A "Validation of viewstate MAC failed" Error Occurs When Logging In To Web Access 9 After Installing Windows Updates 2894854, 2894855, or 2894856.

October 14, 2015 | KB: 1013541
Web Access 9

Summary

After installing Microsoft Security Updates 2894854, 2894855, or 2894856, attempting to log in to Web Access may result in the following ASP.NET error:

    Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.

The stack trace may look similar to the following:

    [ViewStateException: Invalid viewstate.
    Client IP: ::1
    Port: 12345
    Referer: http://localhost/laserfiche/
    Path: /laserfiche/Login.aspx
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    ViewState: /wEPDwUKMTgxMTI4NjM5MQ8WBh4OUm...]

    [HttpException (0x80004005): Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.

    See http://go.microsoft.com/fwlink/?LinkID=314055 for more information.]
    System.Web.UI.ViewStateException.ThrowMacValidationError(Exception inner, String persistedState) +12168068
    System.Web.UI.ObjectStateFormatter.Deserialize(String inputString, Purpose purpose) +12060267
    System.Web.UI.Util.DeserializeWithAssert(IStateFormatter2 formatter, String serializedState, Purpose purpose) +67
    System.Web.UI.HiddenFieldPageStatePersister.Load() +12060475
    System.Web.UI.Page.LoadPageStateFromPersistenceMedium() +12315765
    System.Web.UI.Page.LoadAllState() +51
    System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +12308619
    System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +12308137
    System.Web.UI.Page.ProcessRequest() +119
    System.Web.UI.Page.ProcessRequest(HttpContext context) +99
    ASP.login_aspx.ProcessRequest(HttpContext context) in c:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\laserfiche\cb19cd8f\cc932038\App_Web_dw0scjjz.12.cs:0
    System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +913
    System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +165

Resolution

This issue is resolved in Web Access 9.1.1 Service Pack 2 and later. Please upgrade to the latest version of Web Access.

Workaround

An updated .NET security feature may conflict with an existing Web Access feature, because both features attempt to mitigate the same type of security vulnerability.

As a temporary workaround, disable the following Web Access feature:

  1. Open the WebAccessConfig.xml file. By default, this file is located in C:\Program Files\Laserfiche\Web Access\Web Files\Config.
  2. Add the following element within the <WebAccessConfiguration> section:

    <EnableViewStateKey Value="False" />

  3. Save and close the WebAccessConfig.xml file.
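
The three steps above as a PowerShell script that backs up the file first and does nothing if the element is already set. This is an added example, not part of the original article or of Laserfiche's tooling. It assumes WebAccessConfig.xml declares no default XML namespace; the function name Set-ViewStateKeyWorkaround and the .bak file naming are hypothetical.

```powershell
# Added example: applies the EnableViewStateKey workaround idempotently.
# Assumption: the config file has no default XML namespace, so the
# <WebAccessConfiguration> element can be located by its plain name.
param(
    # Default location given in step 1 of the article.
    [string]$ConfigPath = 'C:\Program Files\Laserfiche\Web Access\Web Files\Config\WebAccessConfig.xml'
)

$ErrorActionPreference = 'Stop'

function Set-ViewStateKeyWorkaround {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    # .NET resolves relative paths differently from PowerShell, so use a full path.
    $Path = (Resolve-Path -LiteralPath $Path).ProviderPath

    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true      # keep the file's existing layout
    $doc.Load($Path)

    $section = $doc.SelectSingleNode('//WebAccessConfiguration')
    if ($null -eq $section) {
        throw "No <WebAccessConfiguration> element found in $Path"
    }

    $node = $section.SelectSingleNode('EnableViewStateKey')
    if ($null -ne $node -and $node.GetAttribute('Value') -eq 'False') {
        return 'unchanged'               # workaround already in place
    }

    # Timestamped copy so the change can be reverted after upgrading Web Access.
    Copy-Item -LiteralPath $Path -Destination "$Path.$(Get-Date -Format yyyyMMddHHmmss).bak"

    if ($null -eq $node) {
        $node = $doc.CreateElement('EnableViewStateKey')
        [void]$section.AppendChild($node)
    }
    $node.SetAttribute('Value', 'False')
    $doc.Save($Path)
    return 'updated'
}

Set-ViewStateKeyWorkaround -Path $ConfigPath
```

Run it from an elevated prompt, since the default location is under Program Files. The backup makes it straightforward to restore the original setting once the upgrade named under Resolution is installed.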

Related Links

For more information on the .NET Framework updates, please see the following Microsoft Knowledge Base articles:

http://support.microsoft.com/kb/2905247

http://support.microsoft.com/kb/2915218