Easiest way to generate MachineKey


Have you ever needed to generate a MachineKey to use in your application’s configuration file or in machine.config? You may need a MachineKey in several scenarios. One is deploying your application in a web farm. Another is encrypting Forms Authentication tickets.

You have some options to generate a MachineKey:

  • You can build the sample application from the following article: http://support.microsoft.com/kb/312906
  • You can search in Bing for “MachineKey generator” and use an online service. Honestly, I wouldn’t rely on third-party online services for generating a MachineKey because I wouldn’t have any control over them and I couldn’t be sure that they wouldn’t log my IP address and MachineKey in a database to use later – yes, I know it sounds like “paranoia” 🙂

There is another way, which I learned from one of my customers today. It was there waiting in the IIS user interface, but I had never given it a try before (shame on me). You can use the IIS 7.5 user interface to generate the MachineKey section and save it in the web.config of your application or in the root web.config file. The steps are quite easy:

1) Open IIS manager.
2) If you need to generate and save the MachineKey for all your applications, select the server name in the left pane. In that case you will be modifying the root web.config file (which is placed in the .NET Framework folder). If your intention is to create a MachineKey for a specific web site or application, select that web site or application in the left pane. In that case you will be modifying the web.config file of your application.
3) Double click the Machine Key icon in ASP.NET settings in the middle pane:
4) The MachineKey section is read from your configuration file and shown in the UI. If you did not configure a specific MachineKey and it is generated automatically, you will see the following options:
5) Now you can click Generate Keys in the right pane to generate random MachineKeys. When you click Apply, all settings are saved in the web.config file.
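
As an added example (not part of the original post and not Microsoft's code), the PowerShell below generates the same kind of keys locally from the operating system's CSPRNG, and fingerprints the keys in a web.config so web-farm nodes can be compared without pasting the keys anywhere. The function names are hypothetical; the HMACSHA256/AES settings and the 64-byte and 32-byte key sizes are assumptions chosen for this example.

```powershell
# Added example: function names are hypothetical, not an IIS or Microsoft API.
function New-HexKey {
    param([Parameter(Mandatory)][ValidateRange(16, 64)][int]$ByteCount)
    $bytes = New-Object byte[] $ByteCount
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    # BitConverter prints "AA-BB-..."; <machineKey> expects plain hex.
    [System.BitConverter]::ToString($bytes).Replace('-', '')
}

function New-MachineKeyElement {
    # Assumed sizes: 64-byte validation key (128 hex), 32-byte AES key (64 hex).
    $validationKey = New-HexKey -ByteCount 64
    $decryptionKey = New-HexKey -ByteCount 32
    $fmt = '<machineKey validationKey="{0}" decryptionKey="{1}" ' +
           'validation="HMACSHA256" decryption="AES" />'
    $fmt -f $validationKey, $decryptionKey
}

function Get-MachineKeyFingerprint {
    # Returns a SHA-256 digest of the configured keys, or a status string
    # when the file has no explicit key. Equal digests mean equal keys.
    param([Parameter(Mandatory)][string]$ConfigPath)
    $xml = [xml](Get-Content -LiteralPath $ConfigPath -Raw)
    $node = $xml.SelectSingleNode("//*[local-name()='machineKey']")
    if ($null -eq $node) { return 'no machineKey element in this file' }
    $vk = $node.GetAttribute('validationKey')
    $dk = $node.GetAttribute('decryptionKey')
    if (-not $vk -or -not $dk -or "$vk$dk" -match 'AutoGenerate') {
        return 'auto-generated'
    }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $data = [System.Text.Encoding]::UTF8.GetBytes("$vk|$dk".ToUpperInvariant())
        $hash = $sha.ComputeHash($data)
    } finally { $sha.Dispose() }
    [System.BitConverter]::ToString($hash).Replace('-', '')
}

# Emit one element to paste under <system.web>:
New-MachineKeyElement
# Compare nodes (placeholder path, run on each server):
# Get-MachineKeyFingerprint -ConfigPath 'C:\path\to\app\web.config'
```

Every node in a farm should report the same fingerprint; a node that reports `auto-generated` will reject tickets issued by the others.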

AMB
Comments (20)

  1. Peter B says:

    Where's this sample application?

  2. ahmetmithat says:

    @Peter_D503 – sorry, the sample application is in the following article: support.microsoft.com/…/312906

  3. User says:

    Can we use the keys generated by IIS7 on an IIS 6.0 web site?

  4. Om says:

    @User,

    Yes, you can use it.

  5. Griz says:

    If the MachineKey isn't configured in the web.config, where does the default value get pulled from?  I checked the Machine.config for ASP.NET 4.0 and it wasn't there.  My team wants to set this value at a higher level than the web.config in case one of our developers forgets to add the machine key to the web.config.  I understand the security risks of this, but that was the decision that was made.  Thanks for any advice!

  6. Robert says:

    ASP.NET automatically generates a cryptographic key for each application and stores the key in the HKCU registry hive. This auto-generated key is used if there is no explicit <machineKey> element in the application’s configuration.

  7. Adrian says:

    @Griz – It's at C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config

  8. Questioner says:

    Don't all the nodes in a cluster have to use the same machineKey?

    If I use this method, won't it put different keys on each node?

  9. ahmetmithat says:

    @Questioner Hello, if you create on all nodes individually then you are right. However you can create on one machine then copy it to the others.

  10. Patrick OBrien says:

    Should the <machineKey> information be in the web.config or in the machine.config in IIS 8.5?  For earlier versions (IIS 6.0) we would use a utility to create the key and then put it in the machine.config file, not in the web.config.

  11. ahmetmithat says:

    @ Patrick OBrien – It can be in any configuration file. Note that starting from IIS 7.0, configuration files are "merged", meaning that you can also put IIS related configuration sections in web.config files when you use integrated pipeline.

  12. Dharmandar says:

    Sir, if I generate a key on an offline IIS server, can I use this key on a live server?

  13. ahmetmithat says:

    @Dharmandar Yes, you can use that key.

  14. christine sarsonas says:

    good day sir.

    I'm trying to test/set up a shared session between two web applications.

    * I already enabled ASP.net State service,

    * Set Session State of the site (IIS) to State Server (tcpip=localhost:42424)

    * Add session tags in the web.config () on both web application.

    When I press the button from web1, passing a value to a session variable, and access it from web2, no value is retrieved…

    Did I miss something in my settings?

    your help is highly appreciated

    Thank you.

  15. ahmetmithat says:

    Hello @christine sarsonas, can you please paste the related part of your web.config file? Do you see any error messages in the application or system event logs (maybe mentioning that the state service failed to start or cannot be reached, etc…)?

  16. Arun says:

    Hi Ahmet, how to do this in IIS 6? Thanks!

  17. ahmetmithat says:

    @Arun – there is no such feature in IIS 6.0 but as that is .NET specific configuration, you can use the same machineKeys created in newer versions of IIS. Simply just create the keys in an IIS 7.x or onwards, then copy the related section to your application's config file, which runs on IIS 6.0. Hope that helps.

  18. Humayun says:

    Hello, you described the machine key for an IIS server, but how will I generate this key for a live server? How will I get the key for my domain?

  19. Rakesh Patel says:

    I am facing same problem…

    I have set enableViewstateMac = false in the web.config file but no luck.

    appreciate any help on this.