What are the issues with Forms Authentication in Web Farm Scenario?

From Guidance Share


J.D. Meier, Prashant Bansode, Alex Mackman

Answer

In a Web farm scenario you cannot guarantee which server will handle successive requests. With default settings on each server, if a user is authenticated on one server and the next request goes to another server, the authentication ticket fails validation and the user is forced to re-authenticate. The validationKey and decryptionKey attributes of the <machineKey> element are used to hash (tamper-proof) and encrypt the forms authentication ticket. The default value of both keys is “AutoGenerate,IsolateApps”, which means the keys are auto-generated per application on each server and therefore differ from server to server. As a result, an authentication ticket encrypted and tamper-proofed on one machine cannot be decrypted or integrity-checked on another machine in the Web farm.
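The failure described above can be reproduced with a small model of the ticket integrity check. The following is an added example, not code from the original page or from ASP.NET: it treats the ticket as a serialized payload protected by an HMAC-SHA1 keyed with the server's validationKey, and leaves out the encryption step that the real ticket also has (the decryptionKey), because the integrity check alone is enough to show why a per-server key breaks a farm. The key sizes, ticket layout and function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Assumed ticket lifetime for the example (seconds).
TICKET_LIFETIME = 30 * 60


def autogenerate_key() -> bytes:
    """Stand-in for 'AutoGenerate': each server draws its own random key."""
    return secrets.token_bytes(64)


def issue_ticket(validation_key: bytes, user: str, now: int) -> str:
    """Server side of login: serialize the ticket and append its HMAC-SHA1.

    Simplified layout (an assumption, not the ASP.NET format):
    hex(user|expiry) + "." + hmac_sha1(validationKey, user|expiry)
    """
    payload = f"{user}|{now + TICKET_LIFETIME}".encode()
    mac = hmac.new(validation_key, payload, hashlib.sha1).hexdigest()
    return payload.hex() + "." + mac


def validate_ticket(validation_key: bytes, cookie: str, now: int):
    """Server side of a later request: recompute the HMAC with *this*
    server's key. Returns the user name, or None when the MAC or the
    expiry check fails (the caller then redirects to the login page)."""
    try:
        payload_hex, mac = cookie.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None  # malformed cookie
    expected = hmac.new(validation_key, payload, hashlib.sha1).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None  # different validationKey, or a tampered ticket
    user, expires = payload.decode().rsplit("|", 1)
    if now >= int(expires):
        return None  # expired
    return user


def farm_demo():
    """Two servers with default (per-server) keys versus one shared key."""
    now = int(time.time())
    key_a, key_b = autogenerate_key(), autogenerate_key()  # default: differ per server
    cookie = issue_ticket(key_a, "alice", now)
    same_server = validate_ticket(key_a, cookie, now)    # "alice"
    other_server = validate_ticket(key_b, cookie, now)   # None: forced to log in again
    shared = secrets.token_bytes(64)                     # fix: one key copied to every server
    cookie2 = issue_ticket(shared, "alice", now)
    farm_ok = validate_ticket(shared, cookie2, now)      # "alice" on any server
    return same_server, other_server, farm_ok


if __name__ == "__main__":
    print(farm_demo())
```

The second result is the re-authentication loop users see in a misconfigured farm: nothing is wrong with the ticket, the second server simply holds a different validationKey and cannot recompute the MAC.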

To address this issue, you must ensure that the validationKey and decryptionKey are identical on all machines in the farm. To do so, manually generate the validationKey and decryptionKey values and copy them to every machine in the Web farm. Additionally, ensure that the name and path attributes of the <forms> element in the configuration files on each server have the same values, since the cookie issued by one server must be recognized by the others. If you deploy multiple applications in the Web farm, use separate validationKey and decryptionKey values, and separate <forms> name and path values, for each application, but duplicate each application's values across all servers in the farm.

To generate cryptographically random keys, use the RNGCryptoServiceProvider class to generate a cryptographically strong random number. The validationKey must be a minimum of 40 hexadecimal characters (20 bytes) and a maximum of 128 hexadecimal characters (64 bytes) long. The decryptionKey, when AES is used, must be 32, 48 or 64 hexadecimal characters (16, 24 or 32 bytes) long. Do not derive one key from the other; generate each independently.

using System;
using System.Text;
using System.Security.Cryptography;

// Prints a cryptographically random key as upper-case hexadecimal.
// Usage: App [hexLength]   (default 128 hex characters = 64 bytes)
// Run it once for validationKey and once more for decryptionKey.
class App
{
    static void Main(string[] argv)
    {
        int len = 128;                          // number of hex characters to output
        if (argv.Length > 0)
            len = int.Parse(argv[0]);
        byte[] buff = new byte[len / 2];        // two hex characters per byte
        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
        rng.GetBytes(buff);                     // fill from the OS CSPRNG
        StringBuilder sb = new StringBuilder(len);
        for (int i = 0; i < buff.Length; i++)
            sb.Append(string.Format("{0:X2}", buff[i]));
        Console.WriteLine(sb);
    }
}

Use the generated keys to configure the machineKey settings in your Web.config file as follows. Use separate, independently generated values for validationKey and decryptionKey; both values must consist only of hexadecimal characters.

<machineKey validationKey="[128 hexadecimal characters generated above]"
            decryptionKey="[64 hexadecimal characters generated above, different from validationKey]"
            validation="SHA1" decryption="Auto" />
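Once the element is in place, the remaining risk is drift: a server that was rebuilt with the default AutoGenerate keys, or a <forms> name that differs on one member. The following is an added example, not code from the original page or from ASP.NET: it generates a key pair with Python's secrets module (equivalent in purpose to the RNGCryptoServiceProvider tool above), renders the <machineKey> element, and checks a set of Web.config documents, one per farm member, for agreement. The Web.config samples are constructed inline for the example, the server names are invented, and the AES key lengths (16, 24 or 32 bytes) and the default <forms> name ".ASPXAUTH" with path "/" are the values the checker assumes.

```python
import re
import secrets
import xml.etree.ElementTree as ET

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def generate_machine_key(validation_bytes: int = 64, decryption_bytes: int = 32) -> dict:
    """Fresh, independent keys as upper-case hex: validationKey for
    HMAC-SHA1 (20-64 bytes) and decryptionKey for AES (16, 24 or 32 bytes)."""
    if not 20 <= validation_bytes <= 64:
        raise ValueError("validationKey must be 20-64 bytes (40-128 hex characters)")
    if decryption_bytes not in (16, 24, 32):
        raise ValueError("decryptionKey must be 16, 24 or 32 bytes for AES")
    return {
        "validationKey": secrets.token_hex(validation_bytes).upper(),
        "decryptionKey": secrets.token_hex(decryption_bytes).upper(),
    }


def render_machine_key(keys: dict) -> str:
    """The <machineKey> element to paste into every server's Web.config."""
    return (f'<machineKey validationKey="{keys["validationKey"]}"\n'
            f'            decryptionKey="{keys["decryptionKey"]}"\n'
            f'            validation="SHA1" decryption="Auto" />')


def check_farm_configs(configs: dict) -> list:
    """Given {server_name: web.config text}, return the problems found.
    An empty list means every server holds well-formed, explicit keys and
    all servers agree on machineKey and on the <forms> name and path."""
    problems = []
    seen = {}
    for server, text in configs.items():
        root = ET.fromstring(text)
        mk = root.find("system.web/machineKey")
        forms = root.find("system.web/authentication/forms")
        if mk is None or forms is None:
            problems.append(f"{server}: missing <machineKey> or <forms> element")
            continue
        vk, dk = mk.get("validationKey", ""), mk.get("decryptionKey", "")
        for name, val, ok_lengths in (("validationKey", vk, range(40, 129, 2)),
                                      ("decryptionKey", dk, (32, 48, 64))):
            if val.startswith("AutoGenerate"):
                problems.append(f"{server}: {name} is AutoGenerate; tickets will not "
                                "validate on other servers")
            elif not HEX_RE.match(val) or len(val) not in ok_lengths:
                problems.append(f"{server}: {name} is not hex of an acceptable length")
        if vk == dk:
            problems.append(f"{server}: validationKey and decryptionKey must differ")
        seen[server] = (vk, dk, forms.get("name", ".ASPXAUTH"), forms.get("path", "/"))
    if len(set(seen.values())) > 1:
        problems.append("servers disagree on machineKey or <forms> name/path: "
                        + ", ".join(sorted(seen)))
    return problems


def sample_configs():
    """Constructed Web.config fragments for the example: a correct one, one
    whose <forms> name drifted, and one still on the AutoGenerate defaults."""
    keys = generate_machine_key()
    good = f"""<configuration><system.web>
  <authentication mode="Forms"><forms name=".FARMAUTH" path="/" loginUrl="login.aspx" /></authentication>
  {render_machine_key(keys)}
</system.web></configuration>"""
    drift = good.replace('name=".FARMAUTH"', 'name=".ASPXAUTH"')
    default = """<configuration><system.web>
  <authentication mode="Forms"><forms name=".FARMAUTH" path="/" /></authentication>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="SHA1" decryption="Auto" />
</system.web></configuration>"""
    return good, drift, default


if __name__ == "__main__":
    good, drift, default = sample_configs()
    print(check_farm_configs({"web1": good, "web2": good}))     # []
    print(check_farm_configs({"web1": good, "web2": drift}))    # name/path disagreement
    print(check_farm_configs({"web1": good, "web2": default}))  # AutoGenerate on web2
```

The hex check is deliberate: a value with stray characters such as backslashes is rejected before it is copied to the farm, and a server whose <machineKey> element was dropped during a rebuild is reported as missing rather than silently falling back to AutoGenerate.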

More Information

For information about how to generate key values manually and configure machineKey, see “How To: Configure MachineKey in ASP.NET 2.0” at http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGHT000007.asp
