Menu
Where do I find the machineKey config section for ASP.NET?
I don't have one in my application Web.config, there isn't one in the root Web.config and there isn't one in my machine.config.
Does this mean there is some other default hardcoded into ASP.NET? If so, what are the defaults? (For .NET 2 and 4)
Having read this: http://msdn.microsoft.com/en-us/library/w8h3skw9.aspx
i was expecting to find something like this, somewhere:
<machineKey
validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps"
/>
Edit: the 1.1 docs seem fairly clear wrt default values: http://msdn.microsoft.com/en-us/library/w8h3skw9(VS.71).aspx but the 4 docs are rather ambiguous http://msdn.microsoft.com/en-us/library/w8h3skw9.aspx
629
A large number of files, ranging 50k or higher, are found in the operating system's Machine Keys folder (typically C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys).
Open IIS manager. Double-click the Machine Key icon in ASP.NET settings in the middle pane: MachineKey section will be read from your configuration file and be shown in the UI.
The machine. config file is stored in the %WINDIR%\Microsoft.NET\Framework folder in the directory where Microsoft Windows is installed. By default, it is located in the following path: C:\WINDOWS\Microsoft.NET\Framework\v1. 1.4322\CONFIG.
Managed via the IIS Manager the generated key is stored in the <machineKey> element in the machine. config and must be kept in sync across all nodes of a Web Server Farm. On PCF the <machineKey> element must be added to the web. config of the ASP.NET Application to ensure consistency for all Application instances.
machineKey is situated under System.web entry in web.config
Refer MSDN link for web.config Schema.
If you dont see it in your web.config, you can just add it there.
From MSDN again :-)
To provide tamper proof ViewState, a hashed message authentication code (HMAC) is generated from the ViewState content and the hash is compared on subsequent requests. The validation attribute of the indicates which hashing algorithm to use, and it defaults to SHA1, which uses the HMACSHA1 algorithm. Valid choices for hashing include SHA1 or MD5, although SHA1 is preferable because it produces a larger hash and is considered cryptographically stronger than MD5. The validationKey attribute of is used in conjunction with the ViewState content to produce the HMAC. If your application is installed in a Web farm, you need to change the validationKey from AutoGenerate,IsolateApps to a specific manually generated key value.
The default settings for the <pages> and <machineKey> elements are defined in the machine-level web.config.comments file.
For machineKey, they are
<machineKey validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps"
validation="SHA1" decryption="Auto" />
EDIT : For .NET 4.0 the default algorithm has been changed to SHA256 I think that the easiest way of finding the defaults is to see the entry in the MSDN for this config value.
MSDN 4.0 for machinekey is as below. The values selected are the default values. The values in [] are the other optional values that the field can take. I remember reading someplace this is the typical way in MSDN of denoting defaults for the config values.
<machineKey
validationKey="AutoGenerate,IsolateApps" [String]
decryptionKey="AutoGenerate,IsolateApps" [String]
validation="HMACSHA256" [SHA1 | MD5 | 3DES | AES | HMACSHA256 |
HMACSHA384 | HMACSHA512 | alg:algorithm_name]
decryption="Auto" [Auto | DES | 3DES | AES | alg:algorithm_name]
/>
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
