Forms authentication across apps - missing something basic?

Discussion in 'ASP .Net Security' started by Geoff Pennington, Oct 6, 2005.

  1. I have two applications running on the same server. The URL for one is
    http://mydomain/app1/ and the other is http://mydomain/app2/. Currently the
    login and authentication are handled by each application, but we want to use
    one login screen that will handle authentication for both apps. We have
    created a new application at http://mydomain/sharedApp/ for this purpose.

    There are a lot of samples on the internet showing how to set up the
    web.config and it looks like a simple thing to do. But when I try using the
    shared login (http://mydomain/sharedApp/login.aspx) I get to the point in
    my code (login.aspx.vb) where it has the Redirect to the home page of the
    requested application, and then I get a system generated popup asking for an
    ID and password. Entering either my network credentials (should not be
    necessary, I am already logged onto the network) or my application defined
    credentials does not help. I end with a big ugly "Access denied" screen.

    Following the examples I have found, I placed the following in the
    web.config of each application:
    <authentication mode="Forms">
    <forms name=".ELECTRONICDD562" loginUrl="/sharedApp/Login.aspx"
    protection="All" timeout="180" path="/"/>
    </authentication>

    <machineKey
    validationKey='9EB85D0934D1D93D7698498D2E198A8892FBD9018A9CC159D6DC69A546DCAA286CE6EAC06DFDE003D8F1394CEDAA709112AB33558CA87377B46DF4CA3A991F51'
    decryptionKey='1063568D30161DE2EC969111B901F54B48DB8573B2F4BEE7'
    validation='SHA1' />

    I got the validation and decryption keys from a utility at
    http://www.eggheadcafe.com/articles/GenerateMachineKey/GenerateMachineKey.aspx

    Might that be the problem?

    I've been spinning my wheels on this for several days and it doesn't look
    like it should be this hard. Any ideas?

    Much obliged.
     
    Geoff Pennington, Oct 6, 2005
    #1

  2. The new application folder needs ACL rights. User ASPNET and the webuser
    need read rights.


     
    Martin de Jong, Oct 6, 2005
    #2

  3. Thanks, I'll take that up with my system administrator.

     
    Geoff Pennington, Oct 6, 2005
    #3
  4. No change

    I added read rights for the ASPNet account and for the IUSR_WebDev (I
    believe WebDev is the server name). It made no difference. Is IUSR_WebDev
    the "webuser" account you meant?

    Much obliged.

     
    Geoff Pennington, Oct 6, 2005
    #4
  5. Re: No change

    So to clear my understanding, both app1 and app2 are virtual directories, as
    is the new 'sharedapp' which you want to use to control login for those 2
    sites. If that is correct, and you are using forms auth for all these sites,
    you will need to provide the validation and decryption key for 'each'
    application as well as ensure that the cookie name is the same for all the
    apps. This way, when an auth cookie is encrypted and sent as a response to the
    auth request, it can be decrypted and accessed by the 'recipient' site, whether
    that be 'app1' or 'app2'. Alternatively, you can put the validation and
    decryption key explicitly in the machine.config which means it will be
    consistent across all applications.

    By default, you will have something like decryptionKey="AutoGenerate,
    IsolateApp" which auto-generates the decryption key for each and every
    application on the box. Having it only in one application is not enough.

    Hopefully, I have your scenario correct.

    --
    - Paul Glavich
    MVP ASP.NET
    http://weblogs.asp.net/pglavich
    ASPInsiders member - http://www.aspinsiders.com


     
    Paul Glavich [MVP ASP.NET], Oct 11, 2005
    #5
  6. Re: No change

    Paul -
    I believe you have the scenario correct. The validation and decryption keys
    are set to the same value in the web.config of each app (as per my original
    post). I used a "cut and paste" to make sure they were the same. I am at a
    loss to know why doing so does not work for me.

    I have not tried placing the keys in machine.config.

    Much obliged,
    Geoff.

     
    Geoff Pennington, Oct 11, 2005
    #6
  7. Re: No change

    I guess you have the cookie name and path identical in each app's web.config
    too.

    Try putting the decryptionKey explicitly in the machine.config and remove
    the web.config entries to see if that makes a difference. You may have to
    write some code to allow some tracing and debugging to be done.

    In the Application_AuthenticateRequest event within the Global.asax.cs
    file, iterate through any cookies you have in 'app1' and 'app2' to see if
    the cookie is making it that far, and then manually try and decrypt it using
    FormsAuthentication.Decrypt to see if that is successful (if you get a
    matching cookie).

    I also assume Anonymous auth has been enabled via IIS settings for all
    applications/virtual directories and no file specific settings have been
    applied.

    Re-reading your post, it's a system popup like the standard network
    credential popup when you have an unauthenticated Windows user requesting
    access, which is not something forms auth will generate, and the error may
    not be with the forms authentication part at all.

    Failing all that, I would start "removing" authentication piece by piece
    from the configuration of the IIS vdir and the web.config until the prompt
    disappeared. This would then point at the specific piece that is causing
    this credential prompt.

    For example, if you revert to having each app authenticate via forms auth on
    its own site (not via the shared app), this prompt never appears? (On those
    same servers, of course.)

    Do all the web apps (shared, app1 and app2) exist in the same app pool?

    --
    - Paul Glavich
    MVP ASP.NET
    http://weblogs.asp.net/pglavich
    ASPInsiders member - http://www.aspinsiders.com


     
    Paul Glavich [MVP ASP.NET], Oct 13, 2005
    #7
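The cookie-tracing check Paul describes in #7 (and the shared-key requirement from #5), written out as an added example; this is not code from the thread. It assumes a Global.asax.cs in app1 and app2 with the same machineKey and forms cookie name as sharedApp, and writes to the page trace (trace="true" in web.config, output at /trace.axd):

```csharp
// Added diagnostic for Global.asax.cs in app1 and app2 (not from the thread).
using System;
using System.Web;
using System.Web.Security;

public partial class Global : HttpApplication
{
    // Runs for every request before the forms auth module sets the principal,
    // so a missing or undecryptable cookie shows up here, not as a 401.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpRequest request = Context.Request;
        // Resolved from <forms name="..."> in this app's web.config; must match
        // the name sharedApp used when it issued the cookie.
        string expectedName = FormsAuthentication.FormsCookieName;

        foreach (string name in request.Cookies.AllKeys)
        {
            HttpCookie cookie = request.Cookies[name];
            if (cookie == null) continue;

            bool isAuthCookie = string.Equals(name, expectedName, StringComparison.OrdinalIgnoreCase);
            Context.Trace.Write("Cookies",
                string.Format("{0} (len={1}){2}", name, cookie.Value.Length,
                              isAuthCookie ? " <- forms auth cookie" : ""));
            if (!isAuthCookie) continue;

            try
            {
                // Uses this app's machineKey; with the default AutoGenerate,IsolateApp
                // keys this throws for a cookie issued by another application.
                FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
                if (ticket == null)
                {
                    Context.Trace.Warn("FormsAuth", "Decrypt returned null ticket");
                    continue;
                }
                Context.Trace.Write("FormsAuth",
                    string.Format("ticket ok: user={0} issued={1} expires={2} expired={3} path={4}",
                                  ticket.Name, ticket.IssueDate, ticket.Expiration,
                                  ticket.Expired, ticket.CookiePath));
            }
            catch (Exception ex)
            {
                // Cookie arrived but cannot be read here: validationKey/decryptionKey
                // differ between the issuing app and this one.
                Context.Trace.Warn("FormsAuth",
                    "Decrypt failed: " + ex.GetType().Name + ": " + ex.Message);
            }
        }

        if (request.Cookies[expectedName] == null)
        {
            // Cookie never reached this app: check the forms name and path="/" match.
            Context.Trace.Warn("FormsAuth", "no cookie named " + expectedName + " on this request");
        }
    }
}
```

If the trace shows no cookie at all, the problem is upstream of forms auth (cookie name, path, or the IIS credential prompt Paul mentions); if the cookie is present but Decrypt fails, the keys are not actually identical across the apps.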
