5

By default, the machine key setting is auto-generated and per application (AutoGenerate,IsolateApps). MSDN states that the decryption key and validation key are based on the web application id. I am hosting two ASP.NET MVC 2 sites on my IIS 7 server but found out that the machine keys are the same. I verified this by using reflection to see the ValidationKeyInternal and DecryptionKeyInternal properties. I also tested it by generating an anti-forgery token cookie on one site and passing it to the other, and the cookie can be read.

After trial and error, I found the key will change if the application pool identity changes. The two sites have the same keys because they are running under the network service credential. Once I change the application pool identity of one site, they begin to have different validation/encryption keys.

However, after I deploy the two sites to another server, I always get the same machine keys even after changing application pool identity. The two servers have the same hardware and software configuration.

I would like to know if there is a reference for the actual logic of how the machine key is generated under the AutoGenerate,IsolateApps setting. On the web, there are a lot of articles talking about setting the same machine key in a web farm scenario. But I encountered a problem on the opposite side. The per web application auto key generation does not seem to work properly. Has anyone had the same problem before?

intangible02
  • What you're describing is atypical. In my experience it has worked as advertised. I have 2 apps running in the same app pool sharing forms auth tickets. Unless I set the machineKey to be the same, they can't share the tickets. – Simon Halsey Jul 21 '11 at 10:09
  • I never thought this wouldn't work until I encountered the problem. The pain is that I need to find an explanation for what happened on the two servers. – intangible02 Jul 22 '11 at 01:57

1 Answer

0

Do you have a web.config setting that may be overriding the IIS setting? That could be a factor in this as if you are telling the servers to use specific keys then they may do just that.

JB King
  • If I use IIS management console to change the settings, the change is persisted in web.config. They are consistent. It also means what I see in the IIS management console is based on the consolidated results from the config file hierarchy. By the way, I did the test by hosting the project in both IIS and Visual Studio development web server. – intangible02 Sep 02 '11 at 06:20
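
Added example (not code from the question, the answer, or ASP.NET itself): a Python check for the override the answer asks about. It merges the `machineKey` attributes down each site's web.config chain and reports sites that end up with identical explicit keys, or with AutoGenerate lacking IsolateApps. The config snippets, site names and key values are constructed; `<location>` elements and XML namespaces are assumed absent.

```python
import xml.etree.ElementTree as ET
from itertools import combinations

# Framework default when no config file sets the attribute.
DEFAULTS = {"validationKey": "AutoGenerate,IsolateApps",
            "decryptionKey": "AutoGenerate,IsolateApps"}

def effective_machine_key(config_chain):
    """Merge <system.web>/<machineKey> attributes from the outermost config
    (machine level) to the innermost (application); inner values win."""
    merged = dict(DEFAULTS)
    for xml_text in config_chain:
        node = ET.fromstring(xml_text).find("system.web/machineKey")
        if node is not None:
            merged.update({k: v for k, v in node.attrib.items() if k in DEFAULTS})
    return merged

def audit(apps):
    """apps maps a site name to its config chain. Returns a list of findings."""
    keys = {name: effective_machine_key(chain) for name, chain in apps.items()}
    findings = []
    # Auto-generated keys are only per-application when IsolateApps is present.
    for name, mk in sorted(keys.items()):
        for attr, value in sorted(mk.items()):
            flags = [part.strip().lower() for part in value.split(",")]
            if "autogenerate" in flags and "isolateapps" not in flags:
                findings.append(f"{name}: {attr} is auto-generated without IsolateApps")
    # An explicit key inherited from a parent config is shared by every child site.
    for (a, ka), (b, kb) in combinations(sorted(keys.items()), 2):
        for attr in sorted(DEFAULTS):
            if ka[attr] == kb[attr] and "autogenerate" not in ka[attr].lower():
                findings.append(f"{a} and {b}: identical explicit {attr}")
    return findings

# Constructed sample: a parent config pins explicit (placeholder) keys.
ROOT = ('<configuration><system.web><machineKey '
        'validationKey="CONSTRUCTED-VALIDATION-KEY" '
        'decryptionKey="CONSTRUCTED-DECRYPTION-KEY"/></system.web></configuration>')
SAMPLE_APPS = {
    "siteA": [ROOT, "<configuration/>"],
    "siteB": [ROOT, "<configuration><system.web/></configuration>"],
    "siteC": [ROOT, '<configuration><system.web><machineKey validationKey="AutoGenerate" '
                    'decryptionKey="AutoGenerate,IsolateApps"/></system.web></configuration>'],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_APPS):
        print(finding)
```
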