AppPool crash when using persistent encrypted forms authentication cookies

In an ASP.NET 2.0 website created for a customer, I've run into a strange problem: the app pool crashes every now and then. There's no error message in the event log, and the logging mechanism in the website doesn't get a chance to log the problem because of the app pool crash. All I could find were messages in the event log stating "Forms authentication failed for the request. Reason: The ticket supplied was invalid.".

I've been looking into this problem for quite some time, and there's not much information on this topic. All I found was that it has something to do with the encryption and validation of the authentication ticket. The keys used in that process can be configured using the <machineKey> element in web.config and must be the same on all web servers in a web farm. Different keys on different servers would cause this same error, which is fairly obvious.

However, we don't use a web farm or load-balanced scenario. It's just a single app on a single box, without any custom-configured machine keys. But that is where the problem is: by default the machine keys are auto-generated (<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="SHA1" decryption="Auto" />). On app start the keys are auto-generated and stored in the registry under a subkey for the identity of the application pool. This also means that the application pool identity must have access to this key, so that it can be retrieved whenever needed. The identity I use for the application pool is a domain account which I added to the local IIS_WPG group. I didn't check anything else, since everything appeared to work fine. However, it turns out more configuration is needed for the identity.

To configure the account easily, you can use "aspnet_regiis -ga <identity>". It grants the account the correct policies, adds it to IIS_WPG, etc.

When using preconfigured keys (that is, not using AutoGenerate), you probably won't run into this issue.
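One way to apply the preconfigured-keys alternative, as an added PowerShell example that is not part of the original post: it replaces the AutoGenerate <machineKey> element quoted above with explicit, randomly generated keys, and then shows the aspnet_regiis -ga fix the post recommends for the AutoGenerate case. The web.config path and the app-pool account name are assumptions.

```powershell
# Added example, not code from the original post. Replaces the AutoGenerate
# <machineKey> with explicit keys so the forms-auth ticket no longer depends on
# auto-generated keys stored under the app-pool identity's registry hive.
# Assumptions: the web.config path and the app-pool account name used below.

function New-HexKey {
    param([int]$Bytes)
    $buf = New-Object byte[] $Bytes
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $rng.GetBytes($buf)
    return (($buf | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Set-ExplicitMachineKey {
    param([string]$WebConfigPath)
    # Sizes fit the algorithms of the post's default element:
    # SHA1 validation accepts 20..64 bytes (64 here), AES decryption uses 32 bytes.
    $validationKey = New-HexKey -Bytes 64
    $decryptionKey = New-HexKey -Bytes 32

    Copy-Item -Path $WebConfigPath -Destination "$WebConfigPath.bak" -Force
    [xml]$cfg = Get-Content -Path $WebConfigPath -Raw
    $sysWeb = $cfg.configuration.'system.web'
    if (-not $sysWeb) { throw "no <system.web> element in $WebConfigPath" }

    # Drop any existing <machineKey> (for example the AutoGenerate one), then add ours.
    $sysWeb.ChildNodes | Where-Object { $_.LocalName -eq 'machineKey' } |
        ForEach-Object { [void]$sysWeb.RemoveChild($_) }
    $mk = $cfg.CreateElement('machineKey', $sysWeb.NamespaceURI)
    $mk.SetAttribute('validationKey', $validationKey)
    $mk.SetAttribute('decryptionKey', $decryptionKey)
    $mk.SetAttribute('validation', 'SHA1')
    $mk.SetAttribute('decryption', 'AES')
    [void]$sysWeb.AppendChild($mk)
    $cfg.Save($WebConfigPath)
}

# Placeholder path for this example.
Set-ExplicitMachineKey -WebConfigPath 'C:\inetpub\wwwroot\MySite\web.config'

# Alternatively, keep AutoGenerate and grant the app-pool identity what it needs,
# as the post recommends (placeholder account name).
& "$env:windir\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe" -ga 'DOMAIN\AppPoolUser'
```

With explicit keys every worker process, including one whose identity cannot read the auto-generated key, validates and decrypts the same tickets, so the "ticket supplied was invalid" messages tied to key access should stop.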

You can read more in this article by Kevin Kenny!

-Robert te Kaat-