I am trying to run two web application using the same ASP.NET membership provider database that comes with MVC3. So two web app runs side by side and they both has the same connection to the same membership databse. The problem now is, I can only login at one app and get automatically log out at the other. However, the feature I want is, if I log into either one, I get automatically log into the other.
I was wondering what the trick is to enable this feature.
thanks a lot
If you are using Forms Authentication users are tracked with cookies. Cookies are by default restricted only to the application that emitted them. And because of this the other application cannot see the authentication cookie created by the first. So for example if you have the two applications hosted respectively on foo.example.com and bar.example.com you could set the domain property of the cookie in web.config of both applications to example.com:
<forms
loginUrl="/login/index.mcp"
requireSSL="true"
protection="All"
timeout="120"
domain="example.com"
/>
This way the cookie will be shared among those two applications and you will be able to achieve Single Sign On.
Finanlly I fixed it.
My application runs under the same domain so domain is not a problem (But Thank you very much, Darin).
The problem is:
IIS by default generate differnt machine key for differnt web application. So I have to specify the same machine key in web.config explicitly~!
Related
Here's the situation:
Website A, ASP.NET MVC 4 web application. Domain: http://a.example.com
Website B, ASP.NET MVC 4 web applicaiton. Domain: http://b.example.com
I'm trying to share a cookie (forms authentication) between the websites.
I'm not using Forms Authentication per-se. I'm using the built-in methods (Encrypt, Decrypt, etc), but I'm setting my own custom cookie.
When I set the cookie on one of the websites, the other ones sees the cookie, but can't decrypt it. The error is the generic "Error occurred during a cryptographic operation".
What I've ensured:
The cookie has the domain set to "example.com" (which means subdomains can access. Proof is the other website can "see" the cookie).
Both websites share the same machine key. The web.config for both has the same value for the decryptionKey and validationKey.
The forms authentication ticket version and cookie name are the same across both websites.
The path is set to "/".
I've done this before and it works fine, but in that scenario both applications were sharing the same code base.
In this instance, they are separate applications. This is because i am prototyping a solution where two platform-independent applications on the same top level domain can share a authentication cookie.
Can anyone tell me what i's missing, or provide an alternative solution.
I've read all the related questions, but the answer is usually 2) above.
When you create a new ASP.NET 4.5 (e.g ASP.NET MVC 4) application, the following line is added to the web.config:
<httpRuntime targetFramework="4.5" />
This was not present in my other application, possibly because my other application was an ASP.NET 3.5 application which was upgraded to 4.5.
Removing that line in the new ASP.NET web application fixed the problem.
I think this is due to the compatability mode value:
http://msdn.microsoft.com/en-us/library/system.web.configuration.machinekeysection.compatibilitymode.aspx
Framework45. Cryptographic enhancements for ASP.NET 4.5 are in effect. This is the default value if the application Web.config file has the targetFramework attribute of the httpRuntime element set to "4.5".
Not sure i get how removing that line solved the problem. I assume application one has a different compatability mode, since it didn't have that httpRuntime element.
The Best way to handle this is to make machinekey decryption fall back to Framework20SP2
From this article : http://msdn.microsoft.com/en-us/library/system.web.configuration.machinekeysection.compatibilitymode.aspx
Just add that attribute to machinekey in your .net 4.5 application
<machineKey validationKey="" decryptionKey="" validation="SHA1" compatibilityMode="Framework20SP2" />
you won't need to remove targetFramework="4.5" from httpruntime now.
I am working on several asp.net sites simultaniously. All of them use cookie-based (out of the box) authentication mechnism. When a web site on localhost:4587 was being bedduged in VS I have logged in as an "admin" user and did some testing.
The next day I am opening different project for debugging that runs on localhost. And when I attempt to access the MVC controller action that is marked with Authorization atribute, the system assumes the current user is "admin" and is looking for it's roles based on a custom provider. But on this site, there isn't even a user named "admin". How can I make sure cookies from other sites don't make it to Role check in ASP.NET MVC application?
I would suggest it is always a good practice to delete all localhost cookies after testing. As explained here : asp.net cookies, authentication and session timeouts , you can also add details to the authentication cookie to ensure it is discarded after a session, ie when you close the browser or to differentiate between two sites. Another approach to avoid cookies 'clashing' is to use two different browsers : Chrome for the one and a Comodo Dragon or Chromium for the other.
Give your forms tag a unique name in each application
<authentication mode="Forms">
<forms name="myVeryUniqueNameForApp1" />
</authentication>
<authentication mode="Forms">
<forms name="myCompletelyUniqueNameForApp2" />
</authentication>
I've been trying to resolve this question for a couple weeks now via Google and reading SO, and not had much luck, so I thought I'd finally try asking myself.
I'm setting up a very, very simple ASP.NET site on our intranet to generate some information for internal users. I'm using Windows authentication, rather than anonymous access, because based on what user hits the site I will be generating different information.
Long story short, this works perfectly in testing on my local Windows 7 machine where I developed the application. However, from the Windows 2008 R2 server where I want it to reside, when I hit the site I get a pop-up asking for my credentials, and even if I enter them it asks me for them again and again. This happens regardless if I'm hitting the site remotely or locally. If I try using anonymous access I can reach the site both ways but as I cannot identify the user I cannot generate the information I would like to provide.
Notes:
In IIS, I have Windows Authentication and ASP.NET Impersonation
enabled for the site. Everything else is disabled.
For the sake of figuring it out, I currently have the web.config set to allow all users and am not denying any.
