Sharing forms authentication between a Web Site and a Web Application - asp.net

Previously, I have implemented two separate ASP.NET Web Applications, one as a virtual application in a subfolder of the other, which successfully shared forms authentication as described at http://msdn.microsoft.com/en-us/library/eb0zx8fc.aspx
(basically, setting up identical <forms> sections in the Web.config, and keys in the <machineKey> section)
Now, I am trying to do something similar to get BlogEngine.NET (which is a Web Site, not a Web Application) to work sharing forms authentication with a Web Application of mine. I have tried both putting it as a virtual application in a subfolder, and setting it up as a separate IIS site (same domain name, different port number), but I can't get the authentication to work at all: when I go to the blog while logged in to my Web Application, Page.User.Identity.IsAuthenticated is always still "false".
I'm really not sure how to even start debugging this, since the forms authentication is handled before any of my code runs.
<authentication> section of the two Web.configs are the same:
<authentication mode="Forms">
<forms path="/" domain="localhost" timeout="129600" name=".WebSiteName"
protection="All" slidingExpiration="true" loginUrl="/admin/login.aspx"
cookieless="UseCookies"/>
</authentication>
And <machineKey> also:
<machineKey validationKey="DD45C42ACEAF1E208E9B78288177EBF9C8C7C54C6D05BA2FBA90B5348B8F6987216CB098056891CFE81DC33E37C5F9A2BF1845DBF902C6E4BBFEC2341FFA3635"
decryptionKey="0C69852D8BE0948D545C35B932D394102802FAF7FA46E99B4E5B5E12546E4620"
validation="SHA1" decryption="AES" />
Does anyone have any suggestions as to what I should check or try?

This was a good resource for this issue: http://blogs.msdn.com/b/cliffgreen/archive/2011/03/29/reporting-services-single-sign-on-sso-authentication-part-1.aspx
Note there are links within this article that are useful to read.

Related

How To Pass UserIdentity/UserName From WebForm application to MVC5 Application?

I have a asp.net webform application (ProA). It was built some time ago by someone else, although I can access source code. Now, I finished another application which is a MVC5 (ProB).
ProA uses asp.net membership for authenticate users. ProB is not using any membership. Now, we want to add user authenticate to ProB, and also some parts of ProB is using username as parameter for some data.
Now, we want to force user login from ProA, then maybe click a link/button, redirect the user to ProB. In ProB, we create an authorize filter to verify the user has the right, then show the pages.
I have tried to use forms authentiction across applications, described in: Forms Authentication Across Applications . But it does not work. The changes I made in web.config is:
<authentication mode="Forms">
<forms name="X.ASPXAUTH" loginUrl="~/Login.aspx" path="/"
protection="All"
enableCrossAppRedirects="true"
/>
</authentication>
Could it be because that one is webform and the other is MVC? Also, ProB actually does not have any membership installed yet, does it affect this form authentiction?
Any other suggestions?
Thanks.
--- Added more info:
1) I'm testing on my local machine. I run both sites in VS2012. What should I use for domain? "localhost"? ".localhost"? or, not use domain at all? seems not working.
2) I added a button on ProA, when clicked, use this redirect to ProB:
HttpContext.Current.Response.Redirect("http://localhost:12345/", false);
Is this the correct way? The HttpContext has the user identity.
3) Does ProB have to have membership? Now, ProB does NOT have membership feature, is it the reason?
You shouldn't have any issues with sharing the authentication across web forms and MVC apps. The underlying technology is the same, .Net uses an encrypted to cookie which has the forms auth ticket.
Read the following MSDN article: https://msdn.microsoft.com/en-us/library/eb0zx8fc.aspx
The main things to note are the domain reference and the machineKey config.
The domain attribute of the forms auth config allows the browser to include that auth cookie with the requests sent to each site. Then the machineKey portion is the part that handles the encryption/decryption.
Both sites must have the config setup up identically for this to work, and also be running on the same domain i.e. xyz.contoso.com and abc.contoso.com
web.config
<configuration>
<system.web>
<authentication mode="Forms" >
<!-- The name, protection, and path attributes must match
exactly in each Web.config file. -->
<forms loginUrl="login.aspx"
name=".ASPXFORMSAUTH"
protection="All"
path="/"
domain="contoso.com"
timeout="30" />
</authentication>
<!-- Validation and decryption keys must exactly match and cannot
be set to "AutoGenerate". The validation and decryption
algorithms must also be the same. -->
<machineKey
validationKey="[your key here]"
decryptionKey="[your key here]"
validation="SHA1" />
</system.web>
</configuration>
EDIT
Use the following link to generate your machine keys: http://www.developerfusion.com/tools/generatemachinekey/

