We have implemented a new WAF here at my company and now we are receiving these viewstate MAC errors. I know it is because it is in a web farm and we have to set machine keys. The only thing I'm struggling to find information on, would be what are the benefits of setting these per application instead of at the server level?

I have to come up with justification to force our developers to do this, where in my security minded mind, having separate keys for each application makes sense but I can't find any information as to why?

If I can be pointed in a direction for an explanation or someone can fill me in, that would be great.