In a Web farm, each client request can go to a different
machine on every postback. Because of this behavior, you cannot leave the validationKey
attribute set to AutoGenerate in the Machine.config file. Instead, you must set
the value of the validationKey attribute to a fixed string that is shared by
all the machines on the Web farm.
Generate Machine Key Elements for Web Farm
The <machineKey> element configures the keys used for
encryption and decryption of forms authentication cookie data and view state
data, and for verification of out-of-process session state identification.
Here is an example of the configuration structure for the element:
Listing 1
<configuration>
    <system.web>
        <machineKey validationKey="AutoGenerate|value[,IsolateApps]"
                    decryptionKey="AutoGenerate|value[,IsolateApps]"
                    validation="SHA1|MD5|3DES"/>
    </system.web>
</configuration>
The validationKey attribute specifies the key used for
validation of encrypted data. The validationKey is used when enableViewStateMAC
is true to create a message authentication code (MAC) to ensure that the view
state has not been tampered with. The validationKey is also used to generate
out-of-process, application-specific session IDs to ensure that the session
state variables are isolated between sessions.
The keys created will be used for the validationKey and the decryptionKey
attributes of the <machineKey> section in the <system.web> element
in the Machine.config and the Web.config files.
Create the project
1. Start Microsoft Visual Studio .NET.
2. On the File menu, point to New and then click Project.
3. In the Project Types area, click Visual Basic Projects.
4. In the Templates area, click Console Application.
5. In the Name text box, type GenerateKey and then click OK.
Write the code to generate the keys
In this program we will pass two parameters as command line
arguments. The first argument is the number of bytes that will be used to
generate decryption key and the second argument is the number of bytes used to
generate the validation key.
The code uses a random number generator to create a random
number of bytes based on the command-line arguments. After the random bytes are
created, the bytes are formatted into a hexadecimal string that is suitable for
use in the .config files.
1. Add a new class file named KeyCreator to your Visual Basic project.
2. Replace the existing code in the KeyCreator.vb file with the following
code:
Listing 2
Imports System
Imports System.Text
Imports System.Security.Cryptography

Namespace Crypto
    Public Class KeyCreator
        ' Reads the two byte counts from the command line and prints a
        ' ready-to-paste <machineKey> element.
        Public Sub CreateMachineKey()
            Dim commandLineArgs As String()
            ' Element 0 is the executable path; elements 1 and 2 are the user's arguments.
            commandLineArgs = System.Environment.GetCommandLineArgs()
            If commandLineArgs.Length < 3 Then
                Console.WriteLine("Usage: GenerateKey <decryptionKeyBytes> <validationKeyBytes>")
                Return
            End If
            Dim decryptionKey As String
            decryptionKey = CreateKey(System.Convert.ToInt32(commandLineArgs(1)))
            Dim validationKey As String
            validationKey = CreateKey(System.Convert.ToInt32(commandLineArgs(2)))
            Console.WriteLine( _
                "<machineKey validationKey=""{0}"" decryptionKey=""{1}"" validation=""SHA1""/>", _
                validationKey, decryptionKey)
        End Sub

        ' Fills numBytes bytes from the cryptographic RNG and returns them as hex.
        Public Function CreateKey(ByVal numBytes As Integer) As String
            Dim rng As RNGCryptoServiceProvider = New RNGCryptoServiceProvider()
            Dim buff(numBytes - 1) As Byte   ' VB array bounds are inclusive: numBytes elements
            rng.GetBytes(buff)
            Return BytesToHexString(buff)
        End Function

        ' Formats each byte as two upper-case hexadecimal digits.
        Public Function BytesToHexString(ByVal bytes As Byte()) As String
            Dim hexString As StringBuilder = New StringBuilder(64)
            Dim counter As Integer
            For counter = 0 To bytes.Length - 1
                hexString.Append(String.Format("{0:X2}", bytes(counter)))
            Next
            Return hexString.ToString()
        End Function
    End Class
End Namespace
3. Open the Module1.vb file that is created by default and then add the
following code in the Main subroutine.
Listing 3
Dim MyKeyCreator As New Crypto.KeyCreator()
MyKeyCreator.CreateMachineKey()
4. Save the application.
5. Build the application.
Generate the hashes
Run the application from a command prompt, passing in
two integer values that are the sizes in bytes of the decryption and the validation keys.
If you named the console application GenerateKey.exe, type the following
at the command prompt in the Bin directory of the application: GenerateKey.exe
24 64.
The application should return output that is similar to the
following:
Listing 4
<machineKey validationKey="08CE6B478DCE73..........E566D8AC5D1C045BA60"
decryptionKey="4252D6B2268.........67F451CE65D0F2ABE9BCD3A"
validation="SHA1"/>
Note: Because the code uses a random number generator, the
output is different each time.
Update the configuration file
1. Locate the Machine.config file.
2. Locate the <system.web> section in the
configuration file.
3. Replace the <machineKey> section with the output
from the console application. If the <machineKey> section does not exist,
create it.
4. Save the configuration file.
5. Restart IIS on all servers in the Web farm for the
Machine.config changes to take effect.
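The same key generation, plus the check a farm administrator wants before restarting IIS (no AutoGenerate left behind, hex keys of the expected length, every server carrying the identical element), as an added example in Python that is not part of the original article. The sizes follow the article's example run (24-byte decryptionKey, 64-byte validationKey); the config strings are constructed here for illustration.

```python
import os
import re
import xml.etree.ElementTree as ET

# Sizes from the article's example run: GenerateKey.exe 24 64
DECRYPTION_KEY_BYTES = 24   # key material for 3DES decryption
VALIDATION_KEY_BYTES = 64   # key material for the SHA1 view state MAC
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

def create_key(num_bytes):
    """Same as the article's CreateKey: random bytes as upper-case hex."""
    return os.urandom(num_bytes).hex().upper()

def machine_key_element(decryption_bytes=DECRYPTION_KEY_BYTES,
                        validation_bytes=VALIDATION_KEY_BYTES):
    """Build the element in the exact shape the VB program prints."""
    return ('<machineKey validationKey="{0}" decryptionKey="{1}" validation="SHA1"/>'
            .format(create_key(validation_bytes), create_key(decryption_bytes)))

def audit_machine_key(config_xml):
    """Findings for one server's <machineKey>; an empty list means it is farm-ready."""
    findings = []
    mk = ET.fromstring(config_xml).find("./system.web/machineKey")
    if mk is None:
        return ["no <machineKey> element: ASP.NET falls back to AutoGenerate"]
    for attr, hex_len in (("validationKey", VALIDATION_KEY_BYTES * 2),
                          ("decryptionKey", DECRYPTION_KEY_BYTES * 2)):
        value = mk.get(attr, "AutoGenerate")
        if value.split(",")[0] == "AutoGenerate":
            findings.append(f"{attr} is AutoGenerate: each machine gets its own key")
        elif not HEX_RE.match(value):
            findings.append(f"{attr} is not a hexadecimal string")
        elif len(value) != hex_len:
            findings.append(f"{attr} has {len(value) // 2} bytes, expected {hex_len // 2}")
    return findings

def farm_keys_match(configs):
    """True only if every server in the farm carries the identical machineKey."""
    seen = set()
    for xml in configs:
        mk = ET.fromstring(xml).find("./system.web/machineKey")
        seen.add(None if mk is None else tuple(sorted(mk.attrib.items())))
    return len(seen) == 1 and None not in seen

# Constructed sample configs: the default farm-breaking setting and a generated one.
CONFIG_TEMPLATE = "<configuration><system.web>{0}</system.web></configuration>"
WEAK_CONFIG = CONFIG_TEMPLATE.format('<machineKey validationKey="AutoGenerate,IsolateApps" '
                                     'decryptionKey="AutoGenerate,IsolateApps" validation="SHA1"/>')
GOOD_CONFIG = CONFIG_TEMPLATE.format(machine_key_element())
```

Run `audit_machine_key` over each server's Machine.config and `farm_keys_match` over the whole set; a single server still on AutoGenerate shows up in both.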