Validation of viewstate MAC failed for application deployed on Windows 2008 server.

  • Question

  • User1805273456 posted

    Hi,

    I am getting the below error in my ASP.NET 4.0 web application:

    Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.

    I started getting this error when I added the below tag in web.config to encrypt the viewstate:

    <pages enableEventValidation="true" controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID" enableViewStateMac="true" viewStateEncryptionMode="Always"/>

    <machineKey validationKey="9EFA2D2E71A1BC8ECAF76E2377F29E61AB0214D893EBDBBD49C594A94FB0A2336BA3023F1578BFFE7ACD09C56872885537D07F5FA8FFF0FE4CD8B0E955A02845" decryptionKey="3EBF84F260F8883A69379502DF6DC999ADCAAA90885EAB1BD0423CEED13526A4" validation="SHA1" decryption="AES"/>

    I looked for a lot of solutions on the ASP.NET forums and the Internet, but nothing worked. If I change the viewStateEncryptionMode to "Auto" or "Never", then the page loads fine. But that would make my application insecure, and security is my prime objective.

    FYI: My application is deployed on a Windows 2008 R2 server and not on a web farm.

    Any solution to solve this issue?

     

    Friday, February 1, 2013 5:15 PM

All replies

  • User-596472743 posted

    Hi smehta,

    This issue has been discussed; please refer to:

    http://forums.asp.net/t/1166634.aspx

    Sunday, February 24, 2013 8:47 PM
  • User1805273456 posted

    Hi,

    I tried the solutions mentioned in the above URL but none worked. I am using the enableviewstatemac="false" option for all of the pages of my web application, which is built in ASP.NET 4.0. Just to let you know, I do use AJAX in my application and I am not using a true parameter in Server.Transfer to move from one page to another.

    To increase the security of my application, I have been asked to encrypt the viewstate. I made changes in my web.config to use 3DES as the encryption algorithm and a defined key. After doing this, I started getting a "validation of viewstate failed" exception whenever I move from one page to another. I am not sure what the reason is. Do you have a solution for this?

    Tuesday, May 14, 2013 4:13 PM
  • User1805273456 posted

    Is there a way to bypass view state validation and, at the same time, encrypt the viewstate as well? Currently, I am encrypting the viewstate using the viewstateencryptionmode="Always" tag, but I have disabled the viewstatemac feature by using enableviewstatemac="false". But still, I am getting a "validation of viewstate mac failed" exception. My understanding from this is that if we encrypt the view state, then the viewstate mac feature becomes enabled.

    Thursday, May 23, 2013 2:03 PM
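
An added example, not part of the original thread or any poster's code: a small Python check over the `<pages>` and `<machineKey>` settings quoted in the posts. It flags a page directive that disagrees with web.config and keys whose length does not fit the declared algorithm. The function name, the sample config and its placeholder keys are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample using the same attributes as the thread's web.config; keys are placeholders.
SAMPLE = ('<configuration><system.web>'
          '<pages enableViewStateMac="false" viewStateEncryptionMode="Always"/>'
          '<machineKey validationKey="%s" decryptionKey="%s" validation="SHA1" decryption="AES"/>'
          '</system.web></configuration>' % ("A" * 128, "B" * 60))

# Valid decryptionKey lengths, in hex characters, for each decryption algorithm.
DECRYPTION_HEX_LEN = {"DES": {16}, "3DES": {48}, "AES": {32, 48, 64}}
HEX = re.compile(r"[0-9A-Fa-f]+")

def audit_viewstate_config(xml_text, page_directives=()):
    """Return findings for <pages>, <machineKey> and optional @ Page directive strings."""
    findings = []
    root = ET.fromstring(xml_text)
    pages, key = root.find(".//pages"), root.find(".//machineKey")
    site_mac = "true" if pages is None else pages.get("enableViewStateMac", "true").lower()
    if site_mac == "false":
        findings.append("pages: enableViewStateMac is set to false in web.config")
    # A page-level directive that disagrees with web.config is easy to miss in review.
    for directive in page_directives:
        m = re.search(r'enableviewstatemac\s*=\s*"(\w+)"', directive, re.I)
        if m and m.group(1).lower() != site_mac:
            findings.append("page directive overrides web.config enableViewStateMac=" + site_mac)
    # A missing element or attribute falls back to auto-generated keys.
    vk = "AutoGenerate" if key is None else key.get("validationKey", "AutoGenerate")
    dk = "AutoGenerate" if key is None else key.get("decryptionKey", "AutoGenerate")
    for name, value in (("validationKey", vk), ("decryptionKey", dk)):
        if "AutoGenerate" in value:
            findings.append("machineKey: %s is AutoGenerate; it differs per server" % name)
        elif not HEX.fullmatch(value):
            findings.append("machineKey: %s is not a hex string" % name)
    if HEX.fullmatch(vk) and not 40 <= len(vk) <= 128:
        findings.append("machineKey: validationKey must be 40-128 hex characters")
    alg = "Auto" if key is None else key.get("decryption", "Auto")
    if HEX.fullmatch(dk) and alg in DECRYPTION_HEX_LEN and len(dk) not in DECRYPTION_HEX_LEN[alg]:
        findings.append("machineKey: decryptionKey length %d is invalid for %s" % (len(dk), alg))
    return findings

if __name__ == "__main__":
    for line in audit_viewstate_config(SAMPLE):
        print(line)
```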