"Validation of viewstate MAC failed" with Kentico 7.0 and IIS 7.5

The Situation:

We have 2 Webserver IIS7.5 which run loadbalanced (Software, standard install) framework 4.5 installed

We have a Kentico 7.0 Installation running on both Server.

The Problem:

The Site load normal, but when i change to the CMSDesk and try to login(with IE8), i get the Error Message(very fast not, even a second):

Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster. 

Eventlog

Event code: 4009 
Event message: Viewstate verification failed. Reason: The viewstate supplied failed integrity check. 

with Chrome 27+ it takes about 3-4 Seconds but the CMSDesk appears (only sometimes the error appears, i can't say when ?!). That's why i can exclude a IE8 Problem

Now it gets really spooky, even if i take on Server out of the Loadbalancer!

What i have tried: (All this experiments i tried in various combinations)

0) googled like crazy, recycled the apppool and clear the cache. BASICS

1) Set the machinekey element in the

machine.config's (rebooted the servers afterwards)
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\config\machine.config
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\config\machine.config
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\config\machine.config
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\config\machine.config

Example Code (in all Files the SAME KEYS)
<system.web>
  <machineKey validationKey="EEF33150A048D162D22CB36E1CB9956B148C7A4E6999D0F05B53D416D7A16F83823DD626F501DD3549D3E5DCB473634739D0AD9A07F71560946498C943A7586D"
    decryptionKey="0E95F75864047EB6322EA7D5246F2C1175D77A1B016F293C3BAAD000299A3DC8"
    validation="SHA1"
    decryption="AES" />
</system.web>

Result: same Error

2) i even set it in the webconfig (just to be sure).

Result: same Error

3) i set the attribute enableViewStateMac on the pages-element in the Web.config to false (just to see if it works, i am not a fan of security holes)

Result: no Error, but i stayed on the Login page. and on the kentico-event-log there was a successful auth message. hmm?! So, i turned it back to true, to be SAFE;-) The other Securityhole solutions like auth never and so on i didn't even try, since it should be a save page.

4) i checked if the page really loaded completly (since in some Forum's it was stated, that if the page is not completly load it could break the viewstate and the validation wouldnt work)

Result: same Error

5) i tried the "Unsafe" Kentico Workaround, Setting a Attribute in the web.config / settings section

    <add key="CMSUseViewStateUserKey" value="false"/>

Result: Same as by Number 3

6) i even looked into the "lookahead downloader bug in IE8", but this should be fixed with KB980182 and i have installed (Yes i am grabbing for straws now)

JUST LOOKED

7) the ViewState doesnt seem too long, due to the fact that it is only a login form

JUST LOOKED

8) Called the one Server directly without the cluster IP-Adress

Result: It Works. (YEY)

-> All this information is somewhat confusing for me and how do i get the Cluster to work?

*) Chrome works 90 - 99% with the Cluster / with on Server in the Cluster / on Server directly

*) IE 8 doesn't works with the Cluster

*) IE 8 doesn't works with the Cluster with only one server

*) IE 8 works directly on the Server

Conlusion so far:

*) It could be an IE8 Bug

*) It could be something with the loadbalancing, Cluster or the Domainname (i think).

*) I must discard the Chrome/ Error due to the fact that at present i cant reproduce anymore

*) due to Point 3 It Must be something With the MAC feature (http://support.microsoft.com/)

I would be thankful for any input / pointer /...

P.s.: please don't be hard on me this is my first question.


Solution 1:

I think i found the solution(i can real test it on Monday, when the colleagues from the Server-Team, are back). YEY

In an act of desperation i, analysed the http-traffic of both IE and Chrome and found out the the set-cookie Request is never set. After tampering with the http-traffic and injecting the cookie myself. The Page loaded normal. -> the cause was really the internet explorer.

So after some more google-ing i found out, that it seems like, that the fqdn which pointed to the loadbalancer had an invalid Charakter(an underscore), and IE8 discards the cookie in case of an invalid fqdn. (i found this information here, it states the same issue for the IE 9, but the symptoms match)

Funny that Firefox, Chrome, ... seem to accept "invalid" fqdn

So the Problem is solved. After a test on Monday with the Server-Crew i will post/comment the result. (just, share all parts of the solution and results)

Update: Checked with the guys, this was the Problem/Solution

Solution 2:

Are the Kentico instances set into the Web farm synchronization so they know about each other and all the things including cache and viewstate are synchronized?