I am trying to set up Single sign on for 2 websites that reside on the same domain
e.g.
http://mydomain (top level site that contains a forms-auth login page)
http://mydomain/admin (seperately developed website residing in a Virtual Application within the parent website)
Have read a few articles on Single Sign on
e.g.
http://www.codeproject.com/KB/aspnet/SingleSignon.aspx
http://msdn.microsoft.com/en-us/library/dd577079.aspx
And they seem to suggest it is just a case of having the same machinekey section in each web.config so that the cookie encryption and decryption is the same for each application
I have set this up and I never get prompted for credentials in the sub-website (the virtual application)
I always get prompted in the parent site.
In addition to having the same machinekey I've also tried adding the same <authentication> and <authorisation> elements
Any idea what I could be missing?
Your forms section of web.config needs to be the same as well.
Quote from - Forms Authentication Across Applications
To configure forms authentication across applications, you set attributes of the forms and machineKey sections of the Web.config file to the same values for all applications that are participating in shared forms authentication.
The following example shows the
Authentication section of a Web.config
file. Unless otherwise noted, the
name, protection, path, validationKey,
validation, decryptionKey, and
decryption attributes must be
identical across all applications.
Similarly, the encryption and
validation key values and the
encryption scheme and validation
scheme used for authentication tickets
(cookie data) must be the same. If the
settings do not match, authentication
tickets cannot be shared.
I had used <clear/> on the httpModules section, as there were items in the parent that did not exist in the bin dir for the child (/admin)
In doing so (using <clear/> that is ) I had inadvertently cleared the FormsAuthentication module specified in the web.config in
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG
so i needed to re-add those explicitly to the child (/admin) config
Try configuring the httpCookies section in the web.config of both applications to use the same domain. That way when you log-in to one app the FormsAuthentication cookie you get will be visible to the other application.
You need to have the same authentication elements in the web.config. In the contained forms element, make sure you give each application the same value for the name attribute. For the loginUrl attribute, I use a relative path and use the same logon page for all of the applications (e.g. loginUrl="/MainApp/login.aspx").
Also, are you creating the authentication ticket manually?
There is a breaking change in ASP.NET 4.5's token generation
If you're mixing ASP.NET 4.5 apps with apps targeting earlier versions, you will need to ensure compatible tokens are used everywhere. Add this attribute to the <machineKey> on any site targeting .NET 4.5 or higher:
<system.web>
<machineKey compatibilityMode="Framework20SP2" />
</system.web>
See this answer for more details. Special thanks to this comment which pointed me in the right direction.
Related
Current installation
I have two web applications app_A and app_B (same app with app_A but for test purposes) under IIS default website. A domain www.mydomain.com that points to the server needs to access app_A. That can be done by changing the physical path from \inetpub\wwwroot\ to \inetpub\wwwroot\app_A.
The second application should be access under www.mydomain.com/app_B/
Problem
When accessing www.mydomain.com/app_B/ because it's now a sub-directory of app_A it sees the web.config from app_A and I got error like "duplicate entries in web.config" when accessing the www.mydomain.com/app_B/ application. I can eliminate the errors by using the tag to remove first and declare again the entries in app_B web.config.
Questions
Is there any other way to make the installation in order app_A would be access from www.mydomain.com/ and app_B from www.mydomain.com/app_B without messing the web.config files as described above?
For the current installation, is there a way to set something on IIS in order for app_B not to see at all web.config from app_A because is a subdirectory?
For the current installation, do you see any real problems (possibly on security) by using the remove tag for the app_B application?
For the current installation I observer a strange behaviour. If I login to app_A and app_B and logout from app_A it also logout from app_B (not always). I am using Active Directory for authentication. Do I need to change something in app_B's web.config in order to say that it's totally different application?
I know this is an old question and you might have found out the solution. I am replying in case you need an answer.
There are two ways to avoid merging of parent’s config file and child’s config file. Either you can add
inheritInChildApplications="false" Tag in the parent’s config file. For example:
<location path="." inheritInChildApplications="false">
<connectionStrings>
</connectionStrings>
</location>
Or
you can add "Remove" tag or "Clear" in child’s config file to clear the parent’s settings.
Also, I don’t see any security threats by clearing parents settings.
By any chance are you using same cookie name in authentication for parent and child applications? If this is the case, once you login to child application, the cookie generated by the parent application will be overridden. Try specifying name of the cookie for at least one of the application.
Here's the situation:
Website A, ASP.NET MVC 4 web application. Domain: http://a.example.com
Website B, ASP.NET MVC 4 web applicaiton. Domain: http://b.example.com
I'm trying to share a cookie (forms authentication) between the websites.
I'm not using Forms Authentication per-se. I'm using the built-in methods (Encrypt, Decrypt, etc), but I'm setting my own custom cookie.
When I set the cookie on one of the websites, the other ones sees the cookie, but can't decrypt it. The error is the generic "Error occurred during a cryptographic operation".
What I've ensured:
The cookie has the domain set to "example.com" (which means subdomains can access. Proof is the other website can "see" the cookie).
