Getting current MachineKey, or equivilent, for HMAC (in web-farm)

Matthew picture Matthew · Jan 3, 2013 · Viewed 8.4k times · Source

I am using HMACSHA256 for message authentication in a web-farm environment.

Within the web-farm each machine has the same machine key, so the ViewState will work across machines, however, I need to do HMAC message authentication which will work across machines, so I figured that since all machines use the same machine key, there should be a way to derive a key from that to use as the HMAC key.

I notice that as of .NET 4.0 there is the MachineKey class, however, I am stuck with using .NET 3.5, and this is unavailable to me.

Is there a way to get some sort key that is the same on all machines without generating my own, for use in an ASP.NET 3.5 environment?

Edit

I don't actually need the machine key itself, just the validation key that is derived from the machine key (or equivalent).

Answer

TGlatzer picture TGlatzer · Jan 3, 2013

You can read the machine key from the web.config. This link shows how to do so: http://aspnetresources.com/blog/how_to_read_auto_generated_machinekey

Keep in mind, that the author of the article reads the generated machine key - so you have to do some changes in the code.

I just read the article a little bit more and saw, that it uses reflection, which isn't neccessary, if you store the machine key inside the web.config. Essentially it breaks down to this line:

MachineKeySection section = (MachineKeySection) 
  ConfigurationManager.GetSection ("system.web/machineKey");