tricks  ASP NET  IIS and  NET development

User · Answer

This should answer   How To  Configure MachineKey in ASP NET 2 0 - Web Farm Deployment Considerations     Web Farm Deployment Considerations      If you deploy your application in a Web farm  you must ensure that the   configuration files on each server share the same value for   validationKey and decryptionKey  which are used for hashing and   decryption respectively  This is required because you cannot guarantee   which server will handle successive requests       With manually generated key values  the  settings should   be similar to the following example    lt machineKey   validationKey  21F090935F6E49C2C797F69BBAAD8402ABD2EE0B667A8B44EA7DD4374267A75D7                AD972A119482D15A4127461DB1DC347C1A63AE5F1CCFAACFF1B72A7F0A281B          decryptionKey  ABAA84D7EC4BB56D75D217CECFFB9628809BDB8BF91CFCD64568A145BE59719F  validation  SHA1  decryption  AES    gt        If you want to isolate your application from other applications on the   same server  place the  in the Web config file for each   application on each server in the farm  Ensure that you use separate   key values for each application  but duplicate each application s keys   across all servers in the farm    In short  to set up the machine key refer the following link  Setting Up a Machine Key - Orchard Documentation      Setting Up the Machine Key Using IIS Manager      If you have access to the IIS management console for the server where   Orchard is installed  it is the easiest way to set-up a machine key       Start the management console and then select the web site  Open the   machine key configuration          The machine key control panel has the following settings             Uncheck  Automatically generate at runtime  for both the validation   key and the decryption key       Click  Generate Keys  under  Actions  on the right side of the panel       Click  Apply     and add the following line to the web config file in all the webservers under system web tag if it does not exist    lt machineKey       validationKey  21F0SAMPLEKEY9C2C797F69BBAAD8402ABD2EE0B667A8B44EA7DD4374267A75D7                    AD972A119482D15A4127461DB1DC347C1A63AE5F1CCFAACFF1B72A7F0A281B                 decryptionKey  ABAASAMPLEKEY56D75D217CECFFB9628809BDB8BF91CFCD64568A145BE59719F      validation  SHA1      decryption  AES    gt    Please make sure that you have a permanent backup of the machine keys and web config file

User · Answer

Make sure to learn from the padding oracle asp net vulnerability that just happened  you applied the patch  right       and use protected sections to encrypt the machine key and any other sensitive configuration   An alternative option is to set it in the machine level web config  so its not even in the web site folder   To generate it do it just like the linked article in David s answer

[asp.net] Adding machineKey to web.config on web-farm sites

Examples related to asp.net

Examples related to web-config

Examples related to load-balancing

Examples related to web-farm

Examples related to machinekey