I want to authenticate users using Active Directory, but when I try to log in, it fails.
This is my web.config:
<add name="ADConnectionString" connectionString="LDAP://IPAddress/CN=Users,DC=domain,DC=net"/>
<authentication mode="Forms">
<forms name=".ADAuthCookie" timeout="10" loginUrl="Login.aspx" defaultUrl="Default.aspx">
</forms>
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
<membership defaultProvider="DomainLoginMembershipProvider">
<providers>
<add name="DomainLoginMembershipProvider" connectionStringName="ADConnectionString" enableSearchMethods="true" connectionUsername="domain.net\myuser" connectionPassword="mypassword"/>
</providers>
</membership>
Also, when I use the ASP.NET configuration tool to see the users, there is only one user, domaincontroller#domain.net, and when I search Active Directory in Windows there isn't any domaincontroller#domain.net. Please help me. Why can't I at least authenticate with my username?
Authentication with Active Directory means Windows authentication, so first of all, you need to set
<authentication mode="Windows"> instead of <authentication mode="Forms">
Related
I have two applications in the same domain: mydomain/app1 and mydomain/app2, and I need to share authentication between them. One app is in Asp.Net WebForms, and the second is using WebApi2.
I configured web.config like below:
App1:
<authentication mode="Forms">
<forms loginUrl="/Login.aspx" defaultUrl="/Default.aspx" name=".ASPXFORMSAUTH" protection="All" cookieless="UseDeviceProfile" slidingExpiration="true" path="/" domain="mydomain" requireSSL="false" timeout="60" enableCrossAppRedirects="false">
</forms>
</authentication>
<authorization>
<deny users="?" />
<allow users="*"/>
</authorization>
<machineKey validationKey="generated key1" decryptionKey="generated key2" validation="SHA1"/>
App2:
<authentication mode="Forms">
<forms loginUrl="/index.html" defaultUrl="/index.html" name=".ASPXFORMSAUTH" protection="All" cookieless="UseDeviceProfile" slidingExpiration="true" path="/" domain="mydomain" requireSSL="false" timeout="60" enableCrossAppRedirects="false">
</forms>
</authentication>
<authorization>
<deny users="?" />
<allow users="*"/>
</authorization>
<machineKey validationKey="generated key1" decryptionKey="generated key2" validation="SHA1"/>
I am signing into app1 and observe the cookie content.
Then I am requesting a URL from app2 in another browser tab. The cookie (name and content) in the second tab is the same as in the first one.
I expect the request from the second tab to be authenticated by app2, since the cookie is already authenticated by app1.
Yet, this is not happening, and I am redirected to the login page of app2.
As suggested by the OP, here is the answer that works in that case.
They've changed the cookie encryption between 4 and 4.5. You can either make both run under the same .NET or turn on the compatibility on the 4.5 site by adding an attribute to your machine key config node.
https://social.microsoft.com/Forums/en-US/1791c5e3-4087-4e92-a460-51c5c4221f49/any-forms-auth-changes-in-45?forum=Offtopic
I am using the following configuration in my web.config file:
<system.web>
<authentication mode="Forms">
<forms name=".ASPXFORMSDEMO" loginUrl="Defautl.aspx" protection="All" path="/" timeout="30" />
</authentication>
<authorization>
<deny users ="?" />
<allow users = "*" />
</authorization>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
</system.web>
But when I run the code I get an error:
Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server.
As I am running it from localhost, I am not sure why this error is happening.
If I disable Windows Authentication in the project properties, the above error shows up. If I enable it, then I can view any page inside my application without logging in.
I have commented out the ConfigureAuth code inside the Startup class.
Edit 1: I have gone through this link
Try this:
<system.web>
<compilation debug="true" targetFramework="4.5" />
<authentication mode="Forms" lockItem="true">
<forms loginUrl="Login.aspx" name="frmL" slidingExpiration="true" protection="All" defaultUrl="Default.aspx" path="/"/>
</authentication>
</system.web>
<location path="YourDirectoryForAuthorizedUsers">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
I'm trying to implement the ActiveDirectoryMembership provider so I can use forms authentication against active directory.
I can browse to the application, and be redirected to the signin page. If I enter the incorrect password I get the correct error. If I enter the correct password it redirects me to the default url (/Secure/Default.aspx), but immediately get redirected back to the signin page. I can see the two redirects because I'm using fiddler. So I know for sure that it is authenticating against AD correctly, but still taking me back to the signin page. I also know that the browser does accept cookies, because I built a test page in the application to prove that. I've included the web.config and relevant code below, just can't figure out what I am missing...
Edit:
I have found that if I specify UseUri instead of UseCookies, everything starts working. But I have validated that I can store data in a cookie on one page, and retrieve it on another page, so why wouldn't it work for the authentication piece?
Edit 2
I've also removed my code from the signin page and used the standard login control, same problem.
Web.config file:
<connectionStrings>
<add name="ADConnectionString" connectionString="LDAP://YNET" />
</connectionStrings>
<system.web>
<authentication mode="Forms">
<forms name=".ASPXAUTH"
path="/FormsAuth"
loginUrl="~/SignIn.aspx"
defaultUrl="~/Secure/Default.aspx"
timeout="20"
requireSSL="false"
protection="All"
slidingExpiration="true"
cookieless="UseCookies"
enableCrossAppRedirects="false"/>
</authentication>
<authorization>
<!-- Deny unauthenticated users will cause automatic redirect to the sign in page when using forms authentication. -->
<deny users="?"/>
<allow users="*"/>
</authorization>
<!-- For non AD passthrough authentication, specify the defaultProvider property -->
<membership defaultProvider="ActiveDirectoryMembershipProvider">
<providers>
<clear/>
<add name="ActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider"
connectionStringName="ADConnectionString"
attributeMapUsername="sAMAccountName"/>
</providers>
</membership>
</system.web>
Signin page:
bool bIsValid = System.Web.Security.Membership.ValidateUser(txtUsername.Text, txtPassword.Text);
//Authenticate the user credentials against the default membership provider specified in configuration
if (bIsValid)
{
System.Web.Security.FormsAuthentication.SetAuthCookie(txtUsername.Text, true);
System.Web.Security.FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, true);
}
else
{
//display error
....
}
The cookie issue (and likely the login issue) is due to the fact that you are setting the cookie path to be /FormsAuth. That means the cookie is only valid for that URL path and will be discarded otherwise. Also, your <authorization> section can be tweaked a bit as I have adjusted in the following full update of your partial Web.config:
<connectionStrings>
<add name="ADConnectionString" connectionString="LDAP://YNET" />
</connectionStrings>
<system.web>
<authentication mode="Forms">
<forms name=".ASPXAUTH"
path="/"
loginUrl="~/SignIn.aspx"
defaultUrl="~/Secure/Default.aspx"
timeout="20"
requireSSL="false"
protection="All"
slidingExpiration="true"
cookieless="UseCookies"
enableCrossAppRedirects="false"/>
</authentication>
<authorization>
<allow users="*"/>
</authorization>
<!-- For non AD passthrough authentication, specify the defaultProvider property -->
<membership defaultProvider="ActiveDirectoryMembershipProvider">
<providers>
<clear/>
<add name="ActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider"
connectionStringName="ADConnectionString"
attributeMapUsername="sAMAccountName"/>
</providers>
</membership>
</system.web>
<location path="Secure">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
If the /Secure folder is truly the only folder you want to protect with the login, then the above works, but if you want to lock everything down except the login page, you simply need <deny users="?" /> in your main <authorization> section.
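The cookie-path behaviour this answer describes, as an added example that is not part of the original answer: a Python sketch of RFC 6265 path matching and the redirect loop it produces. It assumes the application is hosted at the site root; `path_matches` and `land_after_login` are hypothetical names.

```python
def path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path-match; the comparison is case-sensitive."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # A prefix only counts when it ends on a path-segment boundary.
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def land_after_login(cookie_path,
                     default_url="/Secure/Default.aspx",
                     login_url="/SignIn.aspx"):
    """Return the URLs the browser requests after a successful sign-in.

    Models a deny-anonymous site: a request that arrives without the
    ticket cookie is redirected to login_url. Assumes the application
    is hosted at the site root (assumption of this sketch).
    """
    requested = [default_url]            # redirect issued by the sign-in page
    if not path_matches(cookie_path, default_url):
        requested.append(login_url)      # cookie withheld, so treated as anonymous
    return requested


if __name__ == "__main__":
    # The two path values from the question and from the corrected config.
    for path in ("/FormsAuth", "/"):
        print(path, "->", " -> ".join(land_after_login(path)))
```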
I am trying to configure an ActiveDirectoryMembershipProvider but I keep getting the message "Unable to establish secure connection with the server".
I have seen online at the MSDN website that I should configure the trust level to unrestricted on my site and I still get that.
Here is my example:
<connectionStrings>
<add name="LocalAD" connectionString="LDAP://example.com/dc=example,dc=com" />
</connectionStrings>
<membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
<providers>
<add name="AspNetActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider"
applicationName="adtest"
connectionUsername="cn=Users"
connectionPassword="password"
connectionStringName="LocalAD" >
</add>
</providers>
</membership>
<trust level="Full" />
<authentication mode="Forms">
<forms loginUrl="login.aspx"
protection="All"
timeout="30"
name="miBenefitsAdminToolCookie"
path="/"
requireSSL="false"
slidingExpiration="true"
defaultUrl="Default.aspx"
cookieless="UseCookies"
enableCrossAppRedirects="false" />
</authentication>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
You're supplying what looks like a container instead of an actual user name to be used in making the connection to AD. Provide the canonical name of a user with sufficient credentials to access AD. Note that if the server is in the same domain, the Network System user that the worker process runs under may already have enough privileges and you won't need to provide a name/password at all.
<add name="AspNetActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider"
applicationName="adtest"
connectionUsername="cn=actualUser"
connectionPassword="actualUsersPassword"
connectionStringName="LocalAD">
</add>
The connection username can have different formats depending on how it was configured. If the user is added to the user role only as a DN (distinguished name), then the format of CN=username,DC=container can be used.
If the user is added to the user role as a Windows user, then the username can be username only.
I hope this clarification helps.
In my web.config I have this:
<system.web>
<authentication mode="Forms">
<forms loginUrl="Login.aspx" protection="All" path="/" timeout="30"/>
</authentication>
<sessionState timeout="20" />
</system.web>
<location path="admin">
<system.web>
<authorization>
<deny users="*"/>
<allow users="admin"/>
</authorization>
</system.web>
</location>
I have two problems:
In my admin path I want only the admin user to have access but I can't find a way to do this. How can I make only the admin user have access?
The user always gets logged out even if I try to use cookies so he shouldn't be logged out. In my login.aspx I have the following code when the user is valid:
FormsAuthentication.RedirectFromLoginPage(user, CheckBoxPersistCookie.Checked);
How can I make the user stay logged in?
Try putting the <allow> line over the <deny> line.
<system.web>
<authentication mode="Forms">
<forms loginUrl="Login.aspx" protection="All" path="/" timeout="30"/>
</authentication>
<sessionState timeout="20" />
</system.web>
<location path="admin">
<system.web>
<authorization>
<allow users="admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
As I understand it, you have a 30-minute timeout on your authentication cookie and 20 minutes on your session cookie. It seems that as the session will expire in 20 minutes, it will be impossible to use the authentication cookie too.
It is a little tricky if you want to keep the user logged in. I know that it is possible to implement it using JavaScript and an invisible iframe. You need to reload the iframe every 5 minutes, for example. Your session will stay alive and the local cookies will be updated.
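Why the order of <allow> and <deny> matters in the admin question above, and how the Secure location rule from the earlier answer combines with the root rules: an added Python sketch, not code from any of the posts, that models first-match evaluation of the users attribute only (roles and verbs are left out). The constant and function names are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the two rule orderings from the admin question.
ORIGINAL = '<authorization><deny users="*"/><allow users="admin"/></authorization>'
REORDERED = '<authorization><allow users="admin"/><deny users="*"/></authorization>'
# Constructed samples: root rules and the "Secure" location rules.
ROOT = '<authorization><allow users="*"/></authorization>'
SECURE = '<authorization><deny users="?"/></authorization>'


def parse_rules(xml_text):
    """Return [(action, [user patterns])] in document order."""
    rules = []
    for el in ET.fromstring(xml_text):
        users = [u.strip() for u in el.get("users", "").split(",") if u.strip()]
        rules.append((el.tag, users))
    return rules


def matches(patterns, user):
    """user is None for an anonymous request; '?' = anonymous, '*' = everyone."""
    for p in patterns:
        if p == "*" or (p == "?" and user is None):
            return True
        if user is not None and p == user:
            return True
    return False


def is_allowed(user, *levels):
    """Evaluate rule lists from most specific (location) to least specific (root).

    The first rule that matches decides. If nothing matches, fall back to
    the machine-level default, which allows everyone.
    """
    for xml_text in levels:
        for action, patterns in parse_rules(xml_text):
            if matches(patterns, user):
                return action == "allow"
    return True


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("reordered", REORDERED)):
        print(label, {u: is_allowed(u, rules) for u in ("admin", "bob", None)})
    print("Secure, anonymous:", is_allowed(None, SECURE, ROOT))
```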