Develop Reference

Viewstate timeout error

I develop mostly for desktop so, I tend to think as WebForms as a web equivalent of WinForms. Unfortunetly this is not true.
Recently I have discovered that the Viewstate have some kind of timeout.
My problem is similar as I have read in most questions, in particular here (in my case is only around 5 to 10 minutes).
Here Microsoft says that one solution for this problem is:
<asp:Page EnableViewStateMac="False" />
However as we can read further they say:
Security Note:
This attribute should never be set to false in a production Web site,
even if the application or page does not use view state.
The view state MAC helps ensure the security of other ASP.NET functions
in addition to view state.
For this reason I don't want to set EnableViewStateMac to false and I have no access to my server (is shared hosting).
My question is: can we store the Viewstate between postbacks even if our page stay idle for a long time? If yes, how?
Thank you

The viewstate is encrypted using a machine key to ensure that it is not tampered with during postback. The machine key used to encrypt the viewstate is by default auto-generated and if the time out happens then the key's decryption will fail because the machinekey will get regenerated.
The machinekey is by default available at machine level config file.
<machineKey validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps"
validation="SHA1" decryption="Auto" />
To fix this, you can use your own defined machine key. You can generate using online tools as well, like this or through IIS.
How to add this machinekey to web.config can be read at MSDN.
It should be placed under the system.web section, like this -
<configuration>
<system.web>
<machineKey decryptionKey="Decryption key goes here,IsolateApps"
validationKey="Validation key goes here,IsolateApps" />
</system.web>
</configuration>

Validation of viewstate MAC failed, but occurs on only 1 out of 2 webfarm servers (machine key is correct)

So I have something weird going on and i can not pin down exactly what is causing it. My asp.net project is live with session state on two production servers that are synced using the following command:
msdeploy -verb:sync -source:webserver,computername=%MACHINE%,username=Administrator,password=%PASSWORD% -dest:webserver 2<&1
The application is an asp.net 4.0 website that is run on two Server 2008 R2 web servers behind a load balanced configuration where the users are set to stick to one server once they connect. We have <MachineKey> set hardcoded with validation and decryption keys in the root site of the application and it is the same between both servers. My application is set up to forward exception events to our email system.
What is happening is that i am receiving the dreaded 'Validation of viewstate MAC failed' from the servers but even though the server load is 50/50 split the errors are coming in on a 99/1 split. So one web server is generating these errors considerably more often than the other one. This is strange considering the servers are synced and all configurations are identical.
I've done extensive searching on this problem and it seems quite difficult to find any solution that doesn't mention or do the following.
<MachineKey> is not identical between servers. (I know for a fact this is not my problem)
Setting enableViewStateMac=false or some other setting that jeopardizes the site security.
Make sure that all action tags on form inputs reference the same page they are placed on
Make sure the instance ID of the servers are the same (they are)
If the user clicks through the page before the entire page (viewstate) has been downloaded (my viewstate is set to render at the top of the page).
Issues with response.redirect and server.transfer
Now i have eliminated all except the last two as possible causes. My application has been running fine for over a year with no issues and right before these errors appeared i enabled SQL session state, migrated the project from .NET 3.5 to .NET 4.0, and set the set the server mode deployment mode to retail. I have tried recycling the application pools and performing an 'iis reset' to no avail.
Does anyone else have any suggestions as to what i can look at? Bottom line i do NOT want to fix this by opening up security holes in my site.
It appears this is happening to users right after they authenticate using forms authentication the first time they try to log in but i can not confirm this. I also have a theory that this might have to do with caching but i can't be sure on this either.
Here is the juicy bit from my web.config (i have removed some sensitive information)
<system.web>
<httpRuntime requestValidationMode="2.0"/>
<globalization culture="en-US" uiCulture="en-US" resourceProviderFactoryType="WebResourceFactory"/>
<compilation debug="true" defaultLanguage="c#" explicit="true" strict="true" targetFramework="4.0">
<assemblies>
</assemblies>
</compilation>
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="Login.aspx" protection="All" slidingExpiration="true"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
<sessionState mode="SQLServer" sqlConnectionString="connection" compressionEnabled="true" />
<pages theme="Blue" controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID">
<machineKey validationKey="key" decryptionKey="key" decryption="3DES" validation="SHA1" />
</system.web>
EDIT:Emphasized that i'm using SQL session state with a load balancer set to prefer to route users to the server they started on.

