I didn't realize you were encrypting the querystring on the browser, but yes, that is what it means. DPAPI is a great solution for encrypting sensitive things like database connection strings, admin usernames or passwords, etc. However, as you can see, it will not work well anytime the actual encrypted string is passed around to different machines (on the web farm here). Perhaps you can try using another encryption algorithm (symmetric) for the querystrings?