The encryption method can be set in the web.config file for a site, in IIS 7 for a Web server, or in the config file for .NET on a server in %SYSTEMROOT%\Microsoft.NET\Framework\version\CONFIG\. On 64-bit systems, it must also be set in %SYSTEMROOT%\Microsoft.NET\Framework64\version\CONFIG\. A typical entry would look like this:
<machinekey decryption="3DES" decryptionkey="AutoGenerate,IsolateApps" validation="3DES" validationkey="AutoGenerate,IsolateApps">On a Web farm, this setting will have to be made on all the servers in the farm.
Reference and to read more from Security Hack Exposes Forms Authentication in ASP.NET [Visual Studio Magazine]