aspnet / AspNetWebStack

ASP.NET MVC 5.x, Web API 2.x, and Web Pages 3.x (not ASP.NET Core)

The anti-forgery token could not be decrypted

iomdesign opened this issue · comments

Hi folks,

We've got a pair of IIS web servers (Windows Server 2019) with explicit encryption and validation machine keys configured; identical date/time, IIS modules, app pool user names and asp.net version and load balanced by an HA.

The applications running on these servers have the keys configured in the web.config files in <system.web><machineKey decryptionKey=... validationKey=... validation="SHA1" decryption="AES", @Html.AntiForgeryToken() in the form to generate the input and then [ValidateAntiForgeryToken] attribute on the POST action - all pretty standard stuff.

The applications all work when served from a single web server but as soon as we bring both servers into the active pool we start observing "The anti-forgery token could not be decrypted..." exceptions in our logs.

Is there something that we're missing?

commented

Thanks for contacting us.
What seems to be happening here is that the antiforgery token is being generated by one machine and a subsequent request is being handled by a different machine, which is not able to decrypt / validate the earlier generated token. Hence the failure.

One pattern used in these situations is to have the load balancer redirect the requests from the same user to the same server which served it first. Having said that, we think learning more about how to configure this with your setup is a good question to ask on the StackOverflow forum.
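An added check for the failure mode described in this thread (not code from the issue or from the AspNetWebStack project): it reads the web.config of the same application on each node and compares the machineKey settings, hashing the key material instead of printing it so the result can be logged safely. The UNC paths and the application name are assumptions for illustration.

```powershell
# Added example: confirm that every node in the web farm carries the same
# <machineKey> so a token issued by one node can be validated by another.
# Hypothetical paths; replace with the real web.config of each server.
$paths = @(
    '\\web01\c$\inetpub\wwwroot\MyApp\web.config',
    '\\web02\c$\inetpub\wwwroot\MyApp\web.config'
)

function Get-MachineKeyFingerprint {
    param([string]$ConfigPath)
    [xml]$cfg = Get-Content -Path $ConfigPath -Raw
    $mk = $cfg.configuration.'system.web'.machineKey
    if (-not $mk) {
        # No explicit machineKey: the node falls back to per-machine auto-generated keys.
        return [pscustomobject]@{ Path = $ConfigPath; Validation = $null; Decryption = $null; KeyHash = $null; AutoGen = $true }
    }
    # Fingerprint the secrets instead of displaying them.
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [Text.Encoding]::UTF8.GetBytes("$($mk.validationKey)|$($mk.decryptionKey)")
    $hash  = ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
    [pscustomobject]@{
        Path       = $ConfigPath
        Validation = $mk.validation
        Decryption = $mk.decryption
        KeyHash    = $hash
        # "AutoGenerate" keys are unique per machine and never match across nodes.
        AutoGen    = ($mk.validationKey -like 'AutoGenerate*') -or ($mk.decryptionKey -like 'AutoGenerate*')
    }
}

$results = $paths | ForEach-Object { Get-MachineKeyFingerprint -ConfigPath $_ }
$results | Format-Table -AutoSize

$distinct = $results | Select-Object -Property KeyHash, Validation, Decryption -Unique
if ($distinct.Count -gt 1 -or ($results.AutoGen -contains $true)) {
    Write-Warning 'machineKey differs between nodes or is auto-generated; tokens issued by one node will not validate on the other.'
} else {
    Write-Output 'machineKey is identical on all nodes.'
}
```

If the machineKey lives in a <location> element or in machine.config rather than the application's web.config, adjust the XPath accordingly; the comparison logic is the same.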