Wednesday, September 7, 2011

Validation of viewstate MAC failed Website on Web Farm

The machineKey value has to be the same on all machines in a webfarm.  
Validationof viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in acluster.

The status data is transferred between the client and the server always validates. This is to ensure that data is not tempered View State. Since the view state data is encrypted and decrypted, the unique key used to encrypt / decrypt data. When the application is hosted on a single machine, no problem as is always the same key for encryption and decryption. But this will not be the case of Web servers. No value for this key will be different from those servers. And this is the root cause of error. Now to solve this problem there are two options.

The first option is set to false in the EnableViewStateMac web.config. This is an attribute of the tag of the page. You also have the option of configuring the EnableViewStateMac false at the page level. The only drawback to this option is that you need to do this for all pages across the application.

In web.config
<pages enableViewStateMac="false">

</ Pages>

A page-level

<% @ Page Language = "C #" AutoEventWireup = "false" CodeFile = "Default.aspx.cs" Inherits = "_Default"
 EnableViewStateMac = "false"%>

Another option is to specify your own value for encryption and decryption key in the web.config. However, this key will be the same across servers.

Both the option to work perfectly, but it is always advisable to go with the specification of the custom key for encryption and decryption in the web.config. This is because when you set the value to false EnableViewStateMac open its application to security threats. This is because the view state validation willnot happen in this case.

<MachineKey validationKey = "<encryptionkey>" decryptionKey = "<decryptionkey>" validation = "SHA1" decryption = "Auto" />

You can also use the following code to generate key pairs for value
using System;
using System.Text;
using System.Security.Cryptography;

class MachineKeyInfo
    static void Main(string[] argv) 
        int length = 128;
        if (argv.Length > 0)
            length = int.Parse(argv[0]);
            byte[] buffer = new byte[length / 2];
            using (RNGCryptoServiceProvider rngCryServiceProvieder =                                                       new RNGCryptoServiceProvider())
            StringBuilder sb = new StringBuilder(length);
            for (int i = 0; i < buffer.Length; i++)
                sb.Append(String.Format("{0: X2}", buffer[i]));

Run the application twice, and then copy and paste the resulting keys <machineKey> element, once for validationKey and again to decryptionKey.

for more help visit 
How To: Configure MachineKey in ASP.NET 2.0
Validation of viewstate MAC failed error

The default ASP.NET settings ensure that forms authentication ticket encryption and tamper-proof, and that ViewState is tamper proof. This ensures that any modification of the ViewState or authentication tickets either on the client computer or network is detected when the server processes the data.

Provide tamper proof ViewState, a message authentication code hash (HMAC) is generated from the contents of ViewState and the hash is compared on subsequent requests. The validation attribute of <machineKey> indicates the hash algorithm to use, default is SHA1, which uses the algorithm HMACSHA1. Valid options for SHA1 or MD5 hash include, but SHA1 is preferred because it produces a larger hash
and is considered cryptographically stronger than MD5. <machineKey> ValidationKey attribute is used in conjunction with the contents of ViewState to produce the HMAC.
If your application is installed on a Web farm, you must change the validationKey of AutoGenerate, IsolateApps a specific value manually generated key.
If you need to use potentially sensitive data circuits, you can force encryption of ViewState for a specific page. By setting ViewStateEncryptionMode = "Always" in the @ Page directive for that page. If you prefer, you can use to request control ViewState of the page can be encrypted using a method call Page.RegisterRequiresViewStateEncryption. Using this method along with the default ViewStateEncryptionMode = "Auto" ensures that encrypted ViewState only for pages that need it.

To encrypt ViewState in a Web farm, you must manually configure the validationKey value. The encryption algorithm is determined by the validation attribute of <machineKey>. The default validation attribute of SHA1, which provides evidence of sabotage, but not encrypted.

To support the encryption of ViewState, you must set the validation attribute of AES, the recommended symmetric encryption algorithm.

Forms authentication tickets are tamper proof and encrypted by default. DecryptionKey attributes decryption and encryption control.
The validationKey controls the hashing. If your application is in a Web farm, you must manually configure the validationKey and decryptionKey. Also, if you need to share forms authentication tickets in the applications of different virtual directories, you must manually configure the keys to make sure they match in the Web.config file for each application.

If you use the Administration features, functions and choose the cache, a roles cookie is created. The cookie feature is also signed and encrypted by default, using the same mechanisms that forms authentication tickets.

No comments :

Post a Comment