forms authentication across multiple web servers

[Roel]

Hi,

I want to provide a single sign on for 2 web applications hosted in
different environments.
I set the machinekey to the same value in both web.config files (also i set
them to the same value in the machine.config files). The <authentication
mode="Forms" > section is exactly the same in both applications:


<authentication mode="Forms" >
<forms name=".EuphAc" loginUrl="Main/loginForm.aspx" protection="All"
timeout="60" />
</authentication>

The only time this works is if I do it on the same physical machine: 2 web
applications sharing the same machinekey in web.config section and
<authentication mode="Forms" > section.

If I try the same moving application 2 to another server (including the
web.config file which stays the same), or to localhost, I can login on one
system but it does not login on the other system.

(Strange thing was it sometimes seemed(!) that it worked but after 1 second
it redirected me back to the login page.)

I hope I'm somewhat clear.....

What am I doing wrong ?

Any help much appreciated!

Roel

 

[Dominick Baier [DevelopMentor]]

Hello Roel,

what are the names of the machines from a client (=IE) perspective...

A RFC compliant browser does not send a cookie form serverA.domain.com to
serverB.domain.com - you have to adjust the domain attribute in the <forms>
configuration to ".domain.com" - this means IE sends the cookie to all servers
under the "domain.com" namespace.

though i am not sure if this is already there in 1.1 - otherwise issue the
cookie manually and set the .Domain property

 

[Roel]

Hi Dominick,

Thanks for your answer.

The domain names differ completely:

Server 1=
dev.xxx.biz
Server 2=
devnet.yyy.be

I will check the domain attribute.
should I set domain= .yyy.be in the web.config of server 2 and xxx.biz in
the web.config of server 1 ?

Roel

 

[Dominick Baier [DevelopMentor]]

Hello Roel,

this only works if the servers are in a contiguous domain namespace...sorry.
You are out of luck here.

ASP.NET 2.0 supports cookieless forms authentication. Your scenario would
work there.

 

[Roel]

Too Bad ...
One application would in the end be 2.0 and the other 1.1, but they would be
in other domain namespaces.

Looks like i have some coding myself to do to make this possible.
Do you have any suggestions of passing the credentials in a secure way so
that they wouldn't have to login twice ?

Thanks.

 

[Dominick Baier [DevelopMentor]]

Hello Roel,

you could emulate the cookieless behavior.

redirect to a page which does the login for you passing the authentication
ticket as a query string (encrypted, MAC protected of course)

have a look at the FormsAuthenticationTicket class.


---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Too Bad ...
One application would in the end be 2.0 and the other 1.1, but they
would be
in other domain namespaces.
Looks like i have some coding myself to do to make this possible.
Do you have any suggestions of passing the credentials in a secure way
so
that they wouldn't have to login twice ?
Thanks.

Hello Roel,

this only works if the servers are in a contiguous domain
namespace...sorry. You are out of luck here.

ASP.NET 2.0 supports cookieless forms authentication. Your scenario
would work there.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Hi Dominick,

Thanks for your answer.

The domain names differ completely:

Server 1=
dev.xxx.biz
Server 2=
devnet.yyy.be
I will check the domain attribute.
should I set domain= .yyy.be in the web.config of server 2 and
xxx.biz
in
the web.config of server 1 ?
Roel
"Dominick Baier [DevelopMentor]"

Hello Roel,

what are the names of the machines from a client (=IE)
perspective...

A RFC compliant browser does not send a cookie form
serverA.domain.com to serverB.domain.com - you have to adjust the
domain attribute in the <forms> configuration to ".domain.com" -
this means IE sends the cookie to all servers under the
"domain.com" namespace.

though i am not sure if this is already there in 1.1 - otherwise
issue the cookie manually and set the .Domain property

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hi,

I want to provide a single sign on for 2 web applications hosted
in
different environments.
I set the machinekey to the same value in both web.config files
(also
i set
them to the same value in the machine.config files). The
<authentication
mode="Forms" > section is exactly the same in both applications:
<authentication mode="Forms" >
<forms name=".EuphAc" loginUrl="Main/loginForm.aspx"
protection="All"
timeout="60" />
</authentication>
The only time this works is if I do it on the same physical
machine:
2
web applications sharing the same machinekey in web.config section
and
<authentication mode="Forms" > section.
If I try the same moving application 2 to another server
(including
the web.config file which stays the same), or to localhost, I can
login on one system but it does not login on the other system.
(Strange thing was it sometimes seemed(!) that it worked but after
1 second it redirected me back to the login page.)

I hope I'm somewhat clear.....

What am I doing wrong ?

Any help much appreciated!

Roel