Sharing Authentication Across ASP.NET Applications

Discussion in 'ASP .Net' started by Tod Birdsall, MCSD for .NET, Oct 14, 2005.

  1. Hi All,

    I have two ASP.NET applications which I am trying to have share forms
    authentication. But I am running into problems.

    App A is an ASP.NET 2.0 Beta 2 application. App B is an ASP.NET 1.1
    application (Telligent's Community Server) compiled with VS.NET 2003.

    App B runs in a virtual sub-directory of App A. Both applications run
    fine. Both site's ASP.NET tabs are set appropriately (A = 2.0.5X B =
    1.1.X)

    I have done a lot of research and I believe both applications are setup
    to share the same authentication cookie.

    Here are the steps I took:

    1. Added identical <machineKey> to the root web.config of each app.
    Example:

    <!-- Keys shortened for brevity -->
    <machineKey
    validationKey="5FC1F907ADE8C5800DB3B1F195B8E...EADFF5E78070CAA"
    decryptionKey="7D27FEC08...CF3771C74CE3"
    validation="3DES" />

    2. Changed <authentication> in each root web.config to be identical.
    Example:

    <authentication mode="Forms">
    <forms name=".CommunityServer"
    loginUrl="security/Login.aspx"
    protection="All" timeout="20"
    path="/" />
    </authentication>

    3. In the App A web.config I added the following:

    <location path="main">
    <system.web>
    <authorization>
    <deny users="?" />
    </authorization>
    </system.web>
    </location>

    4. In the App B web.config I added the following:

    <authorization>
    <deny users="?" />
    </authorization>

    According to the sites I have read on how to do this, the above changes
    should be enough. I try the following:

    1. When attempting to get to the /main directory of App A, I am
    redirected to the login.

    2. I successfully login. Using Tracing, I can see that my
    ..CommmunityServer cookie has been set.

    3. I attempt to get to the virtual sub-directory (App B). I am
    redirected to the login page.
    4. Without logging in again, I go to the /main directory of App A and I
    get there without being redirected. Viewing the Tracing output on the
    page, I can see that my cookie is still set.

    I have put the following code into the Application_AuthenticateRequest
    event handler of App B's Global.asax file:

    ----------BEGIN CODE-------------------------
    protected void Application_AuthenticateRequest(Object sender, EventArgs
    e)
    {
    bool cookieFound = false;

    HttpCookie authCookie = null;
    HttpCookie cookie;
    string cookieNames = "";
    for(int i=0; i < Request.Cookies.Count; i++)
    {
    cookie = Request.Cookies;

    cookieNames = cookieNames + cookie.Name + "\n";
    if (cookie.Name == FormsAuthentication.FormsCookieName)
    {
    cookieFound = true;
    authCookie = cookie;
    break;
    }
    }

    // If the cookie has been found, it means it has been issued from
    either
    // the windows authorisation site, is this forms auth site.
    if (cookieFound)
    {
    // Extract the roles from the cookie, and assign to our current
    principal, which is attached to the
    // HttpContext.
    FormsAuthenticationTicket winAuthTicket =
    FormsAuthentication.Decrypt(authCookie.Value);
    string[] roles = winAuthTicket.UserData.Split(';');
    FormsIdentity formsId = new FormsIdentity(winAuthTicket);
    GenericPrincipal princ = new GenericPrincipal(formsId,roles);
    HttpContext.Current.User = princ;
    }
    else
    {
    // No cookie found, we can redirect to the Windows auth site if we
    want, or let it pass through so
    // that the forms auth system redirects to the logon page for us.
    throw new ApplicationException(@"Invalid login from here.
    FormsCookieName:" + FormsAuthentication.FormsCookieName + "\n" +
    "CookieNames:" + cookieNames+ "\n");
    }

    }
    -----------------END CODE----------------------------

    The cookie with the name ".CommunityServer" is found, but when the line
    calling "FormsAuthentication.Decrypt(authCookie.Value);" executes, I
    get the following error:

    -----------BEGIN ERROR-------------------------------
    Bad Data.
    Description: An unhandled exception occurred during the execution of
    the current web request. Please review the stack trace for more
    information about the error and where it originated in the code.

