ASP.NET EventValidation fails when .NET 4.5 Framework is installed in only one server behind the load balancer

Asked 17/1, 2013 at 4:0 Answered 15/10, 2013 at 13:13

asp.net cryptography .net-4.5 web-farm eventvalidation

We have installed .net 4.5 Framework in one of our web servers. Our applications are targeted for .net 4.0 and run off multiple servers behind a load balancer.

After the installation we get the following error message for some POST requests

error_name=System.ArgumentException error_message=Invalid postback or callback argument. Event validation is enabled using in configuration or <%@ Page EnableEventValidation="true" %> in a page. For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them. If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for validation. error_details=Source: System.Web

The __EVENTVALIDATION value in the body of the request is different when it is requested from server with .net 4.5 installation. MSDN mentions that cryptography changes in .net 4.5 uses opt in configuration, so by default it should be backward compatible.

Is there a config change, without disabling event validation, I need to do for _EVENTVALIDATION to behave the same on machines with .net 4.5 installed as it behaves with only .net 4.0 ?

Desex answered 17/1, 2013 at 4:0 Comment(7)

Is this when running in an isolated manner on this server alone? Does the load balancer have persistence enabled? Is it possible this server is getting a post back from a different web server that does not have 4.5? – Combination 17/1, 2013 at 4:5

It works fine in isolated manner. I think the problem happens when the initial request is from a server without .net 4.5 and a post takes it to the server with .net 4.5 installed – Desex 17/1, 2013 at 4:22

Check to make sure it didnt change your machine keys and such, but Best bet is to verify there are no other issues and roll out to the rest of the servers. In the meantime, implement persistence in the load balancer to eliminate cross server calls until all can be patched. Hybrid modes never seem to work right. – Combination 17/1, 2013 at 4:25

ASP.NET historically hasn't supported mixed deployments. Brian's advice is best: affinitize in the load balancer, which should give you time to complete the rollout. When the servers are all upgraded, the problem should go away. (Event validation is tied to ViewState, and the ViewState format was tweaked slightly between 4.0 and 4.5, resulting in the error you're seeing.) – Exit 17/1, 2013 at 7:59

@chrisk, Can you please let us know whether Brian's workaround works for you? Thanks! – Nettle 5/2, 2013 at 6:45

No machine changes were found as part of this upgrade which would cause this issue. We did not implement persistence in the load balancer as this was not feasible for us. Our solution was to upgrade all servers in one region at the same time and redirecting the traffic during the upgrade. – Desex 6/2, 2013 at 20:56

We experimented with that. Upgraded 2 nodes of our cluster to .NET 4.5, other nodes we turned off, but still had this errors whereas on .NET 4.0 we didn't. Now we returned back to .NET 4.0 and seek for the solution. Also, on developers' machines we do not have this errors in spite of installed .NET 4.5 (Windows 7 and VS 2012). – Gestalt 3/4, 2013 at 12:0

I had the same issue as we are currently migrating our server farm to Windows 2012 (.NET 4.5) from 2003 (.NET 4.0). Looking into the ClientScriptManager, the event validation code has changed considerably.

A fix for this was to add the appSetting to use Legacy Event Validation compatibility as described here

<appSettings>
  <add key="aspnet:UseLegacyEventValidationCompatibility" value="true" />
</appSettings>

Now the values generated for event validation in my pages are the same whether generated by .NET 4.0 or 4.5

Flightless answered 15/10, 2013 at 13:13 Comment(4)

We don't have a server farm to test this now but this definitely sounds like a good solution. I did not come across this solution after doing extensive search on google and msdn. – Desex 15/10, 2013 at 20:34

Please remember to remove this <appSettings> value once your migration has completed. We include these switches only for migration scenarios, and we fully intend on removing them in a future update. Your application could be broken if you still rely on this switch and we remove it. – Exit 11/12, 2013 at 18:1

@Exit This was not documented on Application Compatibility in the .NET Framework 4.5, it was only documented on http://msdn.microsoft.com/en-us/library/hh975440.aspx, which was much harder to find (unless you already know to look for). – Igal 4/4, 2014 at 14:35

Thank you! this saved me heartache after doing a migration with both Server 2003 and Server 2012 in the same pool. – Cantabrigian 10/12, 2014 at 3:25

Interesting problem, I would try to freeze some behaviors to a specific version of the Framework (in the web.config).

The Request Validation Mode

<httpRuntime requestValidationMode="4.0" />

The compilation target Framework

<compilation targetFramework="4.0">

The Control rendering compatibility version

<pages controlRenderingCompatibilityVersion="4.0"/>

Movie answered 3/8, 2013 at 18:29 Comment(0)

I'd check for the machine key configurations and make sure its the same on all servers. Uses for MachineKey in ASP.NET and http://aspnetresources.com/tools/machineKey

Also, you can check if you have any client side scripts

"If you write client script that changes a control in the client at run time, you might have to use the RegisterForEventValidation method in order to avoid false event validation errors."

http://msdn.microsoft.com/en-us/library/system.web.ui.page.enableeventvalidation.aspx

Jibber answered 29/8, 2013 at 21:25 Comment(0)

Recommended topics

Hot tags