ViewState error with Session Affinity and Web Farm on ISA Server


Vijay Chikte

Hi Experts,

With Session Affinity and Web Server Farm on ISA Server 2006 accessing 2
backend IIS servers, I’m getting error “Validation of ViewState MAC failed.
If this application is hosted by a Web Farm or cluster, ensure that
<machineKey> configuration specifies the same validationKey and validation
algorithm. AutoGenerate cannot be used in a clusterâ€.

Here is the scenario when I got the error.

1. ASP.Net web application is installed on 2 backend IIS Servers. Web
application consists of a simple login page which contains UserName, Password
fields and Submit button.
2. Web farm is created on ISA Server 2006 to access both backend IIS Servers.
3. All the requests to the backend IIS servers go through the ISA 2006
4. While creating Web Publishing Rule to access Web application folder from
backend IIS Servers, Session Affinity is used for Load Balancing so that the
requests from the same session should go to the same IIS server.
5. When I tried to access login page simultaneously from multiple browsers,
after submitting the form on web page simultaneously from different browsers,
it gave error “Validation of ViewState MAC failed†in some of the browsers.
6. I got the error only when I used HTTP protocol. When the same setup was
done for HTTPS, I did not get error and all the requests were routed to
different backend IIS Servers as expected.

I searched on net for help, in some of the resources, it is mentioned that
<machineKey> element set in Web.config file is used for encrypting and
MAC-checking on the ViewState and if the encryption settings are different on
different servers, ASP.Net consider the ViewState as modified and gives the
exception. So, it is suggested to use the same <machineKey> on all the
backend servers in case of servers on Web farm. I tried using the same
<machineKey> on backend IIS Servers and the error was gone.

When we are using Session Affinity to create Web Publishing Rule which uses
Web Farm to handle both backend IIS Servers, why do we need same
<machineKey>? I want to understand the reason behind the error and why the
error occurs only on HTTP and not on HTTPS?

I would appreciate your quick response.

Thank you in advance.


Marc Gravell

It is possible that with https you have "sticky" load balancing - i.e.
it has to keep routing messages to the server that initiated the SSL
context, because only that server knows how to decrypt it. You can get
around this by using an NLB to tear down the SSL context before it is
divided between the app servers. Obviously if each connection is
sticking to a server, you don't get this problem, as the viewstate is
only seen by a single server.

So yes; you will need the same key on all servers in the farm.


Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question