Solution for ‘Validation of viewstate MAC failed’

Server Error in ‘/’ Application.


Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Web.HttpException: Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.

————————————————————————————————-

Do you get the above error on your website?

This means that a Content Services Switch (CSS) or load balancer sits in front of your application servers and is causing this error.

The problem is that most web applications need the client to stay connected to the same server until the client ends the connection. By default, the CSS sends each client request to whichever server is free at that moment. If the first request from a client is handled by SERVER1 (10.2.2.1), the CSS may direct the next request from the same client to SERVER2 (10.2.2.2) if SERVER2 is less busy than SERVER1. Even if SERVER1 and SERVER2 run the same version and patch level of the web application, the machine key and session information are not available on both servers. What you need to do is set up ‘stickiness’ in the CSS content rule.

Before resolving it, here are some technical terms related to this error.

  • Viewstate: Explained very well here http://www.dotnetjohn.com/articles.aspx?articleid=71.
  • MAC (Viewstate MAC): ASP.NET runs a message authentication code (MAC) check on the page’s viewstate when the page is posted back from the client. This ensures that the postback comes from the same client and that the data was not tampered with in transit. Some people suggest disabling this check by setting enableEventValidation="false" (see item 1 below), but be aware of the security risk. Disabling this check skips validation of the postback, so an attacker could spoof the postback data and corrupt your application or servers.
  • Web Farm: Two or more servers balancing the traffic of a web application. In a web farm, a front-end load balancer handles the client requests and distributes them between the back-end application servers.
  • Content Services Switch (CSS): The CSS receives the client request for content and directs it to a specific server. For example, if you have set up the CSS to balance the load between two servers, it sends each client request to whichever server is free at that moment. To assist your understanding, see the setup diagram below.

Other suggested solutions that I do not prefer to do:

1. Try adding this string to the <system.web> section of your web.config file to fix the “Validation of viewstate MAC failed” error:

<pages validateRequest="false" enableEventValidation="false" viewStateEncryptionMode="Never" />

Even if your issue is resolved by adding this line, it is like removing the speakers from a ‘Fire Alarm System’.

2. Force every server in your farm to use the same key: generate a hex-encoded 64-bit or 128-bit <machineKey> and put it in each server’s machine.config.

<machineKey validationKey="123123GDGAGASGAGDGGAGDAGAG712879812701NVKAHDA9817913134FF01F3FADFSA9" decryptionKey="190283091UJHFA701820938JFKAJF8" validation="SHA1" />

You can generate a key from http://www.eggheadcafe.com/articles/GenerateMachineKey/GenerateMachineKey.aspx

This solution is at least better than the one above, but setting up a static machine key is again a security loophole.

Proper Solution:

Include ‘stickiness’ in the CSS configuration. Stickiness tells the CSS to maintain an association between a client and the same server (SERVER1 or SERVER2) until the connection ends.

content rule-1
protocol tcp
vip address 172.20.20.20
port 80
add service webserver1
add service webserver2
advanced-balance sticky-srcip
active

CISCO Advanced Configuration Guide of Sticky
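
The failure and the sticky fix described above, modelled in Python as an added example (not code from the original post, and not ASP.NET's actual viewstate format): each server tags the state with HMAC-SHA1 under its own auto-generated key, so a postback routed to the other server is rejected. The `Server` class, the two picker functions, the sample client IP and the sample state are constructed for illustration.

```python
import hashlib
import hmac
import os


class Server:
    """Simplified farm member; an auto-generated key is modelled as random bytes."""
    def __init__(self, name, validation_key=None):
        self.name = name
        self.key = validation_key or os.urandom(64)  # assumption: per-server key

    def render(self, state):
        """Append an HMAC-SHA1 tag to the state, as sent to the client."""
        return state + hmac.new(self.key, state, hashlib.sha1).digest()

    def postback(self, blob):
        """Recompute the tag with this server's key and compare."""
        state, tag = blob[:-20], blob[-20:]
        expected = hmac.new(self.key, state, hashlib.sha1).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError(f"{self.name}: validation of viewstate MAC failed")
        return state


def pick_least_loaded(servers, src_ip, request_no):
    """Constructed stand-in for default balancing: requests alternate servers."""
    return servers[request_no % len(servers)]


def pick_sticky_srcip(servers, src_ip, request_no):
    """Model of sticky-srcip: one client IP always maps to the same server."""
    return servers[int(hashlib.sha256(src_ip.encode()).hexdigest(), 16) % len(servers)]


def round_trip(servers, picker, src_ip="192.0.2.10", tamper=False):
    """Fetch the page (request 0), post it back (request 1); True if accepted."""
    blob = picker(servers, src_ip, 0).render(b"cart=3;user=alice")  # constructed state
    if tamper:
        blob = blob.replace(b"user=alice", b"user=admin")
    try:
        picker(servers, src_ip, 1).postback(blob)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    farm = [Server("SERVER1"), Server("SERVER2")]  # each generates its own key
    for picker in (pick_least_loaded, pick_sticky_srcip):
        print(picker.__name__, "accepted:", round_trip(farm, picker))
```

Calling `round_trip(farm, pick_sticky_srcip, tamper=True)` shows that the MAC still rejects a modified state even when routing is sticky, which is the protection lost when the check is disabled.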
