ASP.NET Production Challenges

Now we will look at two ASP.NET-related production challenges: solving the authentication cookie problem on web farms and changing hosting providers while your site is publicly available.

Fixing Cookie Authentication Problems

When you turn on a web garden or create a multiserver load-balanced deployment where many servers are serving the same web site, you will have forms authentication problems. Users will frequently be automatically logged out or see the “yellow screen of death” (the ASP.NET error page). This happens because ASP.NET encrypts the login information in a cookie, but the encryption key is unique for each machine and process in the web garden. If a user hits server No. 1 and gets an encrypted cookie, and the next hit goes to server No. 2, that server will fail to decrypt the cookie and will log the user out or throw the user an ASP.NET general error message.

This is what Stefan Schackow on the Microsoft ASP.NET AJAX team said:

In order to prevent this on your production server, you need to remember this before you go live:

The reasons for a forms auth ticket failing are normally that either the validation key or the decryption key are not in sync across all servers in a web farm. Another potential reason can be if both ASP.NET 1.1 and ASP.NET 2.0 applications are issuing forms auth tickets with the same domain and path.

For the first case, setting the validationKey and decryptionKey attributes explicitly on <machineKey /> on each web server will solve the problem.

For the second case, setting the validationKey and decryptionKey attributes explicitly in <machineKey /> for *both* the ASP.NET 1.1 and ASP.NET 2.0 applications is necessary. Additionally on the ASP.NET 2.0 apps, the “decryption” attribute in <machineKey /> should be set to “3DES”.

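Example. Configuring machine.config with fixed validation keys in all servers

<system.web>
  <processModel autoConfig="true"/>
  <!-- Use the same validationKey and decryptionKey values on every server in the farm -->
  <machineKey validationKey="..." decryptionKey="..." validation="SHA1"/>
</system.web>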

You need to introduce the <machineKey> element in the <system.web> node if it doesn’t already exist. Be sure to back up machine.config before making such a change. If you make any mistake here, none of the web applications on the server will run properly.
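One way to confirm that every server in the farm really carries the same explicit <machineKey> values, as an added example that is not from the original article: a Python script that reads the <system.web> fragment collected from each server and reports auto-generated or mismatched keys by fingerprint, without printing the keys themselves. The server names and short key values are constructed placeholders, and comparing hex keys case-insensitively is an assumption.

```python
import hashlib
import xml.etree.ElementTree as ET
KEY_ATTRS = ("validationKey", "decryptionKey")
ALGO_ATTRS = ("validation", "decryption")

# Constructed sample input: made-up server names and placeholder keys, not usable values.
_MK = '<system.web><machineKey validationKey="{}" decryptionKey="{}" validation="SHA1"/></system.web>'
SAMPLE = {
    "web01": _MK.format("AB12", "CD34"),
    "web02": _MK.format("ab12", "CD34"),   # same key bytes, different hex case
    "web03": _MK.format("AB12", "EF56"),   # decryptionKey out of sync
    "web04": '<system.web><processModel autoConfig="true"/></system.web>',  # no machineKey
}

def fingerprint(value):
    """Short SHA-256 tag so keys can be compared without printing them."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]

def read_machine_key(section_xml):
    """Return normalized machineKey settings from a config fragment."""
    elem = next(ET.fromstring(section_xml).iter("machineKey"), None)
    attrs = {} if elem is None else elem.attrib
    settings = {}
    for name in KEY_ATTRS:
        value = attrs.get(name, "AutoGenerate")
        # A missing or AutoGenerate value means the server makes its own key.
        settings[name] = None if value.lower().startswith("autogenerate") else value.upper()
    for name in ALGO_ATTRS:
        settings[name] = attrs.get(name, "(not set)")
    return settings

def audit_farm(configs):
    """Return a list of findings; an empty list means the farm is in sync."""
    parsed = {srv: read_machine_key(xml) for srv, xml in configs.items()}
    findings = []
    for name in KEY_ATTRS:
        for srv, s in sorted(parsed.items()):
            if s[name] is None:
                findings.append(f"{srv}: {name} is auto-generated, not explicit")
        distinct = {fingerprint(s[name]) for s in parsed.values() if s[name]}
        if len(distinct) > 1:
            findings.append(f"{name} differs across servers: {sorted(distinct)}")
    for name in ALGO_ATTRS:
        if len({s[name] for s in parsed.values()}) > 1:
            findings.append(f"{name} algorithm setting differs across servers")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_farm(SAMPLE)))
```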

Generating the key

How do you generate the machine key? You need to use a utility to produce the key for your PC. I have made a tool that can generate such keys for you. The example shows how you run it.

Example. Running the security key generator.

SecurityKey.exe 24 64

The two parameters in the download are the length of the security keys—the validation key and decryption key, respectively. They need to be exactly the same as specified in the example.

Each machine requires a key

You have put the same machine keys in all the web servers in your production environment, but event logs show users are still having a problem. You’ve restarted IIS and all your servers, but you still see lots of event log error entries that show users are getting the dreaded “Forms authentication failed for the request. Reason: The ticket supplied was invalid.” So, what did you do wrong? You call Microsoft support and go to the forums looking for solutions, but everyone says what you did was correct.

Here’s what you need to do: wait. Wait for two or three days until all those users come back to your web site at least once. Many users will have a cookie encrypted with the previously assigned encryption key pair. Naturally, it will fail to decrypt with the new key pair you have just specified in machine.config. Until all those users get a new cookie, you will keep seeing the error message. So, every returning user will get the error once after the machine.config change. Don’t be alarmed if you see this randomly happening even after one week or a month. This just means some user visited you after a long time.

All rights reserved © 2018 Wisdom IT Services India Pvt. Ltd