How SetAuthCookie works for two different site

I would like know how SetAuthCookie works for different application on same server?
Currently I have two similar applications with different virtual directories.
How can I make it so that if I login to one of them then it doesn't ask me for login on the other application, and the same for logout?
It is possible if both applications are hosted on the same top level domain. You should specify this domain in your web.config of both applications:
<forms
name="name"
loginUrl="URL"
defaultUrl="URL"
domain="example.com">
</forms>
This way the forms authentication cookie will be emitted with the domain property setup and the client will effectively send it between the 2 applications. Another pre-requisite is that both applications share the same machine keys so that an authentication cookie that was encrypted by the first application can be successfully decrypted by the second application. If both applications are hosted on the same server you could set those machine keys in machine.config, if not then you could set them in web.config of each application:
<system.web>
<machineKey decryption="AES" decryptionKey="C03B1AB0BC1ACCD18EA915CBD87373010AD0DEC430A69871,IsolateApps" validation="AES" validationKey="C0ED7C430148AD4BC6505085DA4FD0DD3EE2453B566FC4EA4C7B3C2DCAB2025A79C774370CA884DF909CE9A3D379E544B7890D0A1CEE164141D3A966999DC625,IsolateApps" />
</system.web>
I've also covered this in the following answer.
Even the post is old but there is an easy solution add "name" in the form tag in web.config, coz if you dont give a name to the cookie it will have a default one
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" name="client" />
</authentication>
for the other application put another name, it works perfectly with me. good luck

Auto logging in to another ASP.NET Application from main Web Application

I'm running the latest version of YetAnotherForum in a folder beneath my main WebApplication. The subfolder is configured as an application in IIS and navigating to the folder and logging in works wonderfully. YAF is setup with a membership provider and uses Forms Authentication.
What I'm trying to do now is to auto login a user into the forum from the main website. The main website uses custom authentication through sessions and cookies. It doesn't use any of the built in ASP.NET authentication or membership components.
So basically what I want to happen is that when a user click on a link to access the forums, they're sent to a processing page that authenticates them into the YAF Application before it sends them over to the subfolder.
Even though the main app doesn't use the built in authentications pieces, I've still set the authentication mode to forms and made sure the tag beneath that matches the one in the YAF web.config. Then, on the processing page I'm calling FormsAuthentication.SetAuthCookie(username, true), then redirecting. But YAF kicks me back to the login page anyway. Not sure where to go from here.
Main site is:
example.com/
web.config:
<authentication mode="Forms">
<forms name=".YAFNET_Authentication" protection="All" timeout="43200" cookieless="UseCookies" />
</authentication>
YAF is:
example.com/yaf (Seperate WebApplication in IIS)
web.config
<authentication mode="Forms">
<forms name=".YAFNET_Authentication" protection="All" timeout="43200" cookieless="UseCookies" />
</authentication>
Processing page is: (in pseudo)
example.com/autoLogin.aspx.cs
public void AutLogin(){
string userName = doStuffToGetUsername();
YAFStuff.CreateUserIfNeeeded(userName);
FormsAuthentication.SetAuthCookie(userName, true);
Response.Redirect("/yaf/");
}
I'd been searching Google for 2 days trying to sort this out, but I finally stumbled onto the solution. I needed a MachineKey that matched on both web.config files for the encryption process.
http://forum.yetanotherforum.net/yaf_postst8780_Custom-membership-and-role-provider-with-YAF-Profile-provider.aspx
Sweet!

Authentication Token Not Working Properly in ASP.NET Web Application

I've converted a web site to a web application and am now experiencing a strange behavior with the application. Essentially, there are 2 webs. One web site is the main, front-facing site written in ASP.NET 1.1 but with the Membership piece added from 2.0. The other is a former web site now grown up to a web application.
It seems as though when I login to the web site (project 1), I get properly redirected to the web app (project 2) properly. However, any link I click on sends me back to login on the web site (project 1). The machine keys are the same and all of the forms authentication properties are the same.
I've stopped IIS several times and deleted the files in the temporary folder and still no go. Very frustrating.
Here is an example of my forms element for my web app:
<forms domain="beta.domain.com" name=".ASPXAUTH" loginUrl="http://beta.domain.com/" protection="All" timeout="600" path="/" requireSSL="true" slidingExpiration="true" defaultUrl="https://beta.domain.com/app/" enableCrossAppRedirects="true"/>
Here is an example of my forms element for the web site:
<forms name=".ASPXAUTH" enableCrossAppRedirects="true" timeout="600" defaultUrl="/QueryStringAuthenticate.aspx" loginUrl="/" protection="All" slidingExpiration="true" cookieless="UseDeviceProfile" domain="beta.domain.com" />
Then on both I have the same machine key value specified. The QueryStringAuthenticate.aspx page in the web site hasn't changed. It still does the same thing it always did (obtain the cookie name [.ASPXAUTH] and cookie value [authentication token]).
I finally got it. It actually had nothing to do with the authentication itself, but rather the browser settings. Apparently, someone had modified our image file for dev machines to add the site in the trusted sites for HTTPS, but did not add it without the HTTPS. So, IE was dropping the connection somewhere. Either adding both with and without the HTTPS or removing those entries resolved the issue.

ASP.NET Forms Authentication on Load Balanced Servers

Are there any possible issues with using the default Forms Authentication (see below) on Load Balanced servers? If there can be, what can I do to prevent the issues.
<authentication mode="Forms">
<forms loginUrl="~/Login/" protection="All" timeout="30" />
</authentication>
Can I use cookies (used by default)? Do I have to go cookieless? etc...
Also, does Microsoft (or VMWare) have a VirtualPC download that is an instant Load Balanced testing environment?
There is one issue. The cookies are encrypted and validated using the machine key and the validation key (that's what protection="All" means). You will have to set those in your top-level web.config in all the servers, otherwise each of them will have a different one and will reject cookies set by the others.
You can find a machineKey generator here. Then put the generated xml inside in the web.config of all the servers and you're ready to rock.

Resources