I recently encountered the following errors in the event logs of our load-balanced RD Gateway farm:

* Source: ASP.NET 2.0.50727.0
* Event Log: Application
* Type: Warning
* Event ID: 1309
* Event User: N/A
* Event code: 3005
* Event message: An unhandled exception has occurred.
* Stack trace:
    at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, IVType ivType, Boolean useValidationSymAlgo, Boolean signData)
    at System.Web.Security.FormsAuthentication.Decrypt(String encryptedTicket)
    at Microsoft.TerminalServices.Publishing.Portal.FormAuthentication.TSFormsAuthentication.ExtractInfoFromCookies(HttpContext objHttpContext)
    at Microsoft.TerminalServices.Publishing.Portal.FormAuthentication.TSFormsAuthentication.OnAuthenticateRequest(Object source, EventArgs e)
    at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
    at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

On the client side we saw the following error:


This error occurs when an active, authenticated session on the web portal is failed over or load balanced to another RD Web Access server. IIS uses an encryption key to encrypt the data, and a validation key to check that the encrypted data (session ID, etc.) is valid and has not been tampered with. The default setting in IIS is to generate these keys automatically at runtime, so the keys are different after every restart and different on each member server of the farm. Because of this, the web server that receives the session is unable to decrypt and validate it, since it holds different keys.


To be able to use the authentication across all member servers in a farm, every member server must use the same validation and decryption keys. (Don’t change these settings on a live production environment.) The first step is to generate the keys. Open IIS Manager, navigate to the server or application, and double-click Machine Key.


Clear both check boxes, “Generate a unique key for each application” and “Automatically generate at runtime”, for both the validation key and the decryption key.


Then click Generate Keys in the Actions pane and click Apply.


Copy and paste these keys to the other members of the farm. All new sessions will then use the shared keys, which allows load balancing or failover between the members of the farm.
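The same procedure done from PowerShell, as an added example that is not part of the original post: generate one key pair once, then apply identical values on every farm member and verify they match. It assumes the IIS WebAdministration module, the default ASP.NET 2.0 algorithms RD Web Access uses (SHA1 validation, AES decryption), and an application path of `Default Web Site/RDWeb`, which you should adjust to your own farm.

```powershell
# Generate a cryptographically random key and return it as a hex string,
# the format the machineKey element expects.
function New-MachineKeyHex {
    param([int]$ByteLength)
    $bytes = New-Object byte[] $ByteLength
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $rng.GetBytes($bytes)
    return ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
}

# Run this part ONCE, on one node, and record the two values; every other
# node must receive exactly these strings, not freshly generated ones.
$validationKey = New-MachineKeyHex -ByteLength 64   # 128 hex chars for HMAC-SHA1
$decryptionKey = New-MachineKeyHex -ByteLength 32   # 64 hex chars = AES-256

# Run this part on EVERY farm member with the same $validationKey/$decryptionKey.
# Setting explicit keys replaces the default "AutoGenerate,IsolateApps" value,
# which is what clearing the two check boxes in IIS Manager does.
Import-Module WebAdministration
$app    = 'IIS:\Sites\Default Web Site\RDWeb'   # assumed path; adjust for your farm
$filter = 'system.web/machineKey'
Set-WebConfigurationProperty -PSPath $app -Filter $filter -Name validationKey -Value $validationKey
Set-WebConfigurationProperty -PSPath $app -Filter $filter -Name decryptionKey -Value $decryptionKey
Set-WebConfigurationProperty -PSPath $app -Filter $filter -Name validation    -Value 'SHA1'
Set-WebConfigurationProperty -PSPath $app -Filter $filter -Name decryption    -Value 'AES'

# Verify before putting the node back behind the load balancer: the output
# must be identical on every member, otherwise the 1309/3005 warnings return.
Get-WebConfiguration -PSPath $app -Filter $filter |
    Select-Object validationKey, decryptionKey, validation, decryption
```

Treat the two key strings as secrets: anyone holding them can forge forms authentication tickets for the whole farm, so distribute them over an administrative channel rather than e-mail or a shared document.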

Funny thing is that after I changed this on our servers, I encountered an error on the Microsoft Forefront mail site https://sts.messaging.microsoft.com. I was logged on and didn’t do anything for a while. After clicking on a link I saw the following:


Could this be the same issue? It looks an awful lot like it.

Categories: Remote Desktop