Configuring Encryption and Validation Keys

Applies To: Windows Server 2003, Windows Server 2003 with SP1

ASP.NET uses a key to help protect data so that session state data is only accessible from the Web server that created the data. In a Web garden, all of the worker processes use the same Machine.config or Web.config file, so no additional configuration is necessary. If you are configuring ASP.NET session state for a Web garden, continue to the next step in the ASP.NET application deployment process, Configuring ASP.NET Applications to Use the Appropriate Session State.

In a Web farm, each Web server in the farm has a separate Machine.config or Web.config file. As a result, you need to manually configure each Web server in the farm to share the same encryption and validation keys so that they can share session state data. This allows one server to decrypt the session state data created by another server in the Web farm. You can configure the encryption and validation keys in the <machineKey> section of the Machine.config file.

Tip

When you want all of the ASP.NET applications on a Web server to use the same encryption and validation keys, make the modifications in the Machine.config file. When you want to customize the encryption and validation keys for each ASP.NET application, modify the corresponding Web.config file for the application.

For each server in the Web farm, identically configure the values of the following attributes in the Machine.config or Web.config file:

  • The validationKey attribute. This attribute contains the key that is used to validate that data tampering has not occurred. The validation algorithm, which is specified in the validation attribute, validates the data by using the key in the validationKey attribute. The validationKey attribute can range from 40 to 128 hexadecimal characters in length. The default value for the validationKey attribute is auto-generated. Configure the value for the validationKey attribute to be the same value for all of the servers in a Web farm.

  • The validation attribute. This attribute is used to configure the validation algorithm used to verify the data. The validation algorithms that you can select include Message Digest 5 (MD5), Secure Hash Algorithm 1 (SHA1), or triple DES (3DES). The Web server validates the data with the key in the validationKey attribute and the algorithm specified by the validation attribute. Configure the value of the validation attribute to be the same value for all of the servers in a Web farm.

  • The decryptionKey attribute. This attribute contains the key that is used to encrypt data. Valid values are 16 or 48 hexadecimal characters, which correspond to the Data Encryption Standard (DES) or 3DES algorithm, respectively. The default value for the decryptionKey attribute is auto-generated. Configure the value of the decryptionKey attribute to be the same value for all of the servers in a Web farm.
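The three constraints listed above, turned into a small generator and checker as an added example (not Microsoft's code): it emits a <machineKey> element with random keys of the documented lengths, flags a fragment that still carries AutoGenerate (assumed here to be the literal Machine.config uses for the auto-generated default) or keys of the wrong length, and confirms that the fragments collected from every farm member are identical.

```python
import re
import secrets
import xml.etree.ElementTree as ET

VK_MIN, VK_MAX = 40, 128                              # validationKey: 40..128 hex chars
DECRYPTION_KEY_HEX_LENGTHS = {16: "DES", 48: "3DES"}  # decryptionKey: 16 (DES) or 48 (3DES)
VALIDATION_ALGORITHMS = {"MD5", "SHA1", "3DES"}       # permitted values of the validation attribute
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

def generate_machine_key(validation="SHA1", validation_hex_len=128, decryption_hex_len=48):
    """Build one <machineKey> element with random keys to copy onto every farm member."""
    if not (VK_MIN <= validation_hex_len <= VK_MAX) or validation_hex_len % 2:
        raise ValueError("validationKey length must be an even count of hex chars in 40..128")
    if decryption_hex_len not in DECRYPTION_KEY_HEX_LENGTHS:
        raise ValueError("decryptionKey length must be 16 (DES) or 48 (3DES) hex chars")
    if validation not in VALIDATION_ALGORITHMS:
        raise ValueError("validation must be MD5, SHA1 or 3DES")
    # secrets.token_hex(n) returns 2*n hex characters, so each requested length is halved.
    vk = secrets.token_hex(validation_hex_len // 2).upper()
    dk = secrets.token_hex(decryption_hex_len // 2).upper()
    return f'<machineKey validationKey="{vk}" decryptionKey="{dk}" validation="{validation}" />'

def check_machine_key(fragment):
    """Return the problems found in one <machineKey> fragment; an empty list means it passes."""
    elem = ET.fromstring(fragment)
    vk, dk, alg = (elem.get(a, "") for a in ("validationKey", "decryptionKey", "validation"))
    problems = []
    for name, value in (("validationKey", vk), ("decryptionKey", dk)):
        # "AutoGenerate" is the literal for the auto-generated default; it can never match the farm.
        if value.startswith("AutoGenerate"):
            problems.append(f"{name} is AutoGenerate, which cannot be shared across a Web farm")
        elif not HEX_RE.match(value):
            problems.append(f"{name} must be hexadecimal")
    if HEX_RE.match(vk) and not (VK_MIN <= len(vk) <= VK_MAX):
        problems.append(f"validationKey has {len(vk)} hex chars, expected {VK_MIN}..{VK_MAX}")
    if HEX_RE.match(dk) and len(dk) not in DECRYPTION_KEY_HEX_LENGTHS:
        problems.append(f"decryptionKey has {len(dk)} hex chars, expected 16 (DES) or 48 (3DES)")
    if alg not in VALIDATION_ALGORITHMS:
        problems.append(f"validation={alg!r} is not one of MD5, SHA1, 3DES")
    return problems

def farm_keys_consistent(fragments):
    """True when every server's <machineKey> carries identical keys and validation algorithm."""
    seen = set()
    for fragment in fragments:
        e = ET.fromstring(fragment)
        seen.add((e.get("validationKey"), e.get("decryptionKey"), e.get("validation")))
    return len(seen) == 1
```

Generate the element once, paste it into the Machine.config or Web.config of every server, then run check_machine_key on each copy and farm_keys_consistent on the whole set.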

For an example that describes how to configure the encryption and validation keys for Microsoft Content Management Server 2002, see Best Practices for Authentication for Web Farms on MSDN. You can use this example to assist you in configuring the encryption and validation keys for your ASP.NET application.