Single sign on across domain

Discussion in 'ASP .Net Security' started by Purushottam Khandebharad, May 20, 2006.

  1. Hi,

    I have to implement single sign-on between two web applications; the first
    is an ASP.NET 2.0 web app and the second is an ASP.NET 1.1 web app, and the
    domains of the two applications are different.

    I have already configured forms authentication for both applications, and
    it is working if both applications are on "localhost", but if I try to use
    the second application on a different machine, the forms authentication
    ticket cookie created by the first app is not recognized by the second
    application.

    P.S.: please note that I have used
    1. the same forms auth cookie name for both apps
    2. path "/" for both
    3. protection "All" for both apps
    4. the same machine keys for both apps.

    Configuration and code for both apps are as follows:
    ---------------------------------------------------------------------------------------
    Asp.net 2.0 App configuration
    ---------------------------------------------------------------------------------------

    <system.web>
      <authentication mode="Forms">
        <forms name=".AUTH"
               loginUrl="Login.aspx"
               protection="All"
               domain=""
               path="/"
               timeout="20"
               slidingExpiration="true"
               enableCrossAppRedirects="true" />
      </authentication>

      <authorization>
        <deny users="?"/>
        <allow users="*"/>
      </authorization>

      <!-- validation="SHA1" and decryption="3DES" keep the 2.0 tickets readable
           by the 1.1 app, which only supports those algorithms; the 2.0 default
           (AES) would not interoperate. -->
      <machineKey
        validationKey="5C9D7A8F3E336275166075E596F19EB9B478F771C7FE45B65BF6E9B41BA9575F04672CCC4242B2245200CD0E63A8991CA6BFB2D77FE9C5B0D69889359574C5F3"
        decryptionKey="AF96F355CEC57EFD2F996515BF465DD399FAF7B806B2CD55"
        validation="SHA1"
        decryption="3DES" />
    </system.web>

    ---------------------------------------------------------------------------------------
    code on login page login button click
    ---------------------------------------------------------------------------------------

    // Login button click handler. Note that this issues the ticket from the
    // user name alone; the credential check is not shown here.
    string user = TextBox1.Text.Trim();
    FormsAuthentication.SetAuthCookie(user, false);
    Response.Redirect(FormsAuthentication.GetRedirectUrl(user, false));


    ---------------------------------------------------------------------------------------
    Configuration for asp.net 1.1 application
    ---------------------------------------------------------------------------------------
    <system.web>
      <authentication mode="Forms">
        <!-- The 1.1 <forms> element has no domain attribute; the value below is
             ignored by 1.1 and is kept only to mirror the 2.0 configuration. -->
        <forms name=".AUTH"
               loginUrl="Login.aspx"
               protection="All"
               domain=""
               path="/"
               timeout="20"
               slidingExpiration="true"/>
      </authentication>

      <authorization>
        <deny users="?"/>
        <allow users="*"/>
      </authorization>

      <!-- 1.1 has no decryption attribute: its tickets are always 3DES-encrypted,
           which is why the 2.0 side must be pinned to 3DES as well. -->
      <machineKey
        validationKey="5C9D7A8F3E336275166075E596F19EB9B478F771C7FE45B65BF6E9B41BA9575F04672CCC4242B2245200CD0E63A8991CA6BFB2D77FE9C5B0D69889359574C5F3"
        decryptionKey="AF96F355CEC57EFD2F996515BF465DD399FAF7B806B2CD55"
        validation="SHA1"/>
    </system.web>

    If anybody thinks that giving domain names (like "app1.sso.com" and
    "app2.sso.com") will work, then let me clarify my efforts on that: I
    tried setting the domain name for the ASP.NET 2.0 app in the forms
    authentication configuration, and it accepts a domain name only when I
    use cookieless="UseUri", but I am not able to configure a domain name on
    the 2nd app (ASP.NET 1.1), and it still fails to authenticate when
    redirected to the 2nd app (it asks for login again).

    My requirement is a bit urgent; it would be helpful if anybody could give
    me a solution soon.

    Thanks in advance

    Regards,
    Purushottam Khandebharad
    Purushottam Khandebharad, May 20, 2006
    #1

  2. In order for the browser to replay the cookie to both apps, the cookie
    domain should be part of a DNS domain that is shared by both apps. Thus, if
    you have app1.yourdomain.com and app2.yourdomain.com, set the cookie domain
    to yourdomain.com and the browser should replay the cookie to both apps when
    visited using those DNS names.

    If the apps don't share some part of a DNS name in common, you won't get
    this to work. This is just how cookies work.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    Joe Kaplan \(MVP - ADSI\), May 20, 2006
    #2
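    The cookie rules Joe describes, as an added example that is not part of the
    thread and not ASP.NET code: a stand-alone C# console program that models
    how a browser decides whether to accept a Set-Cookie and whether to replay
    the stored cookie to a given host (RFC 6265 host-only cookies and domain
    matching). The host names app1.sso.com, app2.sso.com, wiki.sso.com and
    app2.other.com are made up for the illustration; case 2 is the symptom in
    the original post, case 3 is Joe's fix, case 4 is the "no shared DNS name"
    situation.

    ```csharp
    using System;

    // Added example (not from the thread or from ASP.NET): a model of the
    // browser-side cookie scoping rules, so the thread's configurations can be
    // compared without deploying two web applications.
    public static class CookieScopeDemo
    {
        // A cookie as the browser stores it. An absent Domain attribute ("" here,
        // what domain="" in <forms> produces) makes it "host-only": the browser
        // replays it only to the exact host that set it.
        public sealed class StoredCookie
        {
            public string Name;
            public string SetByHost;
            public string Domain;
            public bool HostOnly { get { return Domain.Length == 0; } }
        }

        // RFC 6265 section 5.1.3 domain matching: the request host equals the
        // cookie domain or ends with "." + domain. A leading dot is ignored.
        public static bool DomainMatches(string host, string domain)
        {
            host = host.ToLowerInvariant();
            domain = domain.ToLowerInvariant().TrimStart('.');
            return host == domain || host.EndsWith("." + domain, StringComparison.Ordinal);
        }

        // The browser accepts a Set-Cookie only when its Domain attribute covers
        // the responding host, so app1.sso.com cannot plant a cookie for other.com.
        public static StoredCookie TryStore(string name, string setByHost, string domain)
        {
            if (domain.Length > 0 && !DomainMatches(setByHost, domain))
                return null;
            return new StoredCookie { Name = name, SetByHost = setByHost, Domain = domain };
        }

        // Would the browser attach this stored cookie to a request for requestHost?
        public static bool IsSentTo(StoredCookie c, string requestHost)
        {
            if (c.HostOnly)
                return string.Equals(c.SetByHost, requestHost, StringComparison.OrdinalIgnoreCase);
            return DomainMatches(requestHost, c.Domain);
        }

        static void Report(string label, string setByHost, string domain, params string[] targets)
        {
            Console.WriteLine(label);
            StoredCookie c = TryStore(".AUTH", setByHost, domain);
            if (c == null)
            {
                Console.WriteLine("  browser rejected Domain=\"{0}\" set by {1}", domain, setByHost);
                return;
            }
            foreach (string host in targets)
                Console.WriteLine("  {0,-16} -> {1}", host, IsSentTo(c, host) ? "cookie sent" : "no cookie");
        }

        public static void Main()
        {
            // 1. The thread's config (domain="") with both apps on one host name:
            //    works, because the host-only cookie is replayed to that same host.
            Report("localhost, domain=\"\"", "localhost", "", "localhost");

            // 2. Same config with the apps on two hosts: the poster's symptom.
            Report("app1.sso.com, domain=\"\"", "app1.sso.com", "",
                   "app1.sso.com", "app2.sso.com");

            // 3. Joe's fix: scope the cookie to the shared parent domain. Note that
            //    every other host under sso.com now receives the ticket too.
            Report("app1.sso.com, domain=\"sso.com\"", "app1.sso.com", "sso.com",
                   "app1.sso.com", "app2.sso.com", "wiki.sso.com", "app2.other.com");

            // 4. No common DNS suffix: the browser refuses the attribute outright.
            Report("app1.sso.com, domain=\"other.com\"", "app1.sso.com", "other.com",
                   "app2.other.com");
        }
    }
    ```

    Two points the output makes visible: domain="" is not "no restriction" but
    "exact host only", which is why the original setup worked on localhost and
    broke as soon as the second app got its own host name; and once the cookie
    is scoped to sso.com, any host under that domain (wiki.sso.com in case 3)
    receives the authentication ticket, so the parent domain chosen must contain
    only hosts trusted to hold it.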

  3. If you don't have a contiguous domain namespace - as Joe already pointed
    out - cookies will not work. Cookieless is the only option here.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    Dominick Baier [DevelopMentor], May 20, 2006
    #3
  4. Thanks Joe Kaplan, I will try your solution.
    Purushottam Khandebharad, May 22, 2006
    #4
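    Applying Joe's advice to the two applications in the thread, as an added
    example that is not code from the thread: the ASP.NET 2.0 side only needs
    domain="sso.com" on its <forms> element, but the 1.1 <forms> element has no
    domain attribute (which is what the poster ran into), so on the 1.1 side the
    Domain of the ticket cookie has to be set in code. The Domain attribute is
    enforced by the browser only; both servers just read the encrypted ticket
    from the cookie value, so a cookie issued by either app is accepted by the
    other as long as the name, protection and machineKey match as they do in the
    posted configs. The shared domain ".sso.com", the control names and the
    derived-page pattern with an abstract credential check are assumptions made
    for the illustration.

    ```csharp
    using System;
    using System.Web;
    using System.Web.Security;
    using System.Web.UI.WebControls;

    // Added example, not code from the thread. Login page for the ASP.NET 1.1
    // app (also usable unchanged in the 2.0 app): issues the same forms ticket
    // SetAuthCookie would, but scoped to the parent domain the two hosts share.
    public abstract class SharedLoginPage : System.Web.UI.Page
    {
        // Parent DNS domain shared by app1.sso.com and app2.sso.com (assumed).
        public const string SharedCookieDomain = ".sso.com";

        protected TextBox UserNameBox;
        protected TextBox PasswordBox;

        // The credential check is the application's own (the thread shows none);
        // the concrete page implements it against its user store.
        protected abstract bool ValidateCredentials(string userName, string password);

        protected void LoginButton_Click(object sender, EventArgs e)
        {
            string user = UserNameBox.Text.Trim();
            // The thread's handler issued a ticket from the user name alone;
            // never set the cookie before the password has been verified.
            if (user.Length == 0 || !ValidateCredentials(user, PasswordBox.Text))
                return;

            Response.Cookies.Add(BuildSharedAuthCookie(user, SharedCookieDomain));
            Response.Redirect(FormsAuthentication.GetRedirectUrl(user, false));
        }

        // Builds the ticket cookie the way SetAuthCookie does (name, protection
        // and timeout come from <forms> and <machineKey>), then widens its scope
        // so the browser replays it to every host under cookieDomain, which is
        // what makes the other application recognise the login.
        public static HttpCookie BuildSharedAuthCookie(string userName, string cookieDomain)
        {
            HttpCookie authCookie = FormsAuthentication.GetAuthCookie(userName, false);
            authCookie.Domain = cookieDomain;
            authCookie.Path = "/";
            // A cookie that now reaches every host in the domain must not travel
            // over plain HTTP; the posted configs set neither requireSSL nor
            // Secure. This requires both apps to be served over HTTPS, otherwise
            // the browser withholds the cookie from them.
            authCookie.Secure = true;
            return authCookie;
        }
    }
    ```

    Three consequences of this setup are worth stating plainly. First, sharing
    the machineKey is exactly what lets app2 trust a ticket minted by app1, so
    whoever can read that key on either server can forge tickets for both; the
    validation and decryption keys pasted into this thread are public now and
    must be regenerated before either app goes live. Second, every host under
    the chosen parent domain receives the ticket, so the domain should contain
    only hosts trusted with it. Third, the cookieless="UseUri" alternative
    Dominick mentions carries the ticket in the URL, where it ends up in Referer
    headers, proxy and web-server logs and bookmarks; it trades the cookie
    scoping problem for a ticket-leakage one and should be the last resort.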
