Generate a Decryption Key at Runtime (IIS 7)

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Generate a decryption key at runtime when you want ASP.NET to generate a random key and store it in the Local Security Authority (LSA). By default, a decryption key is generated at runtime and this key makes sure that forms authentication tickets are tamper proof and encrypted, and that view state is tamper proof. Generating a decryption key at runtime also guarantees that any modification of the view state or authentication tickets, either on the client's computer or over the network, is detected when the server processes the data.


For information about the levels at which you can perform this procedure, and the modules, handlers, and permissions that are required to perform this procedure, see Machine Keys Feature Requirements (IIS 7).

Exceptions to feature requirements

  • None

To generate a decryption key at runtime

You can perform this procedure by using the user interface (UI), by running Appcmd.exe commands in a command-line window, by editing configuration files directly, or by writing WMI scripts.

User Interface

To Use the UI

  1. Open IIS Manager and navigate to the level you want to manage. For information about opening IIS Manager, see Open IIS Manager (IIS 7). For information about navigating to locations in the UI, see Navigation in IIS Manager (IIS 7).

  2. In Features View, double-click Machine Key.

  3. On the Machine Key page, under Decryption key, select the Automatically generate at runtime check box, and then click Apply in the Actions pane.

Command line

To generate a decryption key at runtime, use the following syntax:

appcmd set config /commit:WEBROOT /section:machineKey /decryptionKey:AutoGenerate

The variable decryptionKey is used to configure IIS to either generate a decryption key at runtime, generate a unique decryption key for each application, or both. The default value is AutoGenerate,IsolateApps.


When you use Appcmd.exe to configure the <machineKey> element at the global level in IIS 7, you must specify /commit:WEBROOT in the command so that configuration changes are made to the root Web.config file instead of ApplicationHost.config.

For more information about Appcmd.exe, see Appcmd.exe (IIS 7).


The procedure in this topic affects the following configuration elements:

<machineKey> element, defined in the Machine.config file.

For more information about IIS 7 configuration, see IIS 7.0: IIS Settings Schema on MSDN.


Use the following WMI classes, methods, or properties to perform this procedure:

  • MachineKeySection.ValidationKey “AutoGenerate” flag

For more information about WMI and IIS, see Windows Management Instrumentation (WMI) in IIS 7. For more information about the classes, methods, or properties associated with this procedure, see the IIS WMI Provider Reference on the MSDN site.

See Also


Configuring Machine Keys in IIS 7