63

We (our IT partner really) recently changed some DNS for a web farmed site we have, so that the two production server have round-robin DNS switching between them. Prior to this switch we didn't really have problems with WebResource.axd files. Since the switch, when we hit the live public URL, we get an error:

CryptographicException

Padding is invalid and cannot be removed.

When we hit the specific servers themselves, they load fine. I've researched the issue and it seems since they're sharing assets between two servers, we need to have a consistent machineKey in the web.config for each server so they can encrypt and decrypt consistently between the two. My questions are:

  1. Can I generate a machineKey via a tool on the server, or do I need to write code to do this?
  2. Do I just need to add the machineKey to the web.config on each server or do you think I'll need to do anything else to make the two server work together? (Both web.config's currently do not have a machineKey)
Community
  • 1
  • 1
Mark Ursino
  • 31,209
  • 11
  • 51
  • 83

3 Answers3

79

This should answer:

How To: Configure MachineKey in ASP.NET 2.0 - Web Farm Deployment Considerations

Web Farm Deployment Considerations

If you deploy your application in a Web farm, you must ensure that the configuration files on each server share the same value for validationKey and decryptionKey, which are used for hashing and decryption respectively. This is required because you cannot guarantee which server will handle successive requests.

With manually generated key values, the settings should be similar to the following example.

<machineKey  
validationKey="21F090935F6E49C2C797F69BBAAD8402ABD2EE0B667A8B44EA7DD4374267A75D7
               AD972A119482D15A4127461DB1DC347C1A63AE5F1CCFAACFF1B72A7F0A281B"       

decryptionKey="ABAA84D7EC4BB56D75D217CECFFB9628809BDB8BF91CFCD64568A145BE59719F"
validation="SHA1"
decryption="AES"
/>

If you want to isolate your application from other applications on the same server, place the in the Web.config file for each application on each server in the farm. Ensure that you use separate key values for each application, but duplicate each application's keys across all servers in the farm.

In short, to set up the machine key refer the following link: Setting Up a Machine Key - Orchard Documentation.

Setting Up the Machine Key Using IIS Manager

If you have access to the IIS management console for the server where Orchard is installed, it is the easiest way to set-up a machine key.

Start the management console and then select the web site. Open the machine key configuration: The IIS web site configuration panel

The machine key control panel has the following settings:

The machine key configuration panel

Uncheck "Automatically generate at runtime" for both the validation key and the decryption key.

Click "Generate Keys" under "Actions" on the right side of the panel.

Click "Apply".

and add the following line to the web.config file in all the webservers under system.web tag if it does not exist.

<machineKey  
    validationKey="21F0SAMPLEKEY9C2C797F69BBAAD8402ABD2EE0B667A8B44EA7DD4374267A75D7
                   AD972A119482D15A4127461DB1DC347C1A63AE5F1CCFAACFF1B72A7F0A281B"           
    decryptionKey="ABAASAMPLEKEY56D75D217CECFFB9628809BDB8BF91CFCD64568A145BE59719F"
    validation="SHA1"
    decryption="AES"
/>

Please make sure that you have a permanent backup of the machine keys and web.config file

BlackICE
  • 8,816
  • 3
  • 53
  • 91
  • 2
    If it doesn't work, please remove `validation="SHA1" decryption="AES"` from the above line of code, then it works fine. – John Jul 26 '17 at 09:34
  • do you know how to setup the same for Azure Web App? We would like to have ASP.Net MVC application with High Availability Disaster Recovery (HADR). For the Azure setup, we cannot generate the Machine Key from IIS instead we use the blog [link](https://codewithshadman.com/machine-key-generator/). But we are getting Internal Server Error (500) – Mihir Shah Aug 13 '20 at 14:29
  • @BlackICE, I forgot the mentioned your name in above comments. Do you know how to setup the same for MS Azure Web App? – Mihir Shah Aug 14 '20 at 05:51
  • For anyone else struggling to find the default location of the machineKey section when it's not yet configured in the web.config, that is `%SystemRoot%\Microsoft.NET\Framework\%VersionNumber%\CONFIG\web.config.comments` – Cristian Rusanu Nov 17 '20 at 10:24
  • add in machine.config ? – Kiquenet Jan 21 '21 at 13:23
  • 2
    SHA1 seems to be legacy. AS of 2021-08-28, the documentation from MS suggests HMACSHA256 instead, or one of the other alternatives... https://learn.microsoft.com/en-us/dotnet/api/system.web.configuration.machinekeyvalidation?view=netframework-4.8 – Allen Aug 28 '21 at 14:18
21

If you are using IIS 7.5 or later you can generate the machine key from IIS and save it directly to your web.config, within the web farm you then just copy the new web.config to each server.

  1. Open IIS manager.
  2. If you need to generate and save the MachineKey for all your applications select the server name in the left pane, in that case you will be modifying the root web.config file (which is placed in the .NET framework folder). If your intention is to create MachineKey for a specific web site/application then select the web site / application from the left pane. In that case you will be modifying the web.config file of your application.
  3. Double-click the Machine Key icon in ASP.NET settings in the middle pane:
  4. MachineKey section will be read from your configuration file and be shown in the UI. If you did not configure a specific MachineKey and it is generated automatically you will see the following options:
  5. Now you can click Generate Keys on the right pane to generate random MachineKeys. When you click Apply, all settings will be saved in the web.config file.

Full Details can be seen @ Easiest way to generate MachineKey – Tips and tricks: ASP.NET, IIS and .NET development…

BlackICE
  • 8,816
  • 3
  • 53
  • 91
TheAlbear
  • 5,507
  • 8
  • 51
  • 84
  • http://blogs.msdn.com/b/amb/archive/2012/07/31/easiest-way-to-generate-machinekey.aspx not found – Kiquenet Jan 21 '21 at 13:24
  • this should be similar, who knows how long this link will last. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731979(v=ws.10) – BlackICE Jan 25 '21 at 18:34
8

Make sure to learn from the padding oracle asp.net vulnerability that just happened (you applied the patch, right? ...) and use protected sections to encrypt the machine key and any other sensitive configuration.

An alternative option is to set it in the machine level web.config, so its not even in the web site folder.

To generate it do it just like the linked article in David's answer.

eglasius
  • 35,831
  • 5
  • 65
  • 110