There is an additional possibility that you have not added to your list - ViewStateUserKey.
I have seen issues with applications where the ViewStateUserKey was set to the Session ID on logon and (crucially) before any data is saved to the Session. Since ASP.NET does not persist Session IDs until one or more objects are saved to session this meant that the ID was constantly changing and the Viewstate was failing validation. Even if you have saved something to Session then the Session will be different on each server if you are using the default in-process model and not a state server or SQL session store (as you are doing). Any server specific value or value that is not readily predictable across servers used with ViewStateUserKey will of course also cause this problem.
Otherwise the most common causes of this issue I have seen is where an "Action" attribute is set on a form that is not the URL of the same page as the form (this catches out developers used to PHP or platforms that do not attempt to abstract away from HTTP), or missing Machine Key attributes in the Web.config in multi-server environments (which you seem to have covered).

Ok i appear to have fixed it, though i can not discern what exactly caused it so i will just list all the steps i performed in case someone else has this problem later on.
1 :
Installed these windows updates:
2:
My forms authentication cookie was set to persistent but my session cookie was set to the browser session. I set my forms authentication cookie to be browser session based.
3:
I copied my from the site config to the root of IIS. From all the documentation i could find it should not be necessary for me to do this because IIS should support multiple machine keys for different sites / applications.
4:
Rebooted the server.
That's it! I have not received the errors since then.

IIS 8.0 ASP.NET and Error 500.19

I can't seem to get any ASP.NET sites to run under IIS8 on Windows 8. Under IIS Express they are fine, but I've:
Installed IIS8
Installed ASP.NET 3.5 and 4.5 features in IIS
Created a valid application pool
Added a new Application in IIS manager pointing to my site
But I get:
HTTP Error 500.19 - Internal Server Error
The requested page cannot be accessed because the related configuration data for the page is invalid.
Config Source:
-1:
0:
Any ideas?

ASP.Net applications come pre-wired with a handlers section in the web.config.
By default, this is set to readonly within feature delegation within IIS.
Take a look in IIS Manager, under the Server name → Feature delegation.
If Handler Mappings is set to readonly and your site web.configs have a handlers section, flip the value to read/write and see what happens.
Worked for me when moving to Windows 8 / IIS 8 / ASP.Net MVC 4.

Click "Start button"
in the search box, enter "Turn windows features on or off"
in the features window, Click: "Internet Information Services"
Click: "World Wide Web Services"
Click: "Application Development Features"
Check (enable) the features. I checked all but not CGI.
i'm using w10 technical preview

I had same issue, this is because the app pool doesn't have rights to the web site directory or web.config. Try to grant rights for "IIS_IUSRS" with : Read,Execute,List.

I had the same issue when moving a web application from IIS 7 to 8, and I solved it by installing the URL Rewrite module, which I had completely forgot. So check that you have the correct modules etc. installed on your new server/IIS.
You can install this module with WPI (Web Platform Installer) also.

If you have a new machine / formatted your machine, while installing IIS, make sure that you ticked installing ASP.Net (appropriate version).
Hint : Turn Windows Feature ON/OFF --> IIS --> Application Development Features --> ASP.Net 3.5 / 4.6
Recently I have upgraded to Windows 10 (IIS 10) & as I had forgot to install ASP.Net, I was facing this issue.
Other troubleshooting tips are:
2) Make sure you have given read permission to IIS_IUSRS group on
your application folder.
3) You may check if your Application Pool
has correct target .Net framework selected.
4) Make sure your
Web.config is proper (well defined XML) and has no errors. Thanks.

Look in the web.config for invalid config sections.
In the IIS manager I couldn't open any of the features such as Module etc.
In my web.config I had an invalid config section from a chart object that I used before:
<system.webServer>
<httpHandlers>
<add path="ChartImg.axd" verb="GET,HEAD,POST" type="System.Web.UI.DataVisualization.Charting.ChartHttpHandler, System.Web.DataVisualization, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" validate="false" />
</httpHandlers>
</system.webServer>
After I removed it everything worked.

After trying all of the above, I was still stuck, so I decided to go look at the file referenced in my error message, "c:\some\path\web.config"
It was 3KB, and I renamed it to "_web.config", and the script immediately started working properly.
I assume the original created with how things were set before my myriad changes. With all the changes I did, it could now create a proper web.config.
Something to try if the above doesn't get you where you need to be, guys.

