Develop Reference

MVC AntiForgeryToken machinekey for encryption

i came to know : Under the covers, the MVC AntiForgeryToken attribute uses the machinekey for encryption. If you don't specify a machinekey in the web.config , one is automatically generated for you by ASP.NET.
If the ASP.NET application is restarted (e.g. do an iisreset), the AntiForgeryToken within the browser cookie will still be encrypted with an old machine key, hence why it crashes with the above error.
My concern is
before write the machine key in web.config i like to know where i should look for the machine key to copy & paste in web.config. when we are testing in local pc then we can copy & paste the machine key in web.config but when we will host our site in godady or ORCSWEB in shared environment then those company may not give machine key of the pc where our site will be hosted. so i need to know how to handle this situation. thanks
EDIT
<configuration>
<system.web>
<machineKey
validationKey="21F090935F6E49C2C797F69BBAAD8402ABD2EE0B667A8B44EA7DD4374267A75D7AD972A119482D15A4127461DB1DC347C1A63AE5F1CCFAACFF1B72A7F0A281B"
decryptionKey="ABAA84D7EC4BB56D75D217CECFFB9628809BDB8BF91CFCD64568A145BE59719F"
validation="SHA1"
decryption="AES"
/>
how to get or generate validationKey & decryptionKey separately ? any idea?

If the ASP.NET application is restarted (e.g. do an iisreset), the
AntiForgeryToken within the browser cookie will still be encrypted
with an old machine key???
I don't think machine key changes with iisreset.
You can generate machine key (validation and decryption key) yourself and specify it in web.config. The same key will be used in all cases where encryption is performed e.g. Auth tickets, AF Token.
A good introduction link.
UPDATE:
How to generate machine key?
There are various way, this msdn blog suggest using IIS which looks more secure to me as Microsoft tool being used. However, it seems this feature is only supported until IIS 7. I don't find it on my box IIS 8.5. I checked on IIS 7.5 and its not present there either. However, I found it in IIS 6.1 on a coworker box.
Second option is to use custom key generators
a. Machine Key Generator (online)
b. ASP.NET machineKey Generator (tool you can modify)

ASP MVC Forms Authentication Working Locally Not IIS 7 - 401 Unauthorized Error

I have a asp mvc 2 web application that with forms authentication. It is working just fine on my Visual Studio Development Server but once I deploy my application to IIS 7 it give me a
'401 - Unauthorized: Access is denied due to invalid credentials' error without going to my loginURL page.
In my Web Config
<authentication mode="Forms"
forms name=".MYUNIQUFORMSAUTH" loginUrl="/Login" requireSSL="false" timeout="20000" />
<authentication/>
In IIS i also set the authentication to be Forms on my project and the cookie name matches name set in web.config file.
Project application pool is set to .NET 2.0 with Integrated Pipeline.

I had this problem and it was because the layout page had an Html.RenderAction to a controller that I hadn't applied an [AllowAnonymous] attribute to.
IIS Express let this slip through. IIS 7.0 was less forgiving.
(I'm following this pattern: http://blogs.msdn.com/b/rickandy/archive/2011/05/02/securing-your-asp-net-mvc-3-application.aspx)

I believe you need to enable the Anonymous Authentication in IIS besides Forms Authentication, so that a login form can be shown.

You will need to either grant read permissions on the directory of your project directory for "IIS_IUSRS" or adjust your website in IIS to use pass through acccess scheme...
p.s.below link for more info on this
http://learn.iis.net/page.aspx/140/understanding-built-in-user-and-group-accounts-in-iis/

ASP.NET MVC Deploying an app with forms authentication to IIS 7.5

I'm having difficulty deploying a web app that has forms authentication to IIS 7.5.
I have the following:
Forms Authentication
Asp.net mvc 2
Net Framework 4.0
Application Pool is setup for .Net Framework 4.0 and is in Integrated pipeline mode.
IIS 7.5 on Windows Server 2008
Authentication setup is IIS (ASP.NET Impersonation and Forms Authentication set to ENABLED. The rest set to DISABLED). Inside the settings for Forms authentication the login URL is correct. The cookie settings is (Mode: Use device profile, Name: .ASPXAUTH, Protection Mode: Encryption and validation, Requires SSL: not checked)
Web.Config:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
I get the following error when running "Manage Application-->Browse" inside IIS Manager.
HTTP Error 401.2 - Unauthorized
You are not authorized to view this page due to invalid authentication headers.
I get the following error when trying to run the deployed app on my local machine:
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied.
Any ideas on what is going wrong? It works find when run from VS.

