Generating Machine key's Validation key and Decryption key pair using IIS7

In ASP.NET, the machine key is used to encrypt and decrypt forms authentication cookies, and you can use it to encrypt view state as well.

For high-traffic websites, and to keep a production website up almost 100% of the time, you may have more than one production server hosting the same application. This produces a very interesting scenario. Let's assume a user requests a page and server 1 responds with an authentication cookie. Server 1 then gets busy serving other requests. The same user requests another page, sending the authentication cookie from the previous request, and because server 1 is busy the request is redirected to server 2. When server 2 receives the request and tries to decrypt the cookie using its own machine key (which is different from server 1's, because it is unique and auto-generated), it fails, because it does not have the key with which the cookie was originally encrypted. To resolve this, we can give all production servers the same machine key:

Server 1:

<machineKey validationKey="4E19A23AC3ACDE43020752E97CC4D1DC85BEE285180443B4ECF710145E94DDD3F511976399A8B43EB64B96CB1A04043DFA6CB56CEDBC72931F76C32E12EBBD44"
            decryptionKey="253FBA9EC2E8FB7BC5C6E7BA144431866CBAAAE696556FEC" validation="SHA1" />


Server 2:

<machineKey validationKey="4E19A23AC3ACDE43020752E97CC4D1DC85BEE285180443B4ECF710145E94DDD3F511976399A8B43EB64B96CB1A04043DFA6CB56CEDBC72931F76C32E12EBBD44"
            decryptionKey="253FBA9EC2E8FB7BC5C6E7BA144431866CBAAAE696556FEC" validation="SHA1" />

Note: These keys are just for demo purposes. Follow the article to see how you can generate your own for production use.

The scenario explained above is known as a web farm.

This is one scenario, but there are others in which you may want to set the same machine key in the web.config files of different applications, such as a web garden or single sign-on for multiple applications.

Now the question is: How do we generate this key pair?

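There are many answers to this question. For example, you can generate the keys programmatically (using .NET's System.Security.Cryptography to generate random numbers and converting them to hex digits to produce the keys).

But we will solve this with a tool that is available to almost all of us: IIS7. So let's explore how to do it:

Open Control Panel -> Administrative Tools -> Internet Information Services (IIS) Manager (as shown below)

Select the server node in the Connections pane on the left side of the window: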

Open your control panel -> Administrative tools -> Internet Information Services Manager (as shown below)

Select Server node from connection located on left side of window:


Now double-click the Machine Key icon:

You should now see the properties for Machine Key. (Note: we are not changing how the web root generates its key. We will only make changes in order to generate a key pair, and then cancel all the changes to revert the web root back to its defaults.)

In the validation key section and the decryption key section, uncheck all checkboxes (as shown below)

From the Actions pane on the right-hand side, click Generate Keys:


This will generate a new pair of validation and decryption keys in the Machine Key section.

Just copy these keys, then discard all the changes in the current window by clicking Cancel in the Actions pane. This restores all the defaults, and the checkboxes return to their selected state.
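
The programmatic route mentioned earlier, shown as an added example that is not part of the original article: it draws both keys from .NET's RandomNumberGenerator with the same lengths as the demo element above, and checks an element before it is copied to the servers. The function names are hypothetical, and Windows PowerShell 5.1 or later is assumed.

```powershell
# Added example, not from the article. Assumes Windows PowerShell 5.1 or later.
# Key sizes mirror the article's demo element: 64-byte validationKey, 24-byte decryptionKey.

function New-HexKey {
    param([Parameter(Mandatory)][ValidateRange(16, 64)][int]$ByteLength)
    $bytes = New-Object byte[] $ByteLength
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }   # CSPRNG, not Get-Random
    # Two uppercase hex digits per byte, no separators
    return -join ($bytes | ForEach-Object { $_.ToString('X2') })
}

function New-MachineKeyElement {
    $validationKey = New-HexKey -ByteLength 64
    $decryptionKey = New-HexKey -ByteLength 24
    return '<machineKey validationKey="{0}" decryptionKey="{1}" validation="SHA1" />' -f `
        $validationKey, $decryptionKey
}

# Hypothetical helper: sanity-check an element before it goes into every server's web.config.
function Test-MachineKeyElement {
    param([Parameter(Mandatory)][string]$Element)
    # Start of the demo validationKey printed in this article; it is public, so never deploy it.
    $demoPrefix = '4E19A23AC3ACDE43'
    $node = ([xml]$Element).DocumentElement
    $validationKey = $node.GetAttribute('validationKey')   # exact-case lookup
    $decryptionKey = $node.GetAttribute('decryptionKey')
    $problems = @()
    # Element and attribute names in ASP.NET configuration are case-sensitive.
    if ($node.LocalName -cne 'machineKey')          { $problems += 'element name must be exactly machineKey' }
    if ($validationKey -notmatch '^[0-9A-Fa-f]{128}$') { $problems += 'validationKey is not 128 hex digits' }
    if ($decryptionKey -notmatch '^[0-9A-Fa-f]{48}$')  { $problems += 'decryptionKey is not 48 hex digits' }
    if ($validationKey -like "$demoPrefix*")           { $problems += 'validationKey is the published demo key' }
    return $problems
}

$element = New-MachineKeyElement
$element                                    # paste this element into <system.web> on each server
Test-MachineKeyElement -Element $element    # no output means no problems were found
```

Run it once and copy the same element to every server in the farm; running it separately on each server would recreate the mismatch described at the start.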
