Invalid ViewState Error – Validation of ViewState MAC failed

Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.


In above exception viewstate is not getting validated/authenticated by the server. This happens when encryption key used for encrypting viewstate does not match on different servers in the web farm.
When we deploy an web application into a web farm environment, each web servers machine.config or web.config must specify the same key used for encrypting the view state. As view state is encrypted for security reasons and each machine.config on each web server will have a different key so they must all be the same. If they are different then viewstate created by one server will not be understood by other server and hence the above error.
Instead of editing machine.config file which may affect other applications running on the same server.
Best way is to add a machineKey element into each of the web server’s web.config and define the same keys and algorithm.
The machineKey goes under the System.web node. for e.g.
<machineKey validation=”SHA1″ validationKey=”A1B2C3D4E5F6F6E5D4C3B2A1A1B2C3D4E5F6F6E5D4C3B2A1A1B2C3D4 E5F6F6E5D4C3B2A1A1B2C3D4E5F6F6E5D4C3B2A1A1B2C3D4E5F6F6E5D4C3B2A1B2C3D4E5″
decryption=”Auto” decryptionKey=”A1B2C3D4E5F6F6E5D4C3B2A1A1B2C3D4E5F6F6E5D4C3B2A1″ />
for machinekey setting parameters you can refer

There are few more reasons why this error may occure, Like while trouble shooting –

1. Please check Application Pool Recycling settings in the IIS, IIS keeps on recycling the application pool to maintain the applications health. During this recycling process requests from the client may get into invalid viewstate situation.The fix in this case is to adjust the settings on the application pools so that recycling is less likely to occur at peak periods
2. Any Antivirus software or firewall settings may diesect the viewstate, creating difficulty for sever to validate the viewstate.
3. Improper Form Posts- Viewstate can only be posted back to the same page.  Attempting to post an aspx form to another page will fail with a viewstate invalid exception. This behavior is by design and obvious.
Some developers choose to disable the encryption of viewstate(ViewStateEncryptionMode =ViewStateEncryptionMode.Never) which is bad design, encryption is required so that no one should tamper the view state.