If you have an ASP.NET based Service deployed on Windows Azure and use machinekey based authentication to perform form based authentication or have any other security mechanism in your service based on machine key then this entry is important for your to read and understand. If you are going to create a new ASP.NET based Web Role using Cloud SDK 1.3 then this blog entry is not applicable to you.

 

After your upgrade your ASP.NET Web Role based on Widnows Azure SDK 1.2 to Windows Azure SDK 1.3 based ASP.NET Web Role, you may noticed forms authentication  exceptions showing up in your logs and existed users could not log in to your site. You will get a few different kind of exceptions as below:

Exception 1:

System.Web.HttpException (0x80004005): Unable to validate data.

             at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(

Exception 2:

Forms authentication failed for the request. Reason: The ticket supplied was invalid.

These exception may occurred on every page, even when serving requests for static content like .jpg or .js files.

 

When you look you Web Role deeply you will see that:

  1. The machinekey values were changed from the previous 1.2 deployment
  2. Web.config file in e:\approot had different machine key than the one in E:\approot\_WASR_\0.
  3. After deployment previously hard-coded machine key values in web.config are overwritten with new values  

 

This problem could occur if you have one or more following functionality in your Web Role:

  1. You are using membership provider to use machine keys to hash user passwords and store them in the DB. 
  2. Because machine key has been value changed from Windows Azure SDK 1.2 to Windows Azure SDK 1.3 existing customer would not be able to validate any passwords or cookies

 Solution:

To solve this problem, please write a set of static key values for machinekey element in the start up of your code. This way you can keep your initial machine key (Based on 1.2)value active in 1.3 based project and all of you authentication scheme will work as expected. Please also study the following blog from Windows Azure Team on this regard:

http://blogs.msdn.com/b/windowsazure/archive/2010/12/08/specifying-machine-keys-with-windows-azure-sdk-1-3.aspx