Reputation: 3773
We've got an ASP.NET 4.5 WebAPI service that is hosted on two separate AWS instances that are behind a load balancer. Both of these machines have a standard system.web configuration section containing the machineKey element with both the decryption and validation keys and algorithms set. The web.configs on both machines are identical:
```xml
<system.web>
...
<machineKey decryption="AES" decryptionKey="..." validation="SHA1" validationKey="..." />
...
</system.web>
```
These keys are used by the OAuth middleware to decrypt/validate bearer tokens in requests.
Everything has been working absolutely fine for the last two years, but in the last month, requests going to the second web box have been failing because the OAuth bearer token appears to be invalid.
If we only run one 'leg' of the web balancer at once, everything is fine, no matter which leg handles all requests. But if both are running, requests to the second box fail. This is odd as there have been no code changes, and no environmental changes we are aware of, either to the web boxes or the load balancer.
It all suggests that both machines are using different machine keys, even though they are both hard-coded in the web.config.
Is there some way that the machine key is overridden somehow? Are there any other explanations for what might be going wrong?
Upvotes: 1
Views: 1850
Reputation: 11055
Check that the system clocks on both AWS instances match. I seem to recall this happening to me a few years ago.
Upvotes: 1
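A check for the two explanations raised above (the machineKey material actually differing between the boxes, and clock skew between them), added here as an example and not taken from the question or the answer. It assumes WinRM access to both instances and a hypothetical site path; the instance names are placeholders.

```powershell
# Added diagnostic: compare the effective machineKey on both web boxes without
# displaying the key material, and measure the clock skew between them.
$servers    = @('web-box-1', 'web-box-2')            # hypothetical instance names
$configPath = 'C:\inetpub\wwwroot\api\web.config'    # hypothetical site path

$results = Invoke-Command -ComputerName $servers -ArgumentList $configPath -ScriptBlock {
    param($path)
    [xml]$cfg = Get-Content -Path $path -Raw
    $mk = $cfg.configuration.'system.web'.machineKey

    # Fingerprint the key material so it can be compared without being logged.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $material = "$($mk.decryption)|$($mk.decryptionKey)|$($mk.validation)|$($mk.validationKey)"
    $fingerprint = ($sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($material)) |
        ForEach-Object { $_.ToString('x2') }) -join ''

    [pscustomobject]@{
        Server     = $env:COMPUTERNAME
        Decryption = $mk.decryption
        Validation = $mk.validation
        KeyHash    = $fingerprint.Substring(0, 16)
        UtcNow     = [DateTime]::UtcNow
    }
}

$results | Format-Table Server, Decryption, Validation, KeyHash, UtcNow

# Both boxes must report the same KeyHash; if not, the configs differ after all.
if (($results.KeyHash | Select-Object -Unique).Count -gt 1) {
    Write-Warning 'machineKey differs between the servers.'
}

# Clock skew between the boxes, which the answer suggests checking.
$skew = ($results[0].UtcNow - $results[1].UtcNow).Duration()
if ($skew.TotalSeconds -gt 30) {
    Write-Warning ("Clock skew of {0}s between {1} and {2}." -f
        [int]$skew.TotalSeconds, $results[0].Server, $results[1].Server)
}
```

The 30-second threshold is an arbitrary choice for the example; the UtcNow values are captured while both remote sessions run, so small differences are expected.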