    Exception Details: System.Security.Cryptography.CryptographicException:
    Bad Data.

    Source Error:


    Line 100: // HttpContext.
    Line 101: //throw new ApplicationException("CookieName: " +
    authCookie.Name + "\n" + authCookie.Value);
    Line 102: FormsAuthenticationTicket winAuthTicket =
    FormsAuthentication.Decrypt(authCookie.Value);
    Line 103: string[] roles = winAuthTicket.UserData.Split(';');
    Line 104: FormsIdentity formsId = new FormsIdentity(winAuthTicket);


    Source File: c:\dev\cs_bsinterns\web\global.asax.cs Line: 102

    Stack Trace:


    [CryptographicException: Bad Data.
    ]
    System.Security.Cryptography.CryptoAPITransform._DecryptData(IntPtr
    hKey, Byte[] rgb, Int32 ib, Int32 cb, Boolean fDone) +0

    System.Security.Cryptography.CryptoAPITransform.TransformFinalBlock(Byte[]
    inputBuffer, Int32 inputOffset, Int32 inputCount) +805
    System.Security.Cryptography.CryptoStream.FlushFinalBlock() +40
    System.Web.Configuration.MachineKey.EncryptOrDecryptData(Boolean
    fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length) +139
    System.Web.Security.FormsAuthentication.Decrypt(String
    encryptedTicket) +114
    CommunityServerWeb.Global.Application_AuthenticateRequest(Object
    sender, EventArgs e) in c:\dev\cs_bsinterns\web\global.asax.cs:102

    System.Web.SyncEventExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute()
    +59
    System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&
    completedSynchronously) +87




    --------------------------------------------------------------------------------
    Version Information: Microsoft .NET Framework Version:1.1.4322.573;
    ASP.NET Version:1.1.4322.573
    -----------END ERROR---------------------------------

    Any help that you can provide would be much appreciated. I have been
    working on this issue for longer than I care state. :)

    Thank you.

    Tod Birdsall, MCSD for .NET
    http://tod1d.blogspot.com
     
    Tod Birdsall, MCSD for .NET, Oct 14, 2005
    #1
    1. Advertising

  2. I was able to solve this issue with a workaround that uses a manualy
    generated cookie rather than the cookie created by the
    FormsAuthentication class.

    If you need more details on this, please feel free to contact me
    regarding it.

    Tod Birdsall, MCSD for .NET
    blog: http://tod1d.blogspot.com
     
    Tod Birdsall, MCSD for .NET, Oct 19, 2005
    #2
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. JC
    Replies:
    1
    Views:
    570
  2. Cowboy \(Gregory A. Beamer\)

    Sharing Session variables across applications

    Cowboy \(Gregory A. Beamer\), Dec 18, 2003, in forum: ASP .Net
    Replies:
    4
    Views:
    6,417
    Alvin Bruney
    Dec 19, 2003
  3. Mothish K

    Sharing variables across 2 Applications

    Mothish K, Jun 15, 2004, in forum: ASP .Net
    Replies:
    3
    Views:
    387
    Patrice
    Jun 15, 2004
  4. =?Utf-8?B?RmFyaWJh?=

    Forms Authentication Across Applications

    =?Utf-8?B?RmFyaWJh?=, May 16, 2007, in forum: ASP .Net
    Replies:
    4
    Views:
    396
    =?Utf-8?B?RmFyaWJh?=
    May 16, 2007
  5. Fresno Bob

    Sharing session across applications

    Fresno Bob, Jan 14, 2008, in forum: ASP .Net
    Replies:
    3
    Views:
    408
    Fresno Bob
    Jan 15, 2008
Loading...

Share This Page