Forms authentication across apps - missing something basic?

  • Thread starter Geoff Pennington

Geoff Pennington

I have two applications running on the same server. The URL for one is
http://mydomain/app1/ and the other is http://mydomain/app2/ . Currently the
login and authentication is handled by each application, but we want to use
one login screen that will handle authentication for both apps. We have
created a new application at http://mydomain/sharedApp/ for this purpose.

There are a lot of samples on the internet showing how to set up the
web.config and it looks like a simple thing to do. But when I try using the
shared login (http://mydomain/sharedApp/login.aspx ) I get to the point in
my code (login.aspx.vb) where it has the Redirect to the home page of the
requested application, and then I get a system generated popup asking for an
ID and password. Entering either my network credentials (should not be
necessary, I am already logged onto the network) or my application defined
credentials does not help. I end with a big ugly "Access denied" screen.

Following the examples I have found, I placed the following in the
web.config of each application:
<authentication mode="Forms">
  <forms name=".ELECTRONICDD562" loginUrl="/sharedApp/Login.aspx"
         protection="All" timeout="180" path="/"/>
</authentication>

<machineKey
validationKey='9EB85D0934D1D93D7698498D2E198A8892FBD9018A9CC159D6DC69A546DCAA286CE6EAC06DFDE003D8F1394CEDAA709112AB33558CA87377B46DF4CA3A991F51'
decryptionKey='1063568D30161DE2EC969111B901F54B48DB8573B2F4BEE7'
validation='SHA1' />

I got the validation and decryption keys from a utility at
http://www.eggheadcafe.com/articles/GenerateMachineKey/GenerateMachineKey.aspx

Might that be the problem?

I've been spinning my wheels on this for several days and it doesn't look
like it should be this hard. Any ideas?

Much obliged.
 

Martin de Jong

The new application folder needs ACL rights. User ASPNET and the webuser
need read rights.
 

Geoff Pennington

I added read rights for the ASPNet account and for the IUSR_WebDev (I
believe WebDev is the server name). It made no difference. Is IUSR_WebDev
the "webuser" account you meant?

Much obliged.
 

Paul Glavich [MVP ASP.NET]

So to clear my understanding, both app1 and app2 are virtual directories, as
is the new 'sharedapp' which you want to use to control login for those 2
sites. If that is correct, and you are using forms auth for all these sites,
you will need to provide the validation and decryption key for 'each'
application as well as ensure that the cookie name is the same for all the
apps. This way, when an auth cookie is encrypted and sent as a response to
the auth request, it can be decrypted and accessed by the 'recipient' site,
whether that be 'app1' or 'app2'. Alternatively, you can put the validation
and decryption key explicitly in the machine.config which means it will be
consistent across all applications.

By default, you will have something like decryptionKey="AutoGenerate,
IsolateApp" which auto-generates the decryption key for each and every
application on the box. Having it only in one application is not enough.

Hopefully, I have your scenario correct.
 

Geoff Pennington

Paul -
I believe you have the scenario correct. The validation and decryption keys
are set to the same value in the web.config of each app (as per my original
post). I used a "cut and paste" to make sure they were the same. I am at a
loss to know why doing so does not work for me.

I have not tried placing the keys in machine.config.

Much obliged,
Geoff.
 

Paul Glavich [MVP ASP.NET]

I guess you have the cookie name and path identical in each app's web.config
too.

Try putting the decryptionKey explicitly in the machine.config and
remove the web.config entries to see if that makes a difference. You may
have to write some code to allow some tracing and debugging to be done.

In the Application_Authenticate request event within the Global.asax.cs
file, iterate through any cookies you have in 'app1' and 'app2' to see if
the cookie is making it that far, and then manually try and decrypt it using
FormsAuthentication.Decrypt to see if that is successful (if you get a
matching cookie).

I also assume Anonymous auth has been enabled via IIS settings for all
applications/virtual directories and no file specific settings have been
applied.

Re-reading your post, it's a system popup like the standard network
credential popup when you have an unauthenticated Windows user requesting
access which is not something forms auth will generate and the error may not
be with the forms authentication part at all.

Failing all that, I would start "removing" authentication piece by piece
from the configuration of the IIS vdir and the web.config until the prompt
disappeared. This would then point at the specific piece that is causing
this credential prompt.

For example, if you revert to having each app authenticate via forms auth on
its own site (not via the shared app), this prompt never appears? (On those
same servers of course).

Do all the web apps (shared, app1 and app2) exist in the same app pool?

--
- Paul Glavich
MVP ASP.NET
http://weblogs.asp.net/pglavich
ASPInsiders member - http://www.aspinsiders.com
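
The cookie check suggested in the reply above, written out as an added example (not code from the thread or its posters): a Global.asax.cs handler for 'app1' or 'app2' that traces which cookies arrive and whether the forms ticket decrypts with that application's machineKey. The class name Global and the "AuthDiag" trace category are assumptions.

```csharp
// Added diagnostic example; class name and trace category are assumptions.
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        // Name configured in this app's <forms name="..."> element.
        string expected = FormsAuthentication.FormsCookieName;

        // Step 1: list the cookies the browser actually sent to this app.
        foreach (string name in ctx.Request.Cookies.AllKeys)
        {
            HttpCookie c = ctx.Request.Cookies[name];
            int length = (c == null || c.Value == null) ? 0 : c.Value.Length;
            // Trace name and length only: the value is a bearer credential.
            ctx.Trace.Write("AuthDiag",
                string.Format("cookie '{0}' ({1} chars)", name, length));
        }

        HttpCookie authCookie = ctx.Request.Cookies[expected];
        if (authCookie == null || string.IsNullOrEmpty(authCookie.Value))
        {
            // Not sent at all: compare cookie name and path across the apps.
            ctx.Trace.Warn("AuthDiag", "no cookie named '" + expected + "'");
            return;
        }

        // Step 2: try to decrypt and validate it with this app's machineKey.
        try
        {
            FormsAuthenticationTicket t =
                FormsAuthentication.Decrypt(authCookie.Value);
            ctx.Trace.Write("AuthDiag", t == null
                ? "Decrypt returned null"
                : string.Format("ticket ok: user={0} path={1} expires={2:u} expired={3}",
                      t.Name, t.CookiePath, t.Expiration, t.Expired));
        }
        catch (Exception ex)
        {
            // A failure here points at validationKey/decryptionKey/validation
            // differing between the issuing app and this one.
            ctx.Trace.Warn("AuthDiag",
                "Decrypt failed: " + ex.GetType().Name + ": " + ex.Message);
        }
    }
}
```

Tracing has to be enabled in the application's web.config for these messages to show up in trace.axd; remove the handler and turn tracing off again once the cause is found.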
 