 

asp.net single sign on not working

After a code release, single sign-on between two of our sites stopped working. Both sites are run on different subdomains of the same domain. Subdomain x was being used as the sign-on server for all other applications. I can't quite wrap my head around why this would be the case. In web.config for both sites the machine and decryption keys are the same. Validation is set to SHA1 and decryption is set to AES. The authentication config reads:

X:

<authentication mode="Forms">
    <forms loginUrl="~/Account/LogOn" timeout="2880" protection="All" name="Domain.ASPXAUTH" path="/" domain="domain.com" />
</authentication>

Y:

<authentication mode="Forms">
    <forms loginUrl="https://x.domain.com/Account/LogOn" timeout="2880" protection="All" name="Domain.ASPXAUTH" path="/" domain="domain.com" defaultUrl="http://x.domain.com/" />
</authentication>

The SSO was working fine up until this morning. I'm not sure exactly what was changed with the code release and am having issues figuring it out. The two applications are currently running in different app pools (x is .NET 4.0 while y is .NET 2.0), and when I switched them to using the same app pool the SSO worked. However, this is not an option, as one of the libraries used in the other site only runs on .NET 2.0. I also tried forcing the machine and decryption keys and the validation and decryption algorithms in IIS 7 Manager at both the top and website levels, with no success.

When trying to go to y.domain.com after going to x.domain.com the browser is redirected back to the login page and the following exception is in the event log:

Forms authentication failed for the request. Reason: The ticket supplied was invalid.

Any ideas?

illvm asked Jun 16 '11 13:06




1 Answer

Do you suspect the config has changed as well? Because you really need this in the Forms section:

enableCrossAppRedirects="true"

EDIT: Also make sure that they are using the same encryption keys:

<system.web>
   <machineKey validationKey="BLAHBLAHBLAHBLAH" decryptionKey="BLAHBLAHBLAH" validation="SHA1" decryption="AES"/>
</system.web>

It sounds like the redirection is working ok and it's throwing an error when trying to read the ticket.

Mantorok answered Oct 11 '22 13:10
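The error quoted in the question ("The ticket supplied was invalid") means the cookie did arrive at y but y could not validate or decrypt it, so the practical first step is to diff exactly the settings that govern ticket acceptance. The script below is an added diagnostic written for this page, not code from the question, the answer or any Microsoft tooling. It parses two web.config documents and reports every machineKey and forms attribute that differs, plus settings that can never work for cross-app SSO: keys left at ASP.NET's AutoGenerate default (per machine, and with IsolateApps per application), a cookie with no domain (host-only, so never sent to a sibling subdomain), and a compatibilityMode of Framework45, whose ticket format older runtimes cannot read. The function names, the two sample configs (modelled on the X and Y fragments above) and the placeholder key values are all assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Attributes that must agree between two ASP.NET apps for a Forms ticket issued by
# one to be accepted by the other: same cookie, same keys, same algorithms.
MACHINEKEY_ATTRS = ("validationKey", "decryptionKey", "validation",
                    "decryption", "compatibilityMode")
FORMS_ATTRS = ("name", "domain", "path", "protection")
KEY_ATTRS = ("machineKey.validationKey", "machineKey.decryptionKey")


def load_settings(config_xml):
    """Pull the SSO-relevant machineKey and <forms> attributes out of one web.config."""
    root = ET.fromstring(config_xml)
    mk = root.find("system.web/machineKey")
    forms = root.find("system.web/authentication/forms")
    settings = {}
    for attr in MACHINEKEY_ATTRS:
        settings["machineKey." + attr] = None if mk is None else mk.get(attr)
    for attr in FORMS_ATTRS:
        settings["forms." + attr] = None if forms is None else forms.get(attr)
    # ASP.NET's default when a key is omitted: generated per machine and per app.
    for key in KEY_ATTRS:
        if settings[key] is None:
            settings[key] = "AutoGenerate,IsolateApps"
    return settings


def find_problems(cfg_a, cfg_b, names=("A", "B")):
    """Return reasons why B might reject a ticket issued by A (empty list = none found)."""
    a, b = load_settings(cfg_a), load_settings(cfg_b)
    problems = []
    for key in a:
        if a[key] != b[key]:
            problems.append(f"{key} differs: {names[0]}={a[key]!r}, {names[1]}={b[key]!r}")
    for name, s in zip(names, (a, b)):
        for key in KEY_ATTRS:
            if "AutoGenerate" in s[key]:
                problems.append(f"{name}: {key}={s[key]!r} is auto-generated and cannot be shared")
        if s["machineKey.compatibilityMode"] == "Framework45":
            problems.append(f"{name}: compatibilityMode=Framework45 tickets are unreadable by pre-4.5 apps")
        if s["forms.domain"] is None:
            problems.append(f"{name}: forms cookie has no domain, so it is host-only and not sent to sibling subdomains")
    return problems


# Constructed samples modelled on the X and Y fragments in the question; the keys are placeholders.
PLACEHOLDER_VKEY = "A" * 128
PLACEHOLDER_DKEY = "B" * 64
CONFIG_X = f"""<configuration><system.web>
  <machineKey validationKey="{PLACEHOLDER_VKEY}" decryptionKey="{PLACEHOLDER_DKEY}" validation="SHA1" decryption="AES"/>
  <authentication mode="Forms">
    <forms loginUrl="~/Account/LogOn" timeout="2880" protection="All" name="Domain.ASPXAUTH" path="/" domain="domain.com"/>
  </authentication>
</system.web></configuration>"""
CONFIG_Y = CONFIG_X.replace('loginUrl="~/Account/LogOn"', 'loginUrl="https://x.domain.com/Account/LogOn"')
# Broken variant: machineKey left out entirely, so Y silently falls back to auto-generated keys.
CONFIG_Y_NO_KEY = "\n".join(line for line in CONFIG_Y.splitlines() if "machineKey" not in line)

if __name__ == "__main__":
    for label, cfg in (("Y as posted", CONFIG_Y), ("Y without machineKey", CONFIG_Y_NO_KEY)):
        print(label, "->", find_problems(CONFIG_X, cfg, names=("X", "Y")) or "no mismatch found")
```

Attributes such as loginUrl, defaultUrl and timeout are deliberately not compared, because they may legitimately differ between the issuing and the consuming app. If the script reports nothing for the real configs, the remaining difference is between the two runtimes or app pools rather than in web.config, which is consistent with the question's observation that SSO worked once both sites shared one app pool; this check cannot see that, it only rules the configuration in or out.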