Home/ Questions/Q 1928718
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-17T07:00:49+00:00

We (our IT partner really) recently changed some DNS for a web farmed site

  • 0

We (our IT partner really) recently changed some DNS for a web farmed site we have, so that the two production server have round-robin DNS switching between them. Prior to this switch we didn’t really have problems with WebResource.axd files. Since the switch, when we hit the live public URL, we get an error:

CryptographicException

Padding is invalid and cannot be removed.

When we hit the specific servers themselves, they load fine. I’ve researched the issue and it seems since they’re sharing assets between two servers, we need to have a consistent machineKey in the web.config for each server so they can encrypt and decrypt consistently between the two. My questions are:

  1. Can I generate a machineKey via a tool on the server, or do I need to write code to do this?
  2. Do I just need to add the machineKey to the web.config on each server or do you think I’ll need to do anything else to make the two server work together? (Both web.config‘s currently do not have a machineKey)
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This should answer:

    How To: Configure MachineKey in ASP.NET 2.0 – Web Farm Deployment Considerations

    Web Farm Deployment Considerations

    If you deploy your application in a Web farm, you must ensure that the
    configuration files on each server share the same value for
    validationKey and decryptionKey, which are used for hashing and
    decryption respectively. This is required because you cannot guarantee
    which server will handle successive requests.

    With manually generated key values, the settings should
    be similar to the following example.

    <machineKey  
validationKey="21F090935F6E49C2C797F69BBAAD8402ABD2EE0B667A8B44EA7DD4374267A75D7
               AD972A119482D15A4127461DB1DC347C1A63AE5F1CCFAACFF1B72A7F0A281B"       

decryptionKey="ABAA84D7EC4BB56D75D217CECFFB9628809BDB8BF91CFCD64568A145BE59719F"
validation="SHA1"
decryption="AES"
/>

    If you want to isolate your application from other applications on the
    same server, place the in the Web.config file for each
    application on each server in the farm. Ensure that you use separate
    key values for each application, but duplicate each application’s keys
    across all servers in the farm.

    In short, to set up the machine key refer the following link:
    Setting Up a Machine Key – Orchard Documentation.

    Setting Up the Machine Key Using IIS Manager

    If you have access to the IIS management console for the server where
    Orchard is installed, it is the easiest way to set-up a machine key.

    Start the management console and then select the web site. Open the
    machine key configuration:
    The IIS web site configuration panel

    The machine key control panel has the following settings:

    The machine key configuration panel

    Uncheck “Automatically generate at runtime” for both the validation
    key and the decryption key.

    Click “Generate Keys” under “Actions” on the right side of the panel.

    Click “Apply”.

    and add the following line to the web.config file in all the webservers under system.web tag if it does not exist.

    <machineKey  
    validationKey="21F0SAMPLEKEY9C2C797F69BBAAD8402ABD2EE0B667A8B44EA7DD4374267A75D7
                   AD972A119482D15A4127461DB1DC347C1A63AE5F1CCFAACFF1B72A7F0A281B"           
    decryptionKey="ABAASAMPLEKEY56D75D217CECFFB9628809BDB8BF91CFCD64568A145BE59719F"
    validation="SHA1"
    decryption="AES"
/>

    Please make sure that you have a permanent backup of the machine keys and web.config file

    • 0