Omar AL Zabir, Many Variety of Posts (MVP)
Forms authentication failed for the request. Reason: The ticket supplied was invalid. (Solution)
When you turn on web garden (multiple process per application pool) or go into multi server load balance deployment where servers are serving the same website, you will have Forms Authentication problem. Users will get automatically logged out or see the Yellow screen of death (ASP.NET error page) frequently. This happens because ASP.NET encrypts the login information in cookie. But the encryption key is unique for each machine and for each process. So, if one user hits Server #1 and gets an ecnrypted key, and then the next hit goes to Server #2, it will fail to decrypt the cookie and log user out or throw user the asp.net general error message.
In order to prevent this on your production server, you need to remember this before you go live:
The reasons for a forms auth ticket failing are normally that either the validation key or the decryption key are not in sync across all servers in a web farm. Another potential reason can be if both ASP.NET 1.1 and ASP.NET 2.0 applications are issuing forms auth tickets with the same domain and path.
For the first case, setting the validationKey and decryptionKey attributes explicitly on <machineKey /> on each web server will solve the problem.
For the second case, setting the validationKey and decryptionKey attributes explicitly in <machineKey /> for *both* the ASP.NET 1.1 and ASP.NET 2.0 applications is necessary. Additionally on the ASP.NET 2.0 apps, the “decryption” attribute in <machineKey /> should be set to “3DES”.
This is what I learned from Stephan Schackow (Microsoft Atlas team). Here’s how the machine.config should look like:
<system.web><processModel autoConfig="true"/> <machineKey validationKey="..." decryptionKey="..." validation="SHA1"/>
<machineKey> is the node that you need to introduce inside the <system.web> node if it does not exist.
Catch No 1:
How do you generate the machine key? You need to use a utility to produce the key for your PC. I have made a .exe which can generate such keys for you. Here’s how you run it:
SecurityKey.exe 24 64
It takes two parameters and these are the exact values you have to provide.
For super cautious IT guys like me, don’t worry, it’s a .NET 2.0 binary, no virus. Test the strength of your anti-virus software on this .exe if you like. If it can’t find any virus then either I’m smarter than you and have hidden a virus successfully or there’s no virus at all and I am not that smart as I sound like.
Catch No 2:
You have put the machine keys in both machine. Restarted IIS. Even restarted your server. But you still see lots of Event Log error entries which shows users are still getting the dreaded “Forms authentication failed for the request. Reason: The ticket supplied was invalid”. So, what did you do wrong? You call Microsoft support. Go to Forums and make post. Everyone says what you did is correct.
Here’s what you need to do: wait. Wait for 2 or 3 days until all those users come back to your website at least once. Those users will have cookie encrypted with previously assigned encryption key pair. Naturally, it will fail to decrypt with the new key pair you have just specified in machine.config. So, until all those users get a new key, you will keep on having the error message. Don’t be alarmed if you see this even after one week or month. This just means some user visited you after a long time and you are not doing much good in attracting users to your site. So, if you see such event log entries after a week or two, call you marketing team and ask what kind of marketing they are doing.
It would be really good if there was something like “Checklist for Going Live with ASP.NET” which stated all these issues.