How to maintain Forms authentication session state between Azure Web Roles? - asp.net

I have deployed a RIA Services enabled Silverlight Business application on Azure that uses Forms authentication.
To enable Forms authentication on Azure, I have implemented the Table Storage providers from the Azure Toolkit. It almost works, but I have problems with keeping the session state. After I have logged in and repeatedly press F5 to refresh the page, I switch between being logged in and logged out.
I have two Web Role Instances, and if I disable one of them it works like a charm. But as soon as I enable the second instance it's back to this sporadic behaviour. So clearly the state is not preserved because of the load balancing. Fine, I forgot to implement the Session provider, so I did:
<sessionState mode="Custom" customProvider="TableStorageSessionStateProvider">
<providers>
<clear />
<add name="TableStorageSessionStateProvider"
type="Microsoft.Samples.ServiceHosting.AspProviders.TableStorageSessionStateProvider"
applicationName="AppAdmin"
/>
</providers>
</sessionState>
Sadly, that didn't help.
Update: The actual table (Session) is created in the Table Storage, but no data is in there.
Any ideas and/or suggestions?

Have you set your machine key in web.config?

Related

Maintaining Session across different domains with Azure Redis Cache Session State Provider

How can I share the same session state across different web apps using Azure Redis Cache Session State Provider?
My Web.configs for both applications are like that:
<sessionState mode="Custom" customProvider="MySessionStateStore">
<providers>
<add name="MySessionStateStore"
type="Microsoft.Web.Redis.RedisSessionStateProvider"
port="6380"
host="[myhostname].redis.cache.windows.net"
accessKey="[mykey]"
throwOnError="true"
applicationName="[mySharedAppName]"
ssl="true" />
</providers>
</sessionState>
There are typically two things you need to do:
Set the applicationName attribute to the same string value in the web.config of both apps.
If the apps are in different IIS sites or different servers, you may need to change the cookie scope for the ASP.NET_SessionId cookie that ASP.NET sends to the browser for you behind the scenes. You'll get into trouble if the scope of that session cookie doesn't encompass both apps: the web browsers will use different session cookies and your sessions won't be shared. But if you just have two app directories under the same site then you shouldn't need to think about this.

Automatic or manual Active Directory authentication in asp.net mvc

I'm working on an asp.net mvc web app that is supposed to:
Automatically login someone if they are a valid user in Active Directory.
If the client is outside of the network (they're at home or whatever), allow them to manually login with their AD credentials through a login form.
I'm very new to AD authentication, I'm confused as to if I should be using Forms Authentication or Windows Authentication.
I have this in my web.config:
<add name="ADConnect" connectionString="LDAP://[something]/CN=dhr,DC=[something],DC=net" />
If I set: <authentication mode="Windows">
I can check User.Identity.IsAuthenticated in the controller to determine if they're logged in. If they're not, am I supposed to use this?:
Membership.ValidateUser("someguy", "somepass");
I get an error about making a secure connection to the server if I run the above. I have this as my provider:
<membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
<providers>
<clear />
<add name="AspNetActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider"
connectionStringName="ADConnect" attributeMapUsername="sAMAccountName"
/>
</providers>
</membership>
Typically, network administrators prevent web applications that use Windows authentication from being exposed to the internet for security reasons. This is definitely possible, but you need to make sure that the second scenario is valid and possible in your organization. A common way to connect from the internet is to use a VPN, which will log you in to the network (meaning you will be authenticated against AD).
To perform only authentication for the first scenario you do not need the AspNetActiveDirectoryMembershipProvider. Authentication (validation of user identity) usually only requires the following to be set:
in web.config: authentication mode="Windows" and authorization
on IIS: set integrated Windows authentication to ON
on IIS: if you have the second scenario (or if you have different domains, etc.) keep anonymous access ON - it should prompt with the standard login prompt; otherwise set it OFF

Shared authentication between two servers

I've set up the same site on two servers sitting behind a load balancer. I have the following in my web.config file
<sessionState mode="SQLServer" cookieless="false" allowCustomSqlDatabase="true"
sqlConnectionString="Data Source=server;Initial Catalog=ASPState;Persist Security Info=True;User ID=user;Password=password"
timeout="2880" sqlCommandTimeout="10" />
It appears to be working, I can see the ASPState tables populating when I log in, however I see that if I refresh several times after logging in it goes back and forth between being logged in and not logged in depending on which server I hit. Am I missing something?
I'm using the default webmatrix authentication built into MVC 4.
This can be because you have different MachineKeys on your servers or they have the default value. Because of this, your authentication cookies are encrypted in two different ways.
Try setting the machineKey in your web.config. Here is a tool that helps generate the machineKey: http://aspnetresources.com/tools/machineKey
As this post explains you will need to have the same Application ID on both servers.
"When you create applications that you expect to share session state using Sql Server, they need the same ID configured in IIS. This is because the session ID that is generated is generated based on the application ID. (Internally the application ID is something like LM/W3SVC/1
The two servers had different IDs for each application in IIS. The resolution is to change the ID under 'Manage Website -> Advanced Settings' on each server."
Cheers

Session timeout in web application on Windows Azure platform

I need your help to sort out a problem with session timeout in my application, which is hosted on the Azure platform.
I have developed a web application in ASP.NET, implemented login functionality with session, and added the following code to maintain the session timeout period:
<sessionState mode="InProc" timeout="20"></sessionState>
It works fine on my local system, but when I test it with the live URL on the Azure platform it signs out frequently (session expired).
Can anyone please suggest how I can resolve this issue?
Thanks
Arun.
Are you running more than one WebRole instance? Remember, "InProc" session-state will not be shared across multiple web-role instances. In fact, InProc session state is "evil" in the cloud world, will not work for any deployments with more than 1 instance running. You really want to use another provider, like Session provider for AppFabric Cache
Are you sure the session is expiring? If you are using ASP.NET forms authentication there is another timeout to consider (here I have set it to 180 mins)
<authentication mode="Forms">
<forms loginUrl="Login/" timeout="180"/>
</authentication>
If you do have multiple instances Igorek is right - the session will not be shared.
Please see how-does-microsoft-azure-handle-session-state/1023125#1023125
or refer to the Azure SDK for more information.

proper IIS 6 configuration for forms authentication

I'm using Forms Authentication in my current ASP.NET Web Application (not MVC) and my IIS 6 server is configured with the following options:
in the [directory security tab] -> [Authentication Methods] I have:
the anonymous access Enabled
Integrated windows authentication Enabled
Do the above options prevent Forms Authentication from working properly? In other words, what is the proper IIS 6 configuration for Forms Authentication?
EDIT
I just made a test with the two options above enabled and the Forms Authentication session expired and redirected me to the login page, but all the answers so far advise that [Integrated windows authentication] should be off!
Here is a check list for using ASP.NET Forms Authentication on IIS6
Configure IIS:
In IIS, Site Properties -> Directory Security -> Authentication and Access Control
Enable Anonymous Access
Disable all Authenticated access methods
Configure Forms Authentication:
Configure Forms Authentication in your site's web.config:
<authentication mode="Forms">
<forms name="MySite"
path="/"
loginUrl="~/logon.aspx"
protection="All"
timeout="30"
slidingExpiration="true" />
</authentication>
Your name and loginUrl may vary. The slidingExpiration attribute is used to keep extending the forms authentication cookie lifetime rather than just kicking the user off of the site after the timeout has expired. The timeout value is in minutes.
Configure Session Timeout:
You need to configure your session state timeout to be longer than your Forms Authentication ticket expiry. If you don't do this then an idle session can time out the session but leave the user logged in. Code that expects Session values to be present will throw exceptions because they are gone even though they are still authenticated. The timeout value is also in minutes.
<sessionState mode="InProc" timeout="40" />
Because forms authentication does not rely on IIS authentication, you should configure anonymous access for your application in IIS if you intend to use forms authentication in your ASP.NET application.
See here http://msdn.microsoft.com/en-us/library/ff647070.aspx for more information.
The anonymous access should be enabled, I don't think integrated windows authentication makes a difference but if you're not going to need it then it's best to turn it off. The important thing to remember is to make sure it's turned on in web.config:
<authentication mode="Forms" />
Here's a basic tutorial that might be useful:
Overview of Forms Authentication
Anonymous access -> checked
All other options on the security tab -> unchecked
Note, forms authentication is done by .NET - not by IIS. Also, Windows Authentication MUST be off as well.
Rather technical explanations by MS.
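
An added example, not from any of the posts above: a Python check over the web.config of each load-balanced node for the conditions the answers name, namely an explicit machineKey that is identical on every node, session state that is not InProc, and a session timeout longer than the forms ticket timeout. The sample configs are constructed, the function names are hypothetical, and the HMACSHA256/AES choice in `new_machine_key` is an assumption; attributes missing from a config are read as the ASP.NET defaults.

```python
import secrets
import xml.etree.ElementTree as ET

AUTO = "AutoGenerate,IsolateApps"  # ASP.NET default when no explicit key is configured

def new_machine_key():
    """Build a <machineKey> element from the local OS CSPRNG (algorithms are an assumption)."""
    return ('<machineKey validation="HMACSHA256" decryption="AES" '
            f'validationKey="{secrets.token_hex(64).upper()}" '
            f'decryptionKey="{secrets.token_hex(32).upper()}" />')

def sample_config(machine_key, mode, session_timeout, forms_timeout=30):
    """Constructed web.config text for one node; not taken from the page."""
    return (f'<configuration><system.web>{machine_key}<authentication mode="Forms">'
            f'<forms timeout="{forms_timeout}" /></authentication><sessionState '
            f'mode="{mode}" timeout="{session_timeout}" /></system.web></configuration>')

def settings(xml_text):
    """Extract the farm-relevant attributes, falling back to ASP.NET defaults."""
    web = ET.fromstring(xml_text).find("system.web")
    def attr(path, name, default):
        node = web.find(path)
        return default if node is None else node.get(name, default)
    return {"validationKey": attr("machineKey", "validationKey", AUTO),
            "decryptionKey": attr("machineKey", "decryptionKey", AUTO),
            "mode": attr("sessionState", "mode", "InProc"),
            "session": int(attr("sessionState", "timeout", "20")),
            "forms": int(attr("authentication/forms", "timeout", "30"))}

def audit_farm(configs):
    """configs maps node name -> web.config text; returns a list of findings."""
    parsed, findings = {n: settings(t) for n, t in configs.items()}, []
    for key in ("validationKey", "decryptionKey"):
        values = {s[key] for s in parsed.values()}
        if any(v.startswith("AutoGenerate") for v in values):
            findings.append(f"{key}: auto-generated, differs per server")
        elif len(values) > 1:
            findings.append(f"{key}: explicit but not identical on all nodes")
    for name, s in parsed.items():
        if s["mode"] == "InProc" and len(parsed) > 1:
            findings.append(f"{name}: InProc session state is not shared")
        if s["session"] <= s["forms"]:
            findings.append(f"{name}: session timeout <= forms ticket timeout")
    return findings

if __name__ == "__main__":
    key = new_machine_key()  # generate once, deploy the same element to every node
    for mk, mode, sess in ((key, "SQLServer", 40), ("", "InProc", 20)):
        print(audit_farm({n: sample_config(mk, mode, sess) for n in ("web1", "web2")}))
```

The first constructed farm yields no findings; the second, which relies on the defaults, is flagged for auto-generated keys, InProc session state and a session timeout shorter than the forms ticket.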
