Support Portal ContactGet in touch

How do we fix the ‘Validation of Viewstate MAC failed’ error

   Words by CRM Consultancy

   on 12/04/2016 14:08:17

Many ASP.Net Websites use Viewstate to exchange the state of controls on a Page between the Client and the Server, as this works to build web applications that retain the concept of state-fullness or the user’s current page-state between Postbacks into what is the fundamental stateless nature of the web.


Viewstate is then posted back from the client to the server within the body of the page, employing a simple hidden <input> tag to transmit the block of ViewState detail back from the Client to the Server, which the Server then processes to build the Page Appearance and transmit back to the client – this fits into the traditional Request (from client) and Response (back from the server) view of the world that HTML and Web Frameworks typically operate from.


<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="MyViewState" />


However where we see ‘MyViewState’ in the above HTML code, this will instead be a long series of Hexdecimal Characters that describe the ViewState being posted from the Client to the Server.  For performance and security this block of characters is hash encrypted and hence the real viewstate that ASP.NET uses is translated into this block of (seemingly meaningless) characters – however this allows ASP.NET to encrypt and decrypt this block into the real Viewstate using a particular Encryption Key.


By default ASP.NET will generate this Encryption Key between the Client and Server upon each request so the communication follows a secure path.


However in a scenario where we are using multiple Web Servers or a Web Farm, this can lead to the following error:




This is due to the way that the View State may be being generated against one Web Server using a particular Encryption Key and then reposted to a different Web Server that is using a separate and different Encryption Key – leading to an error between the two different Encryption Keys as the key in use at the Client may not match the Key at the Server in this Load Balancing arrangement.


In effect, giving us the following scenario:

1.       User accesses Webpage via Web Server A – receives Encryption Key from A

2.       User posts back Webpage to Web Server A – with Web Server A validating the Encryption Key correctly – no error to the user

3.       User posts back the Webpage again, and the Load Balancing / Web Farm directs the Request to Web Server B instead – Web Server B then tries to decrypt the Viewstate using it’s own Encryption Key, finds the difference between Key A and Key B and so throws this error – user is then presented with the error


The resolution to this is similar to ensuring Session State is consistent when using Load Balancers and Web Farms – ensuring that a common Encryption Key exists between both Servers A and B, giving us a single key that both A and B use to manage Viewstate to make which Server the User is requesting from irrelevant.


How do we do this?

To put this common key in place, we need to run through two steps:


1.       Generate the Key – we access Powershell on the selected Server and run the following command:



                This will generate a new Encryption Key in the form that can be used in our Web Application.

                                <machineKey decryption="AES" decryptionKey="ABC" validation="SHA1" validationKey="DEF" />


2.       Insert this key into our Web Application – we then need to access the Web.Config on each of our Load Balanced Web Servers and add the <machineKey> tag into the configuration under the <system.web> section:



<machineKey decryption="AES" decryptionKey="ABC" validation="SHA1" validationKey="DEF" />


                The key here being to ensure that each Server is using the same ‘decryptionKey’ and ‘encryptionKey’ as generated by the Powershell.


With these two steps in place, the Web Servers should share the same Encryption Key for Viewstate and so this error should no longer occur.


Further Reading

This encryption of ViewState is a common part of the ASP.Net Framework and so have many articles and useful reading across the web, particularly from Microsoft and MSDN.  The links below give a more detailed set of information on this topic.

Resolving View State Message Authentication Code (MAC) errors

Machine Key Element in ASP.NET

Generating your Machine Key from IIS 7

Share this Article

Search Articles

Filter Articles

CRM Tech DocMan

Recent Articles

CRMCS Quick Start Guide: How To Produce a Microsoft Teams Live Event Dynamics 365 Marketing: Lead Scoring and Sales Acceptance Designing and Developing Microsoft Power Apps Portals Thank You for Attending CRMCS’ Webinar - Achieving B2B sales excellence with Dynamics 365 & Microsoft Teams Thank You for Attending Our Webinar - Achieving B2B sales excellence with Dynamics 365 & Microsoft Teams Webinar: Discover How CRMCS Have United Dynamics 365, SharePoint and Microsoft Teams To Create Sales Excellence Ignite your workflow by adding DocDrive365 to Office 365 The CRMCS guide to everything you need to know about integrating Teams with Dynamics 365 Saving Time By Keeping Documents In One Place TDE Database Encryption with On Premise Dynamics The Key to Successful Compliance in 2020 Part 2: Let’s get GDPR Compliant with Microsoft Power Automate Top 3 Essential Tips for Remote Working Dynamics 365 Marketing: Top 5 Best Features Dynamics Day in the Life - Puma Investments Can you use Teams to amplify collaboration in Dynamics? Part 1: Using a Scheduled Power Automate to Trigger Expiry Date Reminders The secrets of successful document collaboration in Dynamics CRMCS launches new AppSource approved DocDrive365 Dynamics Day in the Life - Moneypenny Release Management Add the App to Dynamics DocDrive365 Security: Day One - Getting Started with Dynamics to SharePoint Permissions Building a New Scheduled Process using Flow
  • "Paul has made a real difference to how my team of 24 people record and store valuable customer data and sales opportunities. Highly recommended."

    James, Operations Director

  • "Understanding your business allows us to advise when to implement aspects of CRM and, likewise, when not to."

    Paul McQuillan, Managing Director

  • "Dynamics 365 and CRMCS have made a real lasting difference to our business, allowing us to replace older systems that were holding back our performance."

    Grahame, Chief Operating Officer

  • "James worked well with us to help connect CRM with Outlook and relate how this might benefit our team using CRM for Property Care."

    Natalie, Property Care Supervisor

  • "Matt was really good with helping us run User Testing on the new Compliance Module of our CRM System."

    Tom, Compliance Administrator

Prefer to go old-school?

Write to us using the below addresses.

Head Office
CRM Consultancy
61 Oxford Street
M1 6EQ

London Office
CRM Consultancy London
Grosvenor Avenue

Content © CRM Consultancy.