If you have a path leading to an eventual [Authorize] attribute, that will cause this - removing the RenderAction or allowing that action to render without [Authorize] fixes it.
In my case, I call Html.RenderAction("Heading") in _Layout.cshtml (renders a "Please log in" or "Welcome back, Ryan"). My Heading actionresult had an AuthorizeAttribute set on it. I removed the AuthorizeAttribute on Heading, and it was resolved.

I'm running the same setup as what you've shown and it works for me. Check to make sure your logon action does not require authorization.

I got this to work by setting the "Anonymous Authentication" to enabled.
Update: Setting it to Anonymous Authetication has causes other problems. I need to keep this disabled.
Any ideas?

AntiForgeryToken And MachineKey configuration

I am trying to deploy a .NET MVC application to GoDaddy servers. I have an Html.AntiForgeryToken on one of my pages that is causing it throw an exception every time I hit it.
Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
I have generated a machine key using the following URL
http://aspnetresources.com/tools/machineKey
and have set the pages viewStateEncryptionMode to "Always"
<pages viewStateEncryptionMode="Always">
I am still receiving the error however and am at a lost as to what to do next. Any suggestions would be greatly appreciated.

I finally figured it out. I did a little bit more google searching and found that if I don't clear the cache on the browser it will retain the invalid viewstate. Apparently chrome holds onto some semblance of the viewstate in each consecutive browser unless all of the chrome browser windows are closed down (I use alot of chrome browsers), even when the cache has been cleared.
I found that the code worked by trying it in Firefox and IE which was successful. I then closed down all of the chrome windows (after clearing cache) and restarted. I was then able to navigate successfully to the page with the AntiForgeryToken on it.

Internal Server Error due to config lockdown when deploying my ASP.NET MVC app to my web host

I'm developing an ASP.NET MVC website on a local Windows Server 2008/IIS7 machine and am I'm now attempting to deploy it to my web host provider, ASPnix. I'm using their Shared Web Hosting service and have been placed on an IIS7 server which they claim supports ASP.NET MVC.
However, when I deploy the application up to their servers, I get an "Internal Server Error".
Here's the Error Summary:
HTTP Error 500.19 - Internal Server Error
The requested page cannot be accessed because the related configuration data for the page is invalid.
Here are the relevant portions of the Detailed Error Information:
Module: IIS Web Core
Notification: BeginRequest
Handler: Not yet determined
Error Code: 0x80070021
Config Error: This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".
And the Config Source looks like this:
144: </modules>
145: <handlers>
146: <remove name="WebServiceHandlerFactory-Integrated"/>
The error is coming from the fact that I have a system.webServer section in my web.config file that has a handlers child section. The system.webServer section is the exact config section that was laid down by default when I first created the ASP.NET MVC website in Visual Studio. It has the following XML comment above it:
<!--
The system.webServer section is required for running ASP.NET AJAX under Internet
Information Services 7.0. It is not necessary for previous version of IIS.
-->
I take the handlers child section out, and the 500 error goes away. Of course, that section is required for an ASP.NET MVC application to work properly in IIS7, so simply taking it only produces other errors (404 errors in this case since routing doesn't work).
The support engineers at ASPnix claim that ASP.NET MVC is installed and configured properly in IIS7 on their servers. I'm not saying I don't believe them as this is the first ASP.NET MVC site that I've built and deployed. However, I can't think of anything I could do to make this work since it appears to be a config issue at a level that I don't have access to.
This issue smells like it would be a common issue with folks trying to deploy ASP.NET MVC to a hosting provider. Has anything run into this either with ASPnix or other web hosting companies and hopefully found a solution?
ps
One odd thing. When researching this issue on the web I find many people saying they had to set the overrideModeDefault attribute their applicationHost.config files of IIS7 to from "Deny" to "Allow". However, my local development server has this set to "Deny" and everything works fine. Even so, I don't have access to the applicationHost.config file anyway on the web host's server.

Open IIS Management, Under the main server node, select open Feature Delegation (in Management section)
"Handler Mappings" to "Read/Write" instead of "Read Only"
It looks like your hosting provider unnecessarily locked down IIS.
I was able to recreate the problem on my local IIS 7.5 server.
See this for a global settings reset.

please check if you deployed your application properly : Deploying an ASP.NET Server (IIS 7)

The link to
http://www.winservermart.com/Howto/HTTP_Error_500_19_IIS_7.aspx
doesn't fix the problem. The "reset delegation" creates an exception in web.config for a particular domain only which makes the site work, but doesn't answer how to set it permanently system wide.
So, it's not shame, because we know the solution and set all settings correctly. And advertising here some other hosts pointless we have tons of clients that are running from wh4l and describing how great their overloaded servers.
-Polk