Viewstate verification failed. Reason: The viewstate supplied failed integrity check - asp.net

For a while now I've been getting the "Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster." error on GridView post-backs.
I've defined the same machine-keys on my sites but I (sometimes) get the message.
Any clue?

Add this to your web.config file in the system.web section:
<machineKey validationKey="xxx" decryptionKey="xxx" validation="SHA1" decryption="AES" />
Provide your own validation and decryption keys ("xxx" above),
which you can try to generate from here.
Please refer to this Microsoft KB.

The remote certificate is invalid according to the validation procedure. Identity Server

On one computer I have 2 projects - a client application and another that holds the identity server and identity manager. When I run the client site on this computer everything works. I am able to sign in, register etc. This project was already set up and working.
I made a copy of the projects and put them on another computer. I have set the sites up in IIS and created a self signed certificate.
When I run the client site and attempt to sign in I get the yellow asp.net error page with the message "The remote certificate is invalid according to the validation procedure". When stepping through with the debugger I also see: "The underlying connection was closed: could not establish trust relationship for the ssl/tls secure channel"
I figure the errors have to do with the certificate, so in MMC I made sure that the certificates are installed in the Trusted Root Certification Authorities folder.
The other thing I did was check the web.config files in the projects.
In the client site I have something like:
<oidcClient clientId="codeclienthere"
clientSecret="secrethere"
signingCertificate="keythatmatches_certificate_hash_here"
issuerName="https://identityurlhere/issuer"
...
Then in the identity server and identity manager web.config files I have something like:
<appSettings>
<add key="owin:AppStartup" value="startup" />
<add key="Issuer" value="identity_url_here/issuer" />
<add key="Thumbprint" value="‎‎keythatmatches_certificate_hash" />
<add key="WebClientId" value="codeclienthere"/>
<add key="WebClientSecret" value="secrethere"/>
...
I changed the signing certificate and thumbprint values to match the certificate hash. For the attribute "issuerName" and key "Issuer" I tried leaving it the same, setting it the name of the certificate and prepending "CN=" to the name of the certificate. I am unsure what value should go here. I am also unsure what other things I should check.
The problem here was that there were hidden characters in the thumbprint that I did not notice. I had pasted in a text editor to compare or something and they got removed so when I pasted them back in the config file they did not match as needed.
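As an added illustration (not from the original post), a small Python check that reports invisible characters in a pasted thumbprint and compares the config value with the certificate's thumbprint after normalising case, spaces and stray code points. The thumbprint values are constructed, not real certificates.

```python
import re
import unicodedata

# Constructed sample values (not a real certificate): the thumbprint as MMC shows it,
# and a pasted copy that carries two invisible U+200E LEFT-TO-RIGHT MARK characters,
# the kind of hidden character described in the post.
CLEAN_THUMBPRINT = "0123456789ABCDEF0123456789ABCDEF01234567"
PASTED_THUMBPRINT = "\u200e\u200e" + CLEAN_THUMBPRINT

SHA1_THUMBPRINT = re.compile(r"^[0-9A-F]{40}$")


def hidden_characters(value):
    """List (offset, Unicode name) for every character that is not printable ASCII."""
    return [(i, unicodedata.name(ch, "U+%04X" % ord(ch)))
            for i, ch in enumerate(value)
            if not (ch.isascii() and ch.isprintable())]


def normalize_thumbprint(value):
    """Keep only hex digits (drops spaces, colons and invisible marks), upper-case them,
    and require the 40 digits of a SHA-1 thumbprint."""
    cleaned = "".join(ch for ch in value if ch in "0123456789abcdefABCDEF").upper()
    if not SHA1_THUMBPRINT.match(cleaned):
        raise ValueError("not a 40-hex-digit thumbprint after cleaning: %r" % cleaned)
    return cleaned


def thumbprint_report(config_value, certificate_value):
    """Compare a web.config value with the certificate's thumbprint and explain a mismatch.
    A byte-for-byte comparison (exact_match) fails on hidden characters even when the
    hex digits agree (match_after_cleanup)."""
    return {
        "hidden_in_config": hidden_characters(config_value),
        "exact_match": config_value == certificate_value,
        "match_after_cleanup": normalize_thumbprint(config_value) == normalize_thumbprint(certificate_value),
    }
```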

System.Web.UI.ViewStateException Invalid viewstate. Client IP: 127.0.0.1 Port: xxx Referer: http:///

I currently have an intermittent issue where users receive the error message in the title of this post:
System.Web.UI.ViewStateException
Invalid viewstate. Client IP: 127.0.0.1 Port: xxx Referer: xxx
I've finally managed to replicate this in our Development environment and it appears to be related to posting a form back after a period of 20 minutes of inactivity.
I initially thought it was the session timing out causing the problem but apparently not.
I found the following post:
Viewstate timeout error
This suggests that ViewState encryption keys have a finite lifetime and by default are set at server level to:
<machineKey validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps"
validation="SHA1" decryption="Auto" />
The strange thing is that this doesn't happen for all users concurrently so it's not the app pool recycling.
Does anyone know if a key is generated per user session?
I have managed to fix this error by adding a static machine key config as suggested:
<machineKey validationKey="9664D19D67A5EE43FE77CD2B660A57DF254B15714935DDDDAAC94BC66C5C398F894380AD56572C8762A1AB116B9070C7ACC7F32B489D23476CEA909448831AF3"
decryptionKey="CAD9BBC02543433C50CD4A11EA706F0F25FCD51F28E9DEAF20361F0AA2AB3793"
validation="SHA1"
decryption="AES"
/>
Is this a safe thing to do in a production environment? Wanted to double check as the application has been running for around 10 years and is a global change I'm reluctant to make without knowing the pros and cons.
Thanks in advance.
This is suggested for web farms so I see no reason why it would be a problem for a single instance of a web app.

This is an invalid script resource request. ~/scriptresource.axd

Error at System.Web.Handlers.ScriptResourceHandler.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
I am getting the above error from a production server.
We have six production servers and we get the above error from three production servers only.
Remaining three are working fine.
We have the following setting for machineKey on all six servers. Path:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config.comments
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\web.config.comments
OLD Setting:
<machineKey validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps"
validation="SHA1"
decryption="Auto"
compatibilityMode="Framework20SP1" />
CHANGED TO SPECIFIC KEY
<machineKey validationKey="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
decryptionKey="XXXXXXXXXXXXXXXXXXXXXXXX"
validation="SHA1"
decryption="AES"
compatibilityMode="Framework20SP1" />
but we are getting the same exception.
Can anyone please tell me what the exact problem could be?
This can be caused by search engines crawling through your pages. Sometimes they hit the ScriptResource.axd file and generate the error you are seeing.
If you can log the IPs that are causing this error, look them up and see where/who they are.
Of course, if you are only getting this from 3 of 6 servers in your web farm, something else could be wrong.
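An added example, not from the original answer, of the IP logging the answer suggests: a Python pass over constructed IIS W3C log lines that counts failed ScriptResource.axd requests per client address and flags user agents that look like crawlers. Field names follow the W3C #Fields directive in the sample; the IPs are documentation ranges and the user agents are made up.

```python
import re
from collections import Counter

# Constructed IIS W3C log excerpt (documentation IP ranges, made-up user agents).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2013-05-01 10:00:01 10.0.0.5 GET /ScriptResource.axd d=abc123 80 203.0.113.10 Mozilla/5.0+(compatible;+Examplebot/2.1) 500
2013-05-01 10:00:02 10.0.0.5 GET /Default.aspx - 80 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1) 200
2013-05-01 10:00:03 10.0.0.5 GET /ScriptResource.axd d=abc123 80 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1) 200
2013-05-01 10:00:04 10.0.0.5 GET /ScriptResource.axd d=trunc 80 203.0.113.10 Mozilla/5.0+(compatible;+Examplebot/2.1) 500
2013-05-01 10:00:05 10.0.0.5 GET /scriptresource.axd d=zzz 80 198.51.100.9 Mozilla/5.0+(Windows+NT+6.1) 500
"""

# Crude heuristic for crawler user agents; tune it to what your own logs show.
CRAWLER_HINT = re.compile(r"bot|crawler|spider", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split()))


def script_resource_failures(text):
    """Count ScriptResource.axd requests that ended in a 5xx per client IP and note
    whether that client's user agent looks like a crawler."""
    failures = Counter()
    crawlers = set()
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        if stem.endswith("/scriptresource.axd") and rec["sc-status"].startswith("5"):
            failures[rec["c-ip"]] += 1
            if CRAWLER_HINT.search(rec["cs(User-Agent)"]):
                crawlers.add(rec["c-ip"])
    return {ip: {"failures": n, "crawler": ip in crawlers} for ip, n in failures.items()}
```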

ASP.NET machineKey config section default location

Where do I find the machineKey config section for ASP.NET?
I don't have one in my application Web.config, there isn't one in the root Web.config and there isn't one in my machine.config.
Does this mean there is some other default hardcoded into ASP.NET? If so, what are the defaults? (For .NET 2 and 4)
Having read this: http://msdn.microsoft.com/en-us/library/w8h3skw9.aspx
I was expecting to find something like this, somewhere:
<machineKey
validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps"
/>
Edit: the 1.1 docs seem fairly clear with respect to default values: http://msdn.microsoft.com/en-us/library/w8h3skw9(VS.71).aspx, but the 4 docs are rather ambiguous: http://msdn.microsoft.com/en-us/library/w8h3skw9.aspx
machineKey is situated under the system.web entry in web.config.
Refer to the MSDN link for the web.config schema.
If you don't see it in your web.config, you can just add it there.
From MSDN again :-)
To provide tamper proof ViewState, a hashed message authentication code (HMAC) is generated from the ViewState content and the hash is compared on subsequent requests. The validation attribute of the <machineKey> element indicates which hashing algorithm to use, and it defaults to SHA1, which uses the HMACSHA1 algorithm. Valid choices for hashing include SHA1 or MD5, although SHA1 is preferable because it produces a larger hash and is considered cryptographically stronger than MD5. The validationKey attribute of <machineKey> is used in conjunction with the ViewState content to produce the HMAC. If your application is installed in a Web farm, you need to change the validationKey from AutoGenerate,IsolateApps to a specific manually generated key value.
The default settings for the <pages> and <machineKey> elements are defined in the machine-level web.config.comments file.
For machineKey, they are
<machineKey validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps"
validation="SHA1" decryption="Auto" />
EDIT:
For .NET 4.0 the default algorithm has been changed to SHA256
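As an added example covering both the key-generation advice in the first answer on this page and the HMAC explanation quoted above (not the page's own code, and a simplified model rather than ASP.NET's real ViewState serialisation), the following Python generates a static machineKey element and shows why a shared validationKey validates across servers while an AutoGenerate key on one node does not. Key sizes (64-byte validationKey, 32-byte decryptionKey) are assumptions matching the hex lengths shown in the thread.

```python
import hashlib
import hmac
import secrets


def generate_machine_key():
    """Return (validationKey, decryptionKey, element) with fresh random keys,
    hex-encoded: 64 bytes for HMACSHA256 and 32 bytes for AES (assumed sizes)."""
    validation_key = secrets.token_hex(64).upper()   # 128 hex characters
    decryption_key = secrets.token_hex(32).upper()   # 64 hex characters
    element = ('<machineKey validationKey="%s" decryptionKey="%s" '
               'validation="HMACSHA256" decryption="AES" />' % (validation_key, decryption_key))
    return validation_key, decryption_key, element


def sign_viewstate(validation_key_hex, viewstate):
    """Model of the MAC step: append an HMAC-SHA256 tag keyed with the server's validationKey."""
    tag = hmac.new(bytes.fromhex(validation_key_hex), viewstate, hashlib.sha256).digest()
    return viewstate + tag


def verify_viewstate(validation_key_hex, signed):
    """Return the payload if the tag validates under this server's key, else None
    (the model equivalent of 'Validation of viewstate MAC failed')."""
    payload, tag = signed[:-32], signed[-32:]
    expected = hmac.new(bytes.fromhex(validation_key_hex), payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def farm_demo():
    """Server A renders a page; B shares A's static key, C made up its own (AutoGenerate)."""
    shared_key, _, _ = generate_machine_key()
    autogen_key = secrets.token_hex(64)  # what an AutoGenerate node would hold
    page_state = b"constructed viewstate payload: GridView page 2, sort=Name"
    signed = sign_viewstate(shared_key, page_state)
    tampered = signed[:5] + b"X" + signed[6:]  # one byte of the payload changed in transit
    return {
        "same_key_server": verify_viewstate(shared_key, signed) == page_state,
        "autogenerate_server": verify_viewstate(autogen_key, signed) is None,
        "tampered_rejected": verify_viewstate(shared_key, tampered) is None,
    }
```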
I think that the easiest way of finding the defaults is to see the entry in the MSDN for this config value.
MSDN 4.0 for machineKey is as below. The values selected are the default values.
The values in [] are the other optional values that the field can take.
I remember reading someplace this is the typical way in MSDN of denoting defaults for the config values.
<machineKey
validationKey="AutoGenerate,IsolateApps" [String]
decryptionKey="AutoGenerate,IsolateApps" [String]
validation="HMACSHA256" [SHA1 | MD5 | 3DES | AES | HMACSHA256 | HMACSHA384 | HMACSHA512 | alg:algorithm_name]
decryption="Auto" [Auto | DES | 3DES | AES | alg:algorithm_name]
/>

ViewState Encryption in ASP.Net

Why is it that I see the same hash value generated when I use different algorithms for viewstate encryption?
I have added below lines to the web.config file
<pages viewstateEncryptionMode="Always" enableViewStateMac="true" ... />
<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="AES" decryption="Auto" />
Also, <compilation debug="false" ... > is set.
No matter what I use (AES, MD5, SHA1, 3DES), it generates the same hash. Is there something I am missing?
Please let me know.
-Thanks
Here is an article on Encrypting Viewstate. It's for ASP.NET 2.0, which should be fine for 3.5.
Via P&P on MSDN:
Forms authentication defaults to SHA1 for tamper proofing (if validation="SHA1" or validation="MD5", then forms authentication hashes the forms authentication ticket by using either MD5 or HMACSHA1 (HMACSHA1 is used even if validation is set to AES or 3DES). Forms authentication then encrypts the ticket using the algorithm specified in the decryption attribute. (The decryption attribute was introduced in ASP.NET 2.0.)
Therefore, theoretically, only SHA1 and MD5 should differ in the hash that is produced.
