ASPNET Authentication with Multiple servers - asp.net

I have an ASP.net 4.5.2 app using the token authentication and authorization. This works as expected.
However, I now want to use two servers. So the user could get switched from one server to the other. The issue with this is that when the user is switched, the new server sends a 401 Unauthorized response until the user log in again.
Is there a way to make both servers accept the token?
The main purpose of this is for failover. If server 1 goes down, I can route the traffic to the second one. I have tested this and it works, except the user is forced to log in again.

The machine key must be the same for all servers serving the app.
Here is how to create the machine key in IIS.
Then copy that same key to the other servers.

Related

OpenIdDict Multiple authorization servers can't decode the same access token

I'm working with a client that has a very strange network setup. Basically, they have multiple small segmented networks with their own clusters of servers because of several acquisitions, mergers, etc. It's a nightmare.
I've setup the authorization servers correctly and they're all running the same code but when I try to take my laptop from location to the other, I get logged out and have to log back in again. A lot of the employees travel between sites so getting logged out all the time is causing some grumbles.
The each instance of the APIs and Authorization servers are able to use the same database, but each site has it's own Authorization and Resource server.
What I've noticed is this:
If I stay in one place, my access/refresh token setup works great with no problems
If a travel to another site, the new sites authority server doesn't seem to be able to validate the access token and logs me out
There is one site with a load balancer that will log me out randomly as well as if I'm traveling between sites.
The app is built on .NET Core 2.2 and OpenIDDict 2.0. For budgetary reasons, upgrading either is not an option.
Is there anyway to configure a shared certificate or key so that all of the servers can decode the access tokens? Basically multiple authorization servers able to decode the access tokens generated by any of the other authorization servers?
I was able to figure it out. I had to change this:
services.AddDataProtection()
.PersistKeysToDbContext<DbContext>();
to this:
services.AddDataProtection()
.SetApplicationName("appName")
.ProtectKeysWithCertificate(MyX509Certificate2)
.PersistKeysToDbContext<DbContext>();

Identity Server 4 behind Load balancer giving unauthorized exception

I have setup Identity server 4 for one of my project using .net core as web api and angular as front-end technology. I have two servers (SRV1 and SRV2) where i hosted Identity server and they are under load balancer.
If I stop the one of the identity hosted server and do authentication, it works perfectly fine either or. But when I enabled both the server and generate token from first call that does not authenticate on another server.
To confirm it, I shut off one server (i.e. SRV1) and made authentication call to another server (ie SRV2) through load balancer and it returned me valid Token. when i used this generated token to access protected resources of SRV2, it works perfectly fine. after I used same token to get SRV1 protected resources, it throws unauthorized error.
Appreciate quick help.
You need to make sure that the signing tokens and the Data Protection keys are the same between the two servers. If you don't define them, they will be automatically created on each server (not the same) and that results in tokens/cookies from one server is not accepted by the other one.
Do see this article as well.

Redirect Loop During Login with Implicit Flow in OpenId Connect Middleware

On server I have Identity Server 3 Identity Server. On client side, I have UseOpenIdConnectAuthentication. This is working great. But suddenly after some times when user successfully logged in at my identity server, the redirection starts looping until I get error maximum request size for everyone using the client application. Then I re-start the pool of client application, everything become working again. Is there some caching stuff in OpenIdConnectAuthentication middleware that has this result? This affects just the client app.

User Authentication over multiple Webservers in azure

I have an ASP.NET Application which runs an multiple Web Servers in Azure (these are all virtual machines and not Azure Websites).
If a user logs himself in (currently forms authentication) everything is fine but if he clicks on a link he might get redirected to another server in the server group where the session cookie is not set.
How could that be solved in azure so that a user is logged in on all machines or is there a way to "bind" a user to a specific server so that he won't jump between the servers?
Thanks for your help!
metabolic
You have to change the session state to be saved in an external persistence solution, like SQL Server or Redis, instead of InProc (which means in memory) which is the setting you have now. The steps to do that are described here for SQL Server. Then if someone ends up in a different server, he'll still be authenticated as the session will be loaded from the persistence solution.

Windows Authentication issue on Test server

We have a web application developed for use on the intranet of our client. There is no login page, hence there is no Forms authentication.
The application creates a number of records which have to be stored in the DB along with the name of the currrently logged in user. For this we have enabled windows authentication which works just fine in our development environment - and I assume, that when this is deployed on the envinronment of the client, it will work too.
The problem is, that when we host this on a test server, we need to give public IP access to the clients to check it out - and hence the virtual directory is configured to allow "anonymous access". This obviously causes a problem for us while storing the records since we are not able to capture the login name for the person who is creating/testing this application.
If we enable windows authentication for the test machine, then anyone who tries to access the app through the public IP gets a login window popup which we dont want.
Any ideas on how to capture the logged in user name for this scenario ?
Based on your design, user should log on a windows machine in your network the server is located. For that scenario, VPN would serve best and simulate real environment.

Resources