Saturday, August 3, 2013

How To Solve The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of ASP.NET Web Pages and that the <machineKey> configuration specifies explicit encryption and validation keys. AutoGenerate cannot be used in a cluster. Error In Asp.Net MVC!


The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of ASP.NET Web Pages and that the <machineKey> configuration specifies explicit encryption and validation keys. AutoGenerate cannot be used in a cluster.

Isn't that a beautiful error? Recently, while working on a website I created in Asp.Net MVC 4, I got this error. How, you ask? I'm so glad you asked! The website is hosted right now, and I am developing it on my local development machine and pushing the changes to the actual website. From time to time, I leave my computer and leave the website up. There have been times when I was logged into the website, walked away, came back after the session timed out and clicked on a link on the site, only to have the site route me to the sign-in page. That is the expected behavior. What isn't expected is that when I try to sign in, I get this beautiful error -

The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of ASP.NET Web Pages and that the <machineKey> configuration specifies explicit encryption and validation keys. AutoGenerate cannot be used in a cluster.

Now WHY do I think this is a beautiful error? Well, unlike some errors you get while developing, this error actually means EXACTLY what it says! I am using the anti-forgery token system in MVC. You call that using this syntax: @Html.AntiForgeryToken(). When you use this system straight out of the box, the encryption and validation keys are auto-generated at runtime for you. That is great - until the session terminates. At that point, the system loses a reference to those auto-generated keys. Then, when you are kicked out of the system and have to come back, it still has a reference to the old keys, but those are not usable anymore - since the system generated new ones for your new session. All of a sudden, the new one the system generated and the old one your page is referencing are not in sync and you get the error.

So what can you do? The answer is simple - follow directions and generate the keys in your web.config file! Add the following to your site's web.config file.

<configuration>
  <system.web>
    <machineKey decryptionKey="Decryption key goes here, IsolateApps"
                validationKey="Validation key goes here, IsolateApps" />
  </system.web>
</configuration>

You can generate keys by going into IIS and clicking on Machine Key - if you have the right version and IIS features installed. You will not see Machine Key if you don't. If you don't, you can go to the Control Panel and install additional IIS features. Then, paste those keys into the code above. That will allow the anti-forgery system to work off of those instead of auto-generating.
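
One way to produce the two keys without the IIS Manager UI, as an added PowerShell example (not code from the original post). The function names are hypothetical, and the choice of AES with a 32-byte key and HMACSHA256 with a 64-byte key is an assumption; the check function flags values that are missing, still AutoGenerate, or not pure hex.

```powershell
# Added example (not from the original post). Function names are hypothetical.
# Assumption: AES decryption (32-byte key) and HMACSHA256 validation (64-byte key).

function New-HexKey {
    param([Parameter(Mandatory)][int]$Bytes)
    $buffer = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($buffer) } finally { $rng.Dispose() }
    # Emit hex digits only; the attribute value must be nothing but key material.
    return -join ($buffer | ForEach-Object { $_.ToString('X2') })
}

function New-MachineKeyElement {
    $template = '<machineKey decryption="AES" decryptionKey="{0}" ' +
                'validation="HMACSHA256" validationKey="{1}" />'
    return $template -f (New-HexKey -Bytes 32), (New-HexKey -Bytes 64)
}

function Test-MachineKeyElement {
    # Returns a list of problems; an empty list means both keys are explicit hex.
    param([Parameter(Mandatory)][string]$Xml)
    $element = ([xml]$Xml).DocumentElement
    $problems = @()
    foreach ($name in 'decryptionKey', 'validationKey') {
        $value = $element.GetAttribute($name)
        if ([string]::IsNullOrEmpty($value)) {
            $problems += "${name}: missing, so ASP.NET falls back to AutoGenerate"
        } elseif ($value -match '^AutoGenerate') {
            $problems += "${name}: AutoGenerate, not an explicit key"
        } elseif ($value -notmatch '^[0-9A-Fa-f]+$') {
            $problems += "${name}: contains non-hex characters"
        }
    }
    return $problems
}

# A freshly generated element passes the check (no problems are listed).
$generated = New-MachineKeyElement
$generated
Test-MachineKeyElement -Xml $generated

# Constructed sample: a hex key with a ",IsolateApps" suffix is flagged as non-hex,
# and an AutoGenerate validation key is flagged as not explicit.
$sample = '<machineKey decryptionKey="0123456789ABCDEF,IsolateApps" validationKey="AutoGenerate" />'
Test-MachineKeyElement -Xml $sample
```

Paste the same generated element into the web.config of every server that hosts the site, and keep the real key values out of source control.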

Problem solved!
I just love it when a plan comes together! Don't you?

Smooches,

Kila Morton
 

18 comments:

Ikram Awan said...

I put a machine key in both of my project's web.config files and I already checked that there are no multiple @Html.AntiForgeryToken() calls. I have two projects developed in Asp.Net 4; when deployed locally they give me the following error on the first attempt, and there is no problem the second time. I also deleted the cookies and browsing history, just to make sure, but got the same result. You can check my question on Stack Overflow: http://stackoverflow.com/questions/20655931/on-initial-login-on-local-site-getting-anti-forgery-cookie-token-error-when-try

Any idea????

Kila Morton said...

Hi Ikram!
You said that you already checked that there are NOT multiple @Html.AntiForgeryToken() references, but I'm not convinced. So let me ask you something.
Do you have ANY Partials being referenced in your view? Did you check those partials to see if you included the AntiForgeryTokens in them? If you want real help, post another comment. You and I can converse and use some tool to allow you to show me your code. I could be wrong, but it sounds like you have a second token somewhere.

Paulo Costa said...

Thanks a lot, you solved my problem

kevin said...

Thanks a lot. I had @Html.AntiForgeryToken() in my partial view and it was repeating the key. Once removed, problem solved.

Kevin Ross said...

Hello Kila Morton,

After adding your given code to the web.config file, my website gives me an error.

Anand Pawar said...

Many thanks. It solved my problem, and I'll be aware of this problem, as you explained the solution very clearly.
Thanks

Phillip Spring said...

marry me. now.

Doremon said...

Thanks for the post! Great tip!

otherwitter said...

Hi guy, it doesn't work for me :(
I put the machine key in my web.config and ran my application, but the same error is displayed when I log in to the site...

I created a topic on MSDN (pt-br). If you can see it, or tell me here what I need to do, that would be great, thanks.

http://social.msdn.microsoft.com/Forums/pt-BR/0e4b8427-fc3e-4f2b-b782-d60ea3d2b7f7/the-antiforgery-token-could-not-be-decrypted-erro-aparece-com-machine-key-no-webconfig-?forum=mvcpt

Anonymous said...

Thanks a lot guys ...

Gururaj said...

kila mortan thanksssssssss....

Richard Price said...

Just wanted to say thanks - this solved my problem (almost)! Very helpful :-)

When I generated the Hex code, I received an error "Decryption key specified has invalid hex characters". I fixed this by removing ",IsolateApps" from the string. More info here: http://stackoverflow.com/questions/15002960/isolateapps-causes-decryption-key-specified-has-invalid-hex-characters

Maithree Duggirala said...

I put the machine key in the web.config at the .NET installation folder at C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config and removed the key in the solutions. Should this not mean that the same key is used across the apps on the server? But I am still getting this error. What could be the reason?

Joseph said...

Great. In my case, I removed ",IsolateApps" from both keys to avoid a web.config compilation error.
