forms authentication across virtual directories

Discussion in 'ASP .Net Security' started by news.microsoft.com, Jun 10, 2005.

  1. Hello Everyone,

    Here is my situation:
    - build a website with a public portion and multiple secured applications
    - security information is in Active Directory (user IDs) and a database (roles)
    - single sign-on is required across all applications

    My problem is I can't seem to get single sign-on working across multiple
    virtual directories ... If I log on I can access secured pages within the
    "Logon" virtual directory, but not within other virtual directories ... From
    my understanding, as long as the auth cookie's path is "/", it should be
    accessible across the entire website ... Does anyone have any idea what I am
    doing wrong? Here is how I set things up:

    VIRTUAL DIRECTORIES
    - Public (contains links to the secured applications)
    - Logon (if a user accesses a secured application without logging on, they will be redirected here)
    - Application1 (secured application)
    - Application2 (secured application)

    PUBLIC VIRTUAL DIRECTORY
    - anonymous access in IIS
    - web.config has all default settings

    LOGON VIRTUAL DIRECTORY
    - anonymous access in IIS
    - forms authentication

    WEB.CONFIG

    <authentication mode="Forms">
        <forms loginUrl="Default.aspx" name="ldapAuthCookie"
               timeout="60" path="/"></forms>
    </authentication>
    <authorization>
        <deny users="?" />
        <allow users="*" />
    </authorization>

    SET AUTH COOKIE CODE (executed when the Logon button is clicked):

    ' Build the forms authentication ticket (valid for 60 minutes, not persistent).
    Dim authTicket As FormsAuthenticationTicket = New FormsAuthenticationTicket( _
        1, txtUserName.Text, DateTime.Now, DateTime.Now.AddMinutes(60), _
        False, "", FormsAuthentication.FormsCookiePath)
    ' Encrypt the ticket with this application's <machineKey> settings.
    Dim encryptedTicket As String = FormsAuthentication.Encrypt(authTicket)
    ' Send the encrypted ticket in the cookie named by the <forms> element.
    Dim authCookie As HttpCookie = New HttpCookie( _
        FormsAuthentication.FormsCookieName, encryptedTicket)
    Response.Cookies.Add(authCookie)
    Response.Redirect(FormsAuthentication.GetRedirectUrl(txtUserName.Text, False))

    APPLICATION VIRTUAL DIRECTORIES
    - anonymous access in IIS
    - forms authentication

    WEB.CONFIG

    <authentication mode="Forms">
        <forms loginUrl="/Logon/Default.aspx"
               name="ldapAuthCookie"></forms>
    </authentication>
    <authorization>
        <deny users="?" />
        <allow users="*" />
    </authorization>


    any help would be appreciated

    thanks,
    john paddington
     
    news.microsoft.com, Jun 10, 2005
    #1

  2. news.microsoft.com

    Brock Allen Guest

    You need to configure the <machineKey> element for each virtual directory
    so they match:

    http://msdn.microsoft.com/library/d...ef/html/gngrfmachinekeysection.asp?frame=true

    And FWIW, some info from the P&P that essentially says the same (but there's
    a lot more info too):

    http://msdn.microsoft.com/library/d...en-us/dnnetsec/html/CL_SecuAsp.asp?frame=true

    -Brock
    DevelopMentor
    http://staff.develop.com/ballen



     
    Brock Allen, Jun 10, 2005
    #2
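
An added example, not part of the original thread: a Python check of the advice in the reply above, comparing the `<machineKey>` and `<forms>` settings of each virtual directory's web.config. It assumes the framework defaults (`AutoGenerate,IsolateApps` keys, `SHA1` validation) when nothing is set, reads only each application's own web.config, and uses constructed configs with placeholder key values.

```python
import xml.etree.ElementTree as ET

# Assumed framework defaults when web.config sets nothing (parent configs are not read here).
DEFAULT_KEY = "AutoGenerate,IsolateApps"
DEFAULTS = {"validation": "SHA1", "name": ".ASPXAUTH", "path": "/"}

def ticket_settings(xml_text):
    """Extract the settings that must agree for a forms ticket to be accepted."""
    web = ET.fromstring(xml_text).find("system.web")
    mk = web.find("machineKey")
    forms = web.find("authentication/forms")
    mk = mk.attrib if mk is not None else {}
    forms = forms.attrib if forms is not None else {}
    return {
        "validationKey": mk.get("validationKey", DEFAULT_KEY),
        "decryptionKey": mk.get("decryptionKey", DEFAULT_KEY),
        "validation": mk.get("validation", DEFAULTS["validation"]),
        "cookieName": forms.get("name", DEFAULTS["name"]),
        "cookiePath": forms.get("path", DEFAULTS["path"]),
    }

def audit(configs, issuer="Logon"):
    """Return (app, setting, reason) for everything that would break shared sign-on."""
    ref = ticket_settings(configs[issuer])
    findings = []
    for app in sorted(configs):
        for name, value in ticket_settings(configs[app]).items():
            if "IsolateApps" in value:
                # Key is derived per application, so no other app can read the ticket.
                findings.append((app, name, "per-application key"))
            elif value != ref[name]:
                findings.append((app, name, "differs from " + issuer))
    return findings

def make_config(machine_key="", login_url="/Logon/Default.aspx"):
    """Build a constructed web.config; not taken from the thread."""
    return ('<configuration><system.web>' + machine_key +
            '<authentication mode="Forms"><forms loginUrl="' + login_url +
            '" name="ldapAuthCookie" path="/" /></authentication>'
            '</system.web></configuration>')

# Placeholder key values, constructed for the example; real keys are long random hex strings.
SHARED = '<machineKey validationKey="PLACEHOLDER-V" decryptionKey="PLACEHOLDER-D" validation="SHA1" />'
AS_POSTED = {a: make_config() for a in ("Logon", "Application1", "Application2")}
PARTLY_FIXED = {"Logon": make_config(SHARED), "Application1": make_config(SHARED),
                "Application2": make_config()}

if __name__ == "__main__":
    for finding in audit(PARTLY_FIXED):
        print(finding)
```
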

  3. thanks ... worked like a charm


     
    news.microsoft.com, Jun 10, 2005
    #3