Question

Since Auto-Scaling doesn't allow a buffer period and/or is not intelligent enough to NOT allow only "new requests" coming in to the instance which is scheduled to be turned off due to down-autoscaling, I am trying to avoid using sticky sessions provided by the ELB. Otherwise this behavior will leave some of the customers with a log-in screen.

The website and other RESTful webservices are running in IIS7. The website is using classic forms based authentication (built-in membership provider in MVC3), but will soon migrate to custom membership provider to look at the cookie and decrypt and then give the verdict. The RESTful webservices are already using Custom Membership Providers.

In this situation, I think for the website I cannot get by without using sticky sessions via its ELB.

The ELB of the RESTful webservices can be configured as non-sticky, since they individually inspect the cookie on every request to see if the auth token exists with some encrypted value. However, the problem here is the methods FormsAuthentication.Encrypt and FormsAuthentication.Decrypt: they use MachineKeys under the hood. RIGHT?! If not, then it's not a problem, but if they do, then how do I synchronize machine keys across autoscaled instances in EC2?

Solution

Since the recommended website seems to have been hacked (http://aspnetresources.com/tools/machineKey), I would recommend using the following procedure instead:

  1. Open IIS Manager
  2. Select the website you are managing
  3. In the ASP.NET section, choose Machine Key (read below if you don't see this section)
  4. Uncheck Automatically generate at runtime and Generate unique keys for each application
  5. Click on Generate Keys in the Actions menu, then click Apply
  6. Open your web.config and copy the <machineKey> tag to your other web servers in your web farm so that they all use the same machineKey

Plus, you won't have any website logging your IP address and generated machine keys (if we are being cynical).


If you don't have an ASP.NET section in your IIS Manager, you can use the following procedure to enable it (from https://serverfault.com/questions/129714/asp-net-area-in-iis-7-on-windows-2008):

In Windows 7, you can enable ASP.NET from Control Panel -> Programs -> Programs and Features -> Turn Windows features on or off. Expand Internet Information Services -> World Wide Web Services -> Application Development Features and click ASP.NET.

In Windows Server 2008, open Server Manager -> click Roles -> click Add Roles -> select Web Server (IIS) -> in Role Services click ASP.NET. It will prompt for the necessary dependent Role Services; click Add Required Role Services.

OTHER TIPS

A best practice for this is to generate a machine key and put it in your web.config file. That way, as auto scaling starts and stops instances, the key will always be constant and not dependent on the actual instance.
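
A scripted equivalent of the key-generation steps above, plus a check that a node's web.config really carries a fixed key. This is an added example, not code from the original answers. It assumes .NET 4 or later (for HMACSHA256/AES) and a `<configuration>` element without an XML namespace; the function names and temp file names are hypothetical.

```powershell
# Added example (not from the original answers). Assumes .NET 4+ (HMACSHA256/AES).
function New-MachineKeyElement {
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    # 64-byte validation key for HMACSHA256, 32-byte decryption key for AES.
    $keys = foreach ($len in 64, 32) {
        $buf = New-Object byte[] $len
        $rng.GetBytes($buf)
        -join ($buf | ForEach-Object { $_.ToString('X2') })
    }
    '<machineKey validationKey="{0}" decryptionKey="{1}" validation="HMACSHA256" decryption="AES" />' -f $keys[0], $keys[1]
}

function Test-MachineKeyConfig {
    param([Parameter(Mandatory = $true)][string]$WebConfigPath)
    [xml]$cfg = Get-Content -LiteralPath $WebConfigPath
    $mk = $cfg.SelectSingleNode('/configuration/system.web/machineKey')
    if ($null -eq $mk) { return 'NOT SHARED: no <machineKey>, keys are generated per machine' }
    foreach ($attr in 'validationKey', 'decryptionKey') {
        $value = $mk.GetAttribute($attr)
        # AutoGenerate / IsolateApps correspond to the two boxes unchecked in step 4.
        if (-not $value -or $value -match 'AutoGenerate|IsolateApps') {
            return "NOT SHARED: $attr='$value'"
        }
    }
    # Short fingerprint lets you compare nodes without printing the keys.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $raw = [System.Text.Encoding]::UTF8.GetBytes($mk.GetAttribute('validationKey') + '|' + $mk.GetAttribute('decryptionKey'))
    $hex = [System.BitConverter]::ToString($sha.ComputeHash($raw)) -replace '-', ''
    'OK fingerprint=' + $hex.Substring(0, 16)
}

# Constructed sample files standing in for two nodes' web.config.
$fixed = Join-Path $env:TEMP 'web.fixed.config'
$auto  = Join-Path $env:TEMP 'web.auto.config'
"<configuration><system.web>$(New-MachineKeyElement)</system.web></configuration>" | Set-Content $fixed
'<configuration><system.web><machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" /></system.web></configuration>' | Set-Content $auto

Test-MachineKeyConfig $fixed
Test-MachineKeyConfig $auto
```

Run `Test-MachineKeyConfig` on each instance (or in the image build) and compare fingerprints across nodes. Treat the generated element as a secret, since it protects the forms-authentication tickets.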

Licensed under: CC-BY-SA with attribution