IIS 7 Tip # 10 You can generate machine keys from the IIS manager

The machineKey element of the ASP.NET web.config specifies the algorithm and keys that ASP.NET will use for encryption. By default the validationKey and the decryptionKey keys are set to AutoGenerate which means the runtime will generate a random key for use. This works fine for applications that are deployed on a single server. When you use webfarms a client request can land on any one of the servers in the webfarm. Hence you will have to hardcode the validationKey and the decryptionKey on all your servers in the farm with a manually generated key.

There are a lot of articles that describe how to use RNGCryptoServiceProvider to generate a random key. There are also a lot of online tools that generate random keys for you. But I would suggest writing your own script because any one who has access to these keys can do evil things like tamper your forms authentication cookie or viewstate.

With IIS 7 you no longer have to do this manually. The IIS 7.0 manager has a built in feature that you can use to generate these keys.


It uses RNGCryptoServiceProvider internally to create a random key. The value is stored locally in the web.config of that application something like

<?xml version="1.0" encoding="UTF-8"?>
        <machineKey decryptionKey="F6722806843145965513817CEBDECBB1F94808E4A6C0B2F2,IsolateApps" validationKey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45,IsolateApps" />

You can copy it and paste it in the web.config file of all the servers in the webfarm.

Bookmark and Share