Automatic machine key generation in ASP.NET
By default, the machine key setting is auto-generated and per application (AutoGenerate,IsolateApps). MSDN states that the decryption key and validation key are based on the web application ID. I am hosting two ASP.NET MVC 2 sites on my IIS 7 server but found out that the machine keys are the same. I verified this by using reflection to see the ValidationKeyInternal and DecryptionKeyInternal properties. I also tested it by generating an anti-forgery token cookie on one site and passing it to the other, and the cookie can be read.
After trial and error, I found the key will change if the application pool identity changes. The two sites have the same keys because they are running under the Network Service credential. Once I change the application pool identity of one site, they begin to have different validation/encryption keys.
However, after I deploy the two sites to another server, I always get the same machine keys even after changing the application pool identity. The two servers have the same hardware and software configuration.
I would like to know if there is a reference for the actual logic of how the machine key is generated under the AutoGenerate,IsolateApps setting. On the web, there are a lot of articles talking about setting the same machine key in a web farm scenario. But I encountered the opposite problem. The per-web-application auto key generation does not seem to work properly. Has anyone had the same problem before?
Do you have a web.config setting that may be overriding the IIS setting? That could be a factor in this, since if you are telling the servers to use specific keys, then they may do just that.
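The check suggested in the reply above, as an added example that is not part of the original thread: a Python script that reads each site's web.config and reports any `<machineKey>` whose keys are set explicitly instead of `AutoGenerate,IsolateApps`, and any explicit key shared between sites. The site names and key values are constructed placeholders, and the script inspects only the site-level file, not machine.config or the root web.config.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs; the key values are placeholders, not real keys.
SITES = {
    "siteA": '<configuration><system.web><machineKey '
             'validationKey="AutoGenerate,IsolateApps" '
             'decryptionKey="AutoGenerate,IsolateApps" /></system.web></configuration>',
    "siteB": '<configuration><system.web><machineKey validationKey="0011AABB" '
             'decryptionKey="AutoGenerate,IsolateApps" /></system.web></configuration>',
    "siteC": '<configuration><system.web><machineKey validationKey="0011aabb" '
             'decryptionKey="AutoGenerate,IsolateApps" /></system.web></configuration>',
    "siteD": '<configuration><system.web /></configuration>',
}

def machine_key_settings(web_config_xml):
    """Return the <machineKey> attributes declared in one web.config, or None."""
    root = ET.fromstring(web_config_xml)
    # <machineKey> sits under <system.web>, possibly wrapped in a <location> element.
    node = root.find(".//system.web/machineKey")
    return dict(node.attrib) if node is not None else None

def is_explicit(value):
    """True when the attribute holds a fixed key rather than AutoGenerate[,IsolateApps]."""
    return value is not None and not value.lower().startswith("autogenerate")

def audit(sites):
    """sites maps a site name to its web.config text; returns a list of findings."""
    findings = []
    seen = {}  # (attribute, normalised key) -> first site that declared it
    for name, xml_text in sites.items():
        settings = machine_key_settings(xml_text)
        if settings is None:
            findings.append(f"{name}: no <machineKey>, inherits parent config")
            continue
        for attr in ("validationKey", "decryptionKey"):
            value = settings.get(attr)
            if not is_explicit(value):
                continue
            findings.append(f"{name}: {attr} is explicit, overrides auto-generation")
            # Hex keys compare case-insensitively.
            first = seen.setdefault((attr, value.upper()), name)
            if first != name:
                findings.append(f"{name}: {attr} identical to {first}")
    return findings

if __name__ == "__main__":
    for line in audit(SITES):
        print(line)
```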