Finally sorted mine! Jesus.
I was using git hub for my project and downloading it to slightly different locations on each PC.
When I tried to unc to the config file the error mentioned I noticed it was actually the path the other pc uses. Couldn't fine this listed in the project at all so just right clicked the project file in VS and unloaded it, the loaded it again and it now works.

You probably tried this first but have you tried turning your pc off and on again? I tried all of the above first to no avail while simply doing this worked for me. Possibly one of my previous actions locked an important file in my project.

403 forbidden after publishing asp.net MVC

I know this has been answered a few times but none of the solutions worked for me. I published my ASP.NET MVC 3 application (It was just the internet template without any changes to it) to see if I could get it to work publically. However, when I visit the site it shows up with a 403 error. Coming from a php/linux background, I'm confused and have no clue where to look. I've only been learning .NET for about 8-9 months and everything I've been testing on before was on the local development server through VS2010. It almost appears like the server doesnt know it should be an MVC application or I have to change my routing.
Anyway, I checked to make sure that the server setting is .NET 4. Any help would be greatly appreciated.
ALSO, It's a shared hosting environment using arvixe.

For me this did the trick (Original Answer by Mmerrell at Getting 404.0 error for ASP.NET MVC 3 app on IIS 7.0 / Windows Server 2008 )
You actually just reminded me that I needed to fix this issue in an
enviroment here. If your situation is the same as mine then it's a
simple fix.
Just add the following to your web config:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
Make sure your have choosen the "ASP.Net 4.0" App-Pool and not the App-Pool created for your application.
Make sure your App Pool uses the "ApplicationPoolIdentity" and NOT NetworkService. Remove the NetworkService permission from your root folder. You dont need it. IIS has an built-in identity (IIS_IUSRS).

403 is a forbidden error. Try checking the NTFS permissions of the folder where you deployed, ensure the Network Service user has read permission
Additionally, check the Authentication and Authorization mechanism in the IIS application:
Edited:
.Net Authorization rules

I had this same issue after publishing an MVC 4 WebSite to a remote server using FTP Publishing. What ended up working for me was after publishing through Visual Studio, log onto IIS on the remote server, locate the published directory -> right click -> Convert to Application.
Not sure if there is a way to specify this in the web.config/properties, if you don't have access to the server?

1- verify that your application is running under .NET 4.0 (you did so)
2- check with the hosting company that it supports the MVC 3 framework on their hosting plan.
3- (works) Bin-Deploy your MVC run-time libraries so you may overcome any requirements on the server.
More bout bin-deploy your ASP.NET MVC can be found here: http://haacked.com/archive/2011/05/25/bin-deploying-asp-net-mvc-3.aspx
4- check that "Network Service" has proper access rights to your folder. it basically should have "Read" permission.

Don't forget about aspnet_regiis.exe -ir.

<handlers>
<add name="rewrite" path="*" verb="*" modules="IsapiModule" scriptProcessor="C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" resourceType="Unspecified" requireAccess="None" preCondition="classicMode,runtimeVersionv4.0,bitness32" />
</handlers>
Ask your hosting provider to add this handlers into webconfig

Try changing the Managed Pipeline Mode of the Application Pool to 'Classic' instead of 'Integrated'.
Whilst it may not be the final result that you're after (there can be real advantages in using Integrated mode), at least it will point you in the right direction... if it works.

Registry access for Asp.net web service in IIS 7.5

HI,
I am getting "Requested registry access is not allowed." exception when trying to read a registry key in Windows Server 2008 r2 64 bit edition.
I have added the IIS application pool to Administrator group but still getting same error.
So far the solution on web din't work for me.
Thanks.

This issue has to do with granting the necessary authorization to the user account the application runs on. To read a similar situation and a detailed response for the correct solution, as documented by Microsoft, feel free to visit this post: http://rambletech.wordpress.com/2011/10/17/requested-registry-access-is-not-allowed/
(from above, to prevent link rot)
Find key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog”
Right-click and choose “Permissions”.
Put in the desired account
also see http://support.microsoft.com/kb/842795

<system.web>
Added this line under <system.Web>
--> Commented This Line
</system.Web>
Now it's working for me in the Sharepoint 2019 Environment