Datasheet
The actual logic for generating and confirming the existence of the auto-generated machine key has
changed over various versions of ASP.NET and with the different process models for hosting ASP.NET
inside of IIS. Originally, when only Windows 2000 was available, the ASP.NET ISAPI extension would
always run as SYSTEM because in IIS5 (and for that matter IIS 5.1), ISAPI filters and extensions always
ran with the security credentials of the
inetinfo.exe process. As a result, for IIS 5 and IIS 5.1, the
ISAPI extension checks for the existence of the machine-generated key inside of the Local Security
Authority (LSA). Because SYSTEM is such a highly privileged account, the ISAPI extension could safely
generate and store the auto-generated machine key in the LSA.
However, with the process model in IIS6, ISAPI filters and extensions execute in a specific worker pro-
cess. By default, the
w3wp.exe worker process runs as NETWORK SERVICE, which has much fewer
privileges than SYSTEM. As a result, the approach of storing items in LSA no longer works because
NETWORK SERVICE does not have permission to read and write the LSA. Trust me when I say that this
is a good thing (the idea of having your web server happily stuffing secret keys into the LSA is a little bit
odd to say the least).
In IIS6, when running as NETWORK SERVICE the ASP.NET2.0 ISAPI extension will store and retrieve
the auto-generated machine key from the following location in the Registry:
HKU\SID\Software\Microsoft\ASP.NET\2.0.50727.0
The value for the security identifier (SID) will vary depending on the identity of the worker process
account. By default though when an IIS6 worker process runs as NETWORK SERVICE the SID will be
S-1-5-20. Underneath this key are three values:
❑ AutoGenKey — This is the auto-generated machine key that is used for encryption and valida-
tion by forms authentication and for viewstate.
❑ AutoGenKeyCreationTime — An encoded representation of the file time when the key was
generated.
❑ AutoGenKeyFormat — Indicates whether the auto-generated machine key was stored in an
encrypted form (1) or as cleartext (2).
The very first time the ISAPI extension attempts to retrieve the auto-generated machine key, ASP.NET
creates a random value, encrypts it using DPAPI (the extension uses the DPAPI user store), and stores
the resultant information under the HKCU key mentioned earlier. In Figure 1-7, the auto-generated
machine key information is stored in the user hive for NETWORK SERVICE. The SID
S-1-5-20 is the
common SID representation for NETWORK SERVICE.
However, the question arises as to how the ISAPI extension can obtain an auto-generated machine key if
the ASP.NET application is running as an account other than NETWORK SERVICE. For example, in IIS6
administrators commonly change the worker process identity to that of a local machine account or a
domain account. Also, some web applications will use the
<identity /> element to configure a specific
application impersonation identity.
20
Chapter 1
04_596985 ch01.qxp 12/14/05 7:46 PM Page 20