Channel: Security

MembershipManager.ValidateUser machinekey required?


I have an old SOAP web service deployed on multiple servers that uses ASP.Net Membership to authenticate users. It's been working reliably for years, but I was intrigued to see in various places that a machine key containing validation and decryption keys should be placed on each instance of the web service. In IIS 7 Manager, an easy option to create a <machinekey> element is available when double-clicking the "Machine Key" icon for a website. In there, it mentions "If your server is part of a Web farm, specify validation and decryption keys".

However, as far as I can tell, no machinekey element is - or ever has been - present in the SOAP web service. Given that it works reliably, this leads me to think that the above advice is not relevant. Is this correct?

The app is using hashed passwords:

<membership defaultProvider="AspNetSqlProvider" userIsOnlineTimeWindow="15">
  <providers>
    <clear/>
    <add name="AspNetSqlProvider"
         type="System.Web.Security.SqlMembershipProvider"
         connectionStringName="MembershipSqlConnection"
         applicationName="NameOfMyApp"
         enablePasswordRetrieval="false"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="true"
         requiresUniqueEmail="true"
         passwordFormat="Hashed"
         maxInvalidPasswordAttempts="20"
         minRequiredNonalphanumericCharacters="0"
         minRequiredPasswordLength="10"/>
  </providers>
</membership>



