Machine Key changes when app pool is recycled
I am using MachineKey API to encrypt/decrypt a piece of information in an ASP.NET application. I am using

MachineKey.Encode(data, MachineKeyProtection.All)

and

MachineKey.Decode(data, MachineKeyProtection.All)

methods of the API. Everything works great on Windows 8 and Windows Server 2012 when Load User Profile is enabled. The problem is that, for some reason, it doesn't survive an app pool restart on Windows Server 2008 R2 with IIS 7.5.

Initially I had the impression that I would need to enable the Load User Profile setting on the Application Pool, but that doesn't make any difference. Any idea what I could be missing here?

Thanks

Pericynthion answered 13/11, 2015 at 13:4 Comment(0)
It could be that a new machine key is being generated by IIS each time the Application Pool recycles. Try setting a static machine key in your web.config as described here: IIS 7 Tip #10. You can generate machine keys from the IIS manager. Without explicitly setting a static machine key, your encryption/decryption key is a moving target.

Cutlor answered 19/11, 2015 at 23:46 Comment(1)
Actually, the idea of using the MachineKey API was to replace DPAPI without worrying about setting the machine key manually. A static machine key works, but it's not an option, since the API should work without it, ensuring a unique key per IIS settings. - Pericynthion
@pstricker is right, if there's no machine key defined, then on app pool startup a new key is generated. MachineKey API is based on the machine key, so it needs to be set somewhere. If you don't want to set the machineKey in the application's web config, you can still do it in the server's machine config, here: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config"

Also, if you want a per app pool machine key, you can do what's described here.

Gelasius answered 27/11, 2015 at 9:41 Comment(0)
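Both answers come down to the same fix: give the application a static machineKey, either in the application's web.config or in the server-wide machine.config. The script below is an added example, not code from this thread or from IIS; it does what the IIS manager's "Generate Keys" button does, but from the shell, so it can be repeated per server or per application. It assumes the target config already has a `<configuration><system.web>` element, that the path in `$ConfigPath` is a placeholder to be replaced, and the .NET 4.x key sizes (64 random bytes for HMACSHA256 validation, 32 for AES-256 decryption). Key material comes from the CSPRNG, never from `Get-Random`.

```powershell
# Added example (not from the original thread): write a static <machineKey>
# into an ASP.NET config so MachineKey.Encode/Decode survives app-pool recycles.
# Assumptions: <configuration><system.web> already exists in the file, and
# $ConfigPath below is a hypothetical placeholder. Point it at
# C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config to set
# the key server-wide instead of per application.
param(
    [string]$ConfigPath = "C:\inetpub\wwwroot\MyApp\web.config"   # hypothetical
)

function New-HexKey {
    param([int]$ByteLength)
    # Cryptographically strong random bytes, rendered as upper-case hex,
    # which is the format machineKey expects.
    $bytes = New-Object byte[] $ByteLength
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return ([System.BitConverter]::ToString($bytes)).Replace("-", "")
}

# 64 bytes for HMACSHA256 validation, 32 bytes for AES-256 decryption.
$validationKey = New-HexKey -ByteLength 64
$decryptionKey = New-HexKey -ByteLength 32

[xml]$config = Get-Content -Path $ConfigPath -Raw
$systemWeb = $config.configuration.'system.web'
if (-not $systemWeb) { throw "No <system.web> element found in $ConfigPath" }

# Reuse an existing <machineKey> element if present; otherwise create one.
$machineKey = $systemWeb.SelectSingleNode("machineKey")
if (-not $machineKey) {
    $machineKey = $config.CreateElement("machineKey")
    [void]$systemWeb.AppendChild($machineKey)
}
$machineKey.SetAttribute("validationKey", $validationKey)
$machineKey.SetAttribute("decryptionKey", $decryptionKey)
$machineKey.SetAttribute("validation", "HMACSHA256")
$machineKey.SetAttribute("decryption", "AES")

# Keep a backup of the previous config, then save.
Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force
$config.Save($ConfigPath)
Write-Host "Static machineKey written to $ConfigPath (backup at $ConfigPath.bak)"
```

Two caveats once the key is static. First, anything encoded under the old auto-generated key is unrecoverable after the change, so run this before the application starts storing protected data, or be prepared to re-create it. Second, the key is now a plaintext secret on disk: restrict read access on the file to the app pool identity and administrators, and consider encrypting the section in place with `aspnet_regiis -pe "system.web/machineKey" -app "/MyApp"` so the hex keys are not readable in the file itself.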
