Validation of viewstate MAC failed

We have just added a second Windows 2008 Web Server to our production environment and hit our first problem “Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.”

Ouch! Now we’re using Shared Configuration on IIS7.5 so ServerA and ServerB are both serving the same files in the same way and up until now we’ve not had any problems. As soon as we introduced the second machine we got this error. So I fired up my trusty browser and started looking for answers. There was lots of advice recommending that I disabled EventValidation, but I don’t like the idea of a public site with <page enableEventValidation=”false” viewStateEncryptionMode=”never” />, it seems like a gaping hole in the site security. Besides I tried making the changes and it didn’t fix the problem.

Turns out there’s a fairly simple solution and re-reading the error message it is quite obvious, I needed to assign the same MachineKey node, with validationKey, decryptionKey and validation algorithm on all servers. There is even a handy page by Scott Forsyth to Generate MachineKeys for you, just add the MachineKey to your web.config and you’re done.

Now I suspect there’s a way to do this in the machine.config so I won’t need to do this for every site I run on the servers… there may be a follow up post to this!

Update

Well I'm pleased to say that adding the machineKey node to the machine.config seems to work! I have removed it from the web.config file and my site is still running. That makes sense it's just a shame this isn't done for you when setting up the shared config in IIS.