Both websites share the same machine key. The web.config for both has the same value for the decryptionKey and validationKey.
The forms authentication ticket version and cookie name are the same across both websites.
The path is set to "/".
I've done this before and it works fine, but in that scenario both applications were sharing the same code base.
In this instance, they are separate applications. This is because i am prototyping a solution where two platform-independent applications on the same top level domain can share a authentication cookie.
Can anyone tell me what i's missing, or provide an alternative solution.
I've read all the related questions, but the answer is usually 2) above.
When you create a new ASP.NET 4.5 (e.g ASP.NET MVC 4) application, the following line is added to the web.config:
<httpRuntime targetFramework="4.5" />
This was not present in my other application, possibly because my other application was an ASP.NET 3.5 application which was upgraded to 4.5.
Removing that line in the new ASP.NET web application fixed the problem.
I think this is due to the compatability mode value:
http://msdn.microsoft.com/en-us/library/system.web.configuration.machinekeysection.compatibilitymode.aspx
Framework45. Cryptographic enhancements for ASP.NET 4.5 are in effect. This is the default value if the application Web.config file has the targetFramework attribute of the httpRuntime element set to "4.5".
Not sure i get how removing that line solved the problem. I assume application one has a different compatability mode, since it didn't have that httpRuntime element.
The Best way to handle this is to make machinekey decryption fall back to Framework20SP2
From this article : http://msdn.microsoft.com/en-us/library/system.web.configuration.machinekeysection.compatibilitymode.aspx
Just add that attribute to machinekey in your .net 4.5 application
<machineKey validationKey="" decryptionKey="" validation="SHA1" compatibilityMode="Framework20SP2" />
you won't need to remove targetFramework="4.5" from httpruntime now.
I am trying to run two web application using the same ASP.NET membership provider database that comes with MVC3. So two web app runs side by side and they both has the same connection to the same membership databse. The problem now is, I can only login at one app and get automatically log out at the other. However, the feature I want is, if I log into either one, I get automatically log into the other.
I was wondering what the trick is to enable this feature.
thanks a lot
If you are using Forms Authentication users are tracked with cookies. Cookies are by default restricted only to the application that emitted them. And because of this the other application cannot see the authentication cookie created by the first. So for example if you have the two applications hosted respectively on foo.example.com and bar.example.com you could set the domain property of the cookie in web.config of both applications to example.com:
<forms
loginUrl="/login/index.mcp"
requireSSL="true"
protection="All"
timeout="120"
domain="example.com"
/>
This way the cookie will be shared among those two applications and you will be able to achieve Single Sign On.
Finanlly I fixed it.
My application runs under the same domain so domain is not a problem (But Thank you very much, Darin).
The problem is:
IIS by default generate differnt machine key for differnt web application. So I have to specify the same machine key in web.config explicitly~!
I've got an ASP .NET website which uses Forms authentication to secure certain parts of the site. We have a test version of the site on a server and are making it available to partners over the web, e.g. at test.mydomain.com.
I need to secure all parts of the site so that only our partners can use it. Ideally it would be nice to have basic authentication pop up when they first hit the site, then have it work as normal thereafter, i.e. forms auth for certain areas.
However it seems ASP .NET and IIS don't support this. I'm aware of MADAM but that achieves something slightly different to what I need.
I'm considering restricting access by IP but that has two drawbacks, one it requires parters to "sign up" with their IP, and two, their IP could change.
Does anyone else have any suggestions?
One solution is to check for the existence of a 'basic authentication' cookie on each request. If it doesn't exist or doesn't have valid data, don't allow access to the site. This could be checked in a base page that all pages inherit from or masterpage etc.
In order to set the cookie, you could create page that you send your partners to. It might just be at a obscure url, or require that they enter a password. Basically what ever security mechanism suits you, but once they 'pass the test', you set the cookie that gives them access to the site.
Then they would have access and be able to login using your existing forms authentication.
Does that make sense.
Assuming your site implements roles, you can block access using traditional forms authentication and the location attributes. Something like:
<configuration>
<location path="Testing">
<system.web>
<authorization>
<allow roles="partners" />
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>
You would then need to make sure all of the users that need access to that part of the site were in the partners role.
Ummm....
Well, the above solutions will work, but overall there is a better way. But does require some planning ahead.
your development and staging servers shouldn't be open to the general public, search bots, ect.. ect..
your dev and stg boxes can be locked down buy firewall or even ip access controls via IIS
No code solution
In the end we decided that securing the entire site via Forms authentication, and issuing test accounts to our partners, was the best solution.
Thanks to all for your suggestions.
I'm currently using the asp.net membership provider (with logins stored in db) to protect certain pages of my site. However, I also have non .aspx resources I wish to protect - word docs, excel spreadsheets, pdfs, etc. Is this even possible? If so how would I go about doing this?
thanks!
If you are running IIS 7 under the integrated pipeline (the default setup), all requests go through IIS. This means you have to do nothing other than setup your web.config. You'll need to do one little thing though, put the following attribute on the modules node under system.webServer:
<modules runAllManagedModulesForAllRequests="true" />
This ensures that the forms authentication modules run for your static content.