Understanding ASP.NET Authentication Options

codeling 1264 - 5430
@2017-03-23 14:13:29

Web Farm Scenarios

In a Web farm, you cannot guarantee which server will handle successive requests. If a user is authenticated on one server and the next request goes to another server, the authentication ticket will fail the validation and require the user to re-authenticate.

The validationKey and decryptionKey attributes in the machineKey element are used for hashing and encryption of the forms authentication ticket. The default value for these attributes is AutoGenerate,IsolateApps. The keys are auto-generated for each application, and they are different on each server. Therefore, authentication tickets that are encrypted on one computer cannot be decrypted and verified on another computer in a Web farm, or in another application on the same Web server.

To address this issue, the validationKey and decryptionKey values must be identical on all computers in the Web farm.

Machine Key Explained

The default settings for the <pages> and <machineKey> elements are defined in the machine-level web.config.comments file. The relevant default settings are shown here for reference.

<pages enableViewStateMac="true" viewStateEncryptionMode="Auto" ... />

<machineKey validationKey="AutoGenerate,IsolateApps"  
            validation="SHA1" decryption="Auto" />

When you configure ViewState, the <pages> element is used in conjunction with the <machineKey> element.

The <machineKey> attributes are as follows:

  • validationKey. This specifies the key that the HMAC algorithm uses to make ViewState tamper-proof. The ViewState MAC is checked at the server when either the enableViewStateMac attribute of the <pages> element or the EnableViewStateMac attribute of the @Page directive is set to true.
    <pages enableViewStateMac="true" ... /> 
    <%@Page EnableViewStateMac="true" ... %>

    Forms authentication also uses this key for signing the authentication ticket. Role manager and anonymous identification, if enabled, also use this key for signing their cookies. If you use anonymous identification in cookieless mode, the data on the URL is also signed with this value.

  • decryptionKey. This specifies the key used to encrypt and decrypt data. Forms authentication, role manager and anonymous identification features use this key to encrypt and decrypt the authentication ticket, roles cookie and anonymous identification cookie. ASP.NET uses the key to encrypt and decrypt ViewState, but only if the validation attribute is set to AES or 3DES.
  • decryption. This specifies the symmetric encryption algorithm used to encrypt and decrypt forms authentication tickets.
  • validation. This specifies the hashing algorithm used to generate HMACs to make ViewState and forms authentication tickets tamper proof. This attribute is also used to specify the encryption algorithm used for ViewState encryption. This attribute supports the following options:
    • SHA1 – SHA1 is used to tamper-proof ViewState and, if configured, the forms authentication ticket. When SHA1 is selected for the validation attribute, the algorithm used is HMACSHA1.
    • MD5 – MD5 is used to tamper-proof ViewState and, if configured, the forms authentication ticket.
    • AES – AES is used to encrypt ViewState with the key specified in the decryptionKey attribute.
    • 3DES – 3DES is used to encrypt ViewState with the key specified in the decryptionKey attribute. This is the only way to encrypt ViewState in ASP.NET 1.1. Both the forms authentication ticket and the ViewState are tamper-proofed using SHA-1 and the key specified in the validationKey attribute. Because the validation attribute is overloaded in ASP.NET 1.1, ASP.NET 2.0 introduces a new decryption attribute.

In general, you should choose SHA1 over MD5 for tamper-proofing because this produces a larger hash than MD5 and is considered cryptographically stronger.

Forms authentication defaults to SHA1 for tamper-proofing (if <forms protection="Validation"> or <forms protection="All">). When <forms protection="All"> or <forms protection="Encryption">, then forms authentication hashes the forms authentication ticket by using either MD5 or HMACSHA1 (HMACSHA1 is used even if validation is set to AES or 3DES). Forms authentication then encrypts the ticket using the algorithm specified in the decryption attribute.
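To make the Web farm fix above concrete, here is an added example (my own code, not from the post or from Microsoft's documentation) that generates explicit validationKey and decryptionKey values with a cryptographic RNG and prints a <machineKey> element you can put under <system.web> on every node. The class and method names (MachineKeyGenerator, RandomHex, BuildMachineKeyElement) are my own; the key-length rules in the comments are ASP.NET's documented limits for the validation and decryption algorithms shown.

```csharp
// Added example: emit an explicit <machineKey> so every server in a Web farm
// signs and encrypts forms authentication tickets and ViewState with the same keys.
using System;
using System.Security.Cryptography;

static class MachineKeyGenerator
{
    // Returns byteLength cryptographically random bytes as upper-case hex,
    // which is the encoding machineKey expects.
    static string RandomHex(int byteLength)
    {
        var bytes = new byte[byteLength];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return BitConverter.ToString(bytes).Replace("-", string.Empty);
    }

    // Builds the element text for the given validation/decryption algorithms.
    static string BuildMachineKeyElement(string validation, string decryption)
    {
        // validationKey: ASP.NET accepts 40 to 128 hex characters (20 to 64 bytes)
        // for the HMAC key; 64 random bytes is the maximum and therefore strongest.
        string validationKey = RandomHex(64);
        // decryptionKey: AES requires 16, 24 or 32 bytes; 32 bytes selects AES-256.
        string decryptionKey = RandomHex(32);
        return "<machineKey\n" +
               $"  validationKey=\"{validationKey}\"\n" +
               $"  decryptionKey=\"{decryptionKey}\"\n" +
               $"  validation=\"{validation}\"\n" +
               $"  decryption=\"{decryption}\" />";
    }

    static void Main()
    {
        // SHA1 matches the defaults quoted in the post; on ASP.NET 4.x and later
        // validation="HMACSHA256" is also accepted and is the stronger choice.
        Console.WriteLine(BuildMachineKeyElement("SHA1", "AES"));
    }
}
```

Run it once, copy the same element into web.config on every server in the farm (not once per server, which would reproduce the AutoGenerate problem), and handle the output as a secret: whoever holds the validationKey can produce tickets and ViewState the farm will accept. The IIS Manager Machine Key feature produces an equivalent element if you prefer not to script it.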

codeling 1264 - 5430
@2018-01-12 11:21:40

When a client browser makes a Web request, this initiates a thread in IIS, and objects relating to the request, such as the token contained in the IIdentity object, which is contained in the IPrincipal object, are attached to the thread. Programmatically, the IIdentity and IPrincipal objects are accessed through the HttpContext.User property, and both the objects and property are set by authentication modules that are part of the .NET pipeline, as shown in the following figure.


codeling 1264 - 5430
@2019-11-19 11:55:06

This example shows all of the attribute settings that are available for an instance of ActiveDirectoryMembershipProvider.

    <connectionStrings>
      <add name="ADService" connectionString="LDAP://ldapServer/" />
    </connectionStrings>
    <system.web>
      <membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
        <providers>
          <add name="AspNetActiveDirectoryMembershipProvider"
               type="System.Web.Security.ActiveDirectoryMembershipProvider,
                     System.Web, Version=1.0.3600, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
               connectionStringName="ADService"
               description="Default AD connection"
               attributeMapEmail="mail"
               attributeMapUsername="userPrincipalName"
               maxInvalidPasswordAttempts="5"
               passwordAttemptWindow="10"
               passwordAnswerAttemptLockoutDuration="30"
               passwordStrengthRegularExpression="(?=.{6,})(?=(.*\d){1,})(?=(.*\W){1,})" />
        </providers>
      </membership>
    </system.web>

clientSearchTimeout and serverSearchTimeout default to minutes. To change the units, set the timeoutUnit attribute value to one of "Days", "Hours", "Minutes", "Seconds", or "Milliseconds". If the attribute is not specified, the default is "Minutes".
