000039118 - Validation of Viewstate MAC failed Website on Web Farm in RSA Archer

Document created by RSA Customer Support Employee on Jul 30, 2020
Version 1

Article Content

Article Number: 000039118
Applies To

  
RSA Product Set: RSA Archer Suite
RSA Product/Service Type: RSA Archer (On-Premise)
RSA Version/Condition: 6.x
Platform: Windows Server 2012 R2 / Windows Server 2016 / Windows Server 2019

  
Issue

Users intermittently fail to log in to Archer in a multihost on-premises environment that uses a load balancer. The Archer W3WP log shows the following ASP.NET exception:
 

<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent">
<ApplicationData>
   <TraceData>
     <DataItem>
       <TraceRecord Severity="Error" xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord">
         <TraceIdentifier>Archer.Web</TraceIdentifier>
           <Description>Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that
   &lt;machineKey&gt; configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.

             <Source>System.Web</Source>
  <StackTrace>   at System.Web.UI.ViewStateException.ThrowError(Exception inner, String persistedState, String errorPageMessage, Boolean macValidationError)
   at System.Web.UI.ObjectStateFormatter.Deserialize(String inputString, Purpose purpose)
   at System.Web.UI.Util.DeserializeWithAssert(IStateFormatter2 formatter, String serializedState, Purpose purpose)
   at System.Web.UI.HiddenFieldPageStatePersister.Load()
   at System.Web.UI.Page.LoadPageStateFromPersistenceMedium()
   at System.Web.UI.Page.LoadAllState()
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequest(HttpContext context)
   at ArcherTech.Web.ArcherTechPage`2.ProcessRequest(HttpContext context)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&amp; completedSynchronously)</StackTrace>
    <InnerException>
    <ExceptionType>System.Web.UI.ViewStateException, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a</ExceptionType>
    <Message> Invalid viewstate. Client IP: xx.xx.xx.xx  Port: 12345 Referer: https://server_name/RSAarcher/Default.aspx  Path: /RSAarcher/Default.aspx ViewState: </Message>
       <StackTrace />
      </InnerException>
     </Exception>
    </TraceRecord>
   </DataItem>
  </TraceData>
</ApplicationData>
</E2ETraceEvent>


 
Cause

This issue occurs in the ASP.NET worker process when an ASP.NET Web application is hosted in a Web farm (multihost Web servers) environment. By default, ASP.NET encrypts the Viewstate using an AutoGenerated key when the process spins up.

Typically, the Viewstate data that is transferred between the client and the server is always validated to ensure that it has not been tampered with. During this process the Viewstate data is encrypted and decrypted, and a unique Machine Key is used to encrypt and decrypt this data between client and server. If the application is hosted on a single machine, you will not experience this issue because the Machine Key is always the same for both encryption and decryption. In a Web farm, however, each Web server has a different Machine Key, and this is the root cause of the error. Furthermore, AutoGenerate cannot be used in a cluster.
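
The failure mode described above, as a simplified model (an added example, not RSA or Microsoft code): each node protects the page state with an HMAC-SHA256 tag, and `ROUTES` is a constructed list of load balancer decisions. The `Node` class, `simulate` and the node names are hypothetical, and the real ASP.NET Viewstate format is not reproduced.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # bytes in an HMAC-SHA256 tag


class Node:
    """Toy web server: MACs page state on render, checks the MAC on postback."""

    def __init__(self, name, validation_key=None):
        self.name = name
        # No configured key models AutoGenerate: a random key per worker process.
        self.key = validation_key or os.urandom(64)

    def render(self, state):
        return state + hmac.new(self.key, state, hashlib.sha256).digest()

    def postback(self, blob):
        state, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self.key, state, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)


def simulate(nodes, routes, state=b"login-form-state"):
    """routes: (render_node, postback_node) index pairs chosen by the balancer.
    Returns one True/False per login attempt."""
    return [nodes[post].postback(nodes[render].render(state))
            for render, post in routes]


# Constructed routing: attempts 2 and 4 send the postback to the other node.
ROUTES = [(0, 0), (0, 1), (1, 1), (1, 0)]


def autogenerated_farm():
    return [Node("web01"), Node("web02")]


def shared_key_farm():
    key = os.urandom(64)  # stands in for the key generated once in IIS Manager
    return [Node("web01", key), Node("web02", key)]


if __name__ == "__main__":
    print("AutoGenerate:", simulate(autogenerated_farm(), ROUTES))
    print("shared key:  ", simulate(shared_key_farm(), ROUTES))
```

Logins fail only when the postback reaches a different node than the one that rendered the page, which is why the error is intermittent.
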
Resolution

All Web servers must use the same <machineKey>, so you need to generate one Machine Key to be used by IIS on all web farm servers.

Workaround

To generate a unique Machine Key:



  1. Start IIS Manager on one of the web servers being configured for load balancing.
  2. Select the Platform IIS application, and start the Machine Key applet. The following illustration shows how the web application is installed under the Default Web Site.
  3. On the Machine Key configuration page, set the values of the following parameters. For information about the values, see https://technet.microsoft.com/en-us/library/hh831711(v=ws.11).aspx
    A. Decryption Method
    B. Encryption Method
    C. In the Validation Key and Decryption Key sections, clear any selected options.
    D. In the Actions panel, select Generate Keys.



  4. In the Actions panel, click Apply to save the generated keys to the Platform Web.config file. The generated keys appear in the Validation key and Decryption key sections. For all subsequent Web servers, do the following:
  5. Copy the generated key values from the Validation key and Decryption key sections.
  6. On the other Web servers, repeat steps 1 - 3.C to generate the Machine Key.
  7. Paste the values from the generated Machine Key into the respective Validation key and Decryption key boxes on the Machine Key page.
  8. In the Actions panel, click Apply. This writes the machine key to the Web.config file on the Web server.

Validation


After the previous steps are completed for all Web servers, do the following:

  1. Log in to each Web server and check the Machine Key in the Web.config. The Web.config is located under the \inetpub\wwwroot\RSAarcher folder, depending on where Archer is installed.
  2. Back up the Web.config file.
  3. Open the Web.config in Notepad and search for "machineKey".
  4. If the Machine Key is missing, add the following lines to the end of the Web.config file before "</configuration>".


<system.web>
    <machineKey decryptionKey="xxxx" validationKey="xxxx" />
</system.web>


  5. Then copy the DecryptionKey and ValidationKey values from the Machine Key page in IIS into the Web.config file and restart the IIS service. The following illustration shows how the Machine Key is configured in the Web.config file.


<system.web>
        <machineKey decryptionKey="E5D738E8C4A2A55C6FF5BC6FED9145AE0B6A608CEF4E6C2A" validationKey="F2D4B8DFD5AEFD74F4D3C009056EFAD875BFAE438C4EEBBE6BA49BCC55C2D108BA40BBA86B18F4D56F20D6367514805211E1D44EEAE1B440321921993016C4E0" />
</system.web>
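
One way to script the check in this section across the farm, added here as an example rather than RSA tooling: it parses a copy of each node's Web.config and compares a hash of the `<machineKey>` settings. The node names, the function names and the sample key values are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET


def machine_key_status(web_config_xml):
    """Classify one Web.config: returns (status, fingerprint or None)."""
    root = ET.fromstring(web_config_xml)
    keys = [mk for sw in root.iter("system.web") for mk in sw.findall("machineKey")]
    if not keys:
        return ("missing", None)      # ASP.NET falls back to AutoGenerate
    if len(keys) > 1:
        return ("duplicate", None)    # ambiguous: more than one <machineKey>
    mk = keys[0]
    fields = [mk.get(a, "") for a in
              ("validationKey", "decryptionKey", "validation", "decryption")]
    key_values = fields[:2]
    if not all(key_values) or any("autogenerate" in v.lower() for v in key_values):
        return ("autogenerate", None)
    # Hash the settings so nodes can be compared without printing key material.
    digest = hashlib.sha256("|".join(f.strip().upper() for f in fields).encode())
    return ("explicit", digest.hexdigest()[:12])


def check_farm(configs):
    """configs: node name -> Web.config text. Returns (consistent, report)."""
    report = {node: machine_key_status(text) for node, text in configs.items()}
    fingerprints = {fp for status, fp in report.values() if status == "explicit"}
    all_explicit = all(status == "explicit" for status, _ in report.values())
    return (all_explicit and len(fingerprints) == 1, report)


# Constructed sample input: the key values are placeholders, not real keys.
TEMPLATE = "<configuration><system.web>{}</system.web></configuration>"
SHARED = '<machineKey decryptionKey="{}" validationKey="{}" />'.format("AB" * 24, "CD" * 64)
SAMPLE_FARM = {
    "web01": TEMPLATE.format(SHARED),
    "web02": TEMPLATE.format(SHARED.replace("AB" * 24, "EF" * 24)),  # drifted key
    "web03": TEMPLATE.format(""),                                    # never configured
}

if __name__ == "__main__":
    consistent, report = check_farm(SAMPLE_FARM)
    for node, (status, fp) in sorted(report.items()):
        print(f"{node}: {status} {fp or '-'}")
    print("farm consistent:", consistent)
```

Comparing fingerprints confirms that every node carries the same explicit keys without copying the validation and decryption keys into tickets or console output.
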

  
