SSO application Generation MachineKey in MachineKey operation application cluster

machinekey Introduction

MachineKey It is used to encrypt and decrypt Forms authentication Cookie data and view state data, in general, IIS automatically defaults to the Web site or each application to generate a unique machinekey, of course, you can also manually generate machinekey, usually by the formsauthentication action class to operate.

Application cluster, SSO single Sign-on

SSO: English full name Single sign on, SSO is a multi-application system where users can access all trusted applications with only one login. It includes a mechanism that can map this major login to other apps for the same user's login.

A: On the virtual host , different webmaster sites are on the same machine, by default, machinekey is the same, the use of FormsAuthentication there is a little risk, sometimes for security, You can usually use your own to generate random machinekey, which avoids this problem.

B: In order to load balance , a different content of a site to the different machines, so by default, machinekey is different, but logically these are the same site, in order to achieve the common use of multiple machines to log in, then configure the same machinekey.

The Code Generation machinekey sample, of course, you can also use IIS generation after replication to each subsystem to continue the configuration

usingSystem.Web.Configuration;//Open Web. config file, write the newly generated machinekeyConfiguration config = webconfigurationmanager.openwebconfiguration ("/"); Machinekeysection configsection= (machinekeysection) config. GetSection ("System.web/machinekey"); Configsection.validationkey= CreateKey ( -); Configsection.decryptionkey= CreateKey ( -); Configsection.validation=MACHINEKEYVALIDATION.SHA1;if(!configSection.SectionInformation.IsLocked) {CONFIG. Save ();}

usingSystem.Security.Cryptography;//Generate random Key Public Static stringCreateKey (intnumbytes) {RNGCryptoServiceProvider rng=NewRNGCryptoServiceProvider (); byte[] Buff =New byte[numbytes]; Rng.      GetBytes (Buff); System.Text.StringBuilder hexstring=NewSystem.Text.StringBuilder ( -);  for(inti =0; I < buff. Length; i++) {hexstring.append (String.Format ("{0:x2}", Buff[i])); }  returnhexstring.tostring ();}

Result Web. config output

<machinekey validationkey="3ff1e929bc0534950b0920a7b59fa698bd02dfe8"                  DecryptionKey="280450bb36319b474c996b506a95aedf9b51211b1d2b7a77"                  Decryption="3DES"                 validation="SHA1 "/>

How to configure machinekey

For specific configuration, please refer to MSDN: Address

Https://technet.microsoft.com/zh-cn/subscriptions/w8h3skw9 (v=vs.80). aspx

Precautions

If your ASP. NET program executes this error: " Verify view state MAC failed . If this application is hosted by a Web farm or a cluster, make sure that the <machineKey> configuration specifies the same validationkey and validation algorithms and cannot use AutoGenerate in the cluster. " So what does machinekey do if you don't let your application use a unified machinekey?" As the MSDN Standard says, "Configure the key so that it can be used to encrypt and decrypt Forms authentication Cookie data and view state data and use it to authenticate the out-of-process session state identity." "This means that many of the encryption in ASP is dependent on the value inside the machinekey, such as the Forms authentication Cookie, ViewState encryption . By default, the ASP. NET configuration is generated dynamically, if a single server is certainly not a problem, but if more than one server load balancing, machinekey also in a dynamic manner, the machinekey value on each server is inconsistent, resulting in the results of encryption is not consistent, Authentication and ViewState cannot be shared, so for multiple server load balancing situations, be sure to configure the same machinekey at each site.

SSO application Generation MachineKey in MachineKey operation application cluster