The host/URL I'm using for it is toolName.organization.local
I was concerned that it was an issue of the 2008 R2 server admin user residing in a different domain then my remote user that I was testing with but again it does not work locally either.
In the AppHost file, I currently have windowsAuthentication enabled.
<windowsAuthentication enabled="true">
<providers>
<add value="Negotiate" />
<add value="NTLM" />
</providers>
</windowsAuthentication>
Admittedly, I typically use forms authentication on this server for all of our other internal sites so I'm a bit new to windows authentication and this issue. At this point I'm just not sure what to try or check next, so any advice would be helpful. Thanks.
I know this is a slightly old topic, but I had this exact same problem. Turns out I had the AppPool using Identity: ApplicationPoolIdentity instead of NetworkService. Once I switched that (under Advanced Settings in IIS7.5) I no longer got the server prompting for additional credentials and the pass-through worked perfectly.
Hope that helps!
First, you should realize that Windows passthrough authentication only works with Internet Explorer, and then only if the site is in the trusted sites, or intranet sites security group. Firefox, Chrome, etc.. will always prompt for credentials.
Having said that, you have a couple of issues.
You should have an <authentication mode="Windows" /> element in your web.config
You should decide if you want the app to run in the context of the user, in which case you would also need an <identity impersonate="true"/> tag. If not it should be false (although this is the default).
You do not need to have any authorization rules in your web.config if the site itself is completely guarded by windows authentication.
Just in case it's helpful, the problem for me was that I had left my application pool in Classic mode, in order to try to use NTFS permissions. I never got that to work, but once I switched it back to Integrated mode, I could use <allow> and <deny> tags to configure specific users' access.
I'm building an intranet web site (asp.net 3.5) which has windows authentication. Two questions:
When the code behind makes a trusted connection to the SQL server, will it connect with app pool credentials or current page user credentials?
Right now, with a blank page, when the internal user (logged in to the domain) tries to hit the page they get challenged with windows login screen, and their credentials don't work.
Is there anything else I need to setup in web.config or IIS for the windows authentication to work, other than adding <authentication mode="Windows"/>?
You can configure the Windows identity of your ASP.NET application as the Windows identity supplied by IIS by enabling impersonation. That is, you instruct your ASP.NET application to impersonate the identity supplied by IIS for all tasks that the Windows operating system authenticates, including file and network access.
To enable impersonation for your Web application, in the application's Web.config file set the impersonate attribute of the identity element to true, as shown in the following code example.
<system.web>
<authentication mode="Windows"/>
<identity impersonate="true"/>
</system.web>
Source
You don't want to use imporsonate as suggested by kd7. Because then you will need to give your users rights on the database. Might be okay for SELECT operations, but I don't think your DBAs will go along if you also need to UDATE/DELETE operations. already addressed by kd7.
When you enable "Windows" authentication, you need to not only configure your application to use it, you also need to configure IIS as well.
You also need to make sure that your AppPool user has proper permissions on the File System for your site.
Depending on IIS version, the procedure for enabling windows authentication is different. You can google it.
I am trying to set up Single sign on for 2 websites that reside on the same domain
e.g.
http://mydomain (top level site that contains a forms-auth login page)
http://mydomain/admin (seperately developed website residing in a Virtual Application within the parent website)
Have read a few articles on Single Sign on
e.g.
http://www.codeproject.com/KB/aspnet/SingleSignon.aspx
http://msdn.microsoft.com/en-us/library/dd577079.aspx
And they seem to suggest it is just a case of having the same machinekey section in each web.config so that the cookie encryption and decryption is the same for each application
I have set this up and I never get prompted for credentials in the sub-website (the virtual application)
I always get prompted in the parent site.
In addition to having the same machinekey I've also tried adding the same <authentication> and <authorisation> elements
Any idea what I could be missing?
Your forms section of web.config needs to be the same as well.
Quote from - Forms Authentication Across Applications
To configure forms authentication across applications, you set attributes of the forms and machineKey sections of the Web.config file to the same values for all applications that are participating in shared forms authentication.
The following example shows the
Authentication section of a Web.config
file. Unless otherwise noted, the
name, protection, path, validationKey,
validation, decryptionKey, and
decryption attributes must be
identical across all applications.
Similarly, the encryption and
validation key values and the
encryption scheme and validation
scheme used for authentication tickets
(cookie data) must be the same. If the
settings do not match, authentication
tickets cannot be shared.
I had used <clear/> on the httpModules section, as there were items in the parent that did not exist in the bin dir for the child (/admin)
In doing so (using <clear/> that is ) I had inadvertently cleared the FormsAuthentication module specified in the web.config in
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG
so i needed to re-add those explicitly to the child (/admin) config
Try configuring the httpCookies section in the web.config of both applications to use the same domain. That way when you log-in to one app the FormsAuthentication cookie you get will be visible to the other application.
You need to have the same authentication elements in the web.config. In the contained forms element, make sure you give each application the same value for the name attribute. For the loginUrl attribute, I use a relative path and use the same logon page for all of the applications (e.g. loginUrl="/MainApp/login.aspx").
Also, are you creating the authentication ticket manually?
There is a breaking change in ASP.NET 4.5's token generation
If you're mixing ASP.NET 4.5 apps with apps targeting earlier versions, you will need to ensure compatible tokens are used everywhere. Add this attribute to the <machineKey> on any site targeting .NET 4.5 or higher:
<system.web>
<machineKey compatibilityMode="Framework20SP2" />
</system.web>
See this answer for more details. Special thanks to this comment which pointed me in the right direction.