I'm working on an internal web-based tool for my company. Part of this tool is another application (the Cruise Control Dashboard) that runs in its own Virtual Directory under my root application.
I wanted to limit access to this internal application by setting up Forms Authentication on it, and having a login form in the root application.
I put the following into the root application's web.config:
<location path="ccnet">
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="/default.aspx" timeout="5000"/>
    </authentication>
    <authorization>
      <allow users="?"/>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>
However, the Forms Authentication does not appear to be working; it does not redirect back to the login page when I access that application directly.
I have a feeling I have the <allow> and <deny> tags set wrong. Can someone clarify?
You might also need to put path="/" in the
That was it!
So, summary, in order to do this:
In root web.config add:
<machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate" validation="SHA1" />
This must be done because by default it is "AutoGenerate,IsolateApps".
Second, you must name the Forms Auth cookie the same in both. I did this all in my root, using the location tag:
<authentication mode="Forms">
  <forms name="ccAuth" loginUrl="/default.aspx" path="/" timeout="5000"/>
</authentication>
<authorization>
  <deny users="?"/>
</authorization>
Finally:
<location path="ccnet">
  <system.web>
    <authentication mode="Forms">
      <forms name="ccAuth" loginUrl="/default.aspx" path="/" timeout="5000"/>
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>
Thanks everyone for your help. This was a stumper.
FormsAuthentication encrypts the tokens that it gives to the user, and by default it encrypts keys differently for each application. To get Forms Auth to work across applications, there are a couple of things you need to do:
Firstly, set the Forms Auth "name" the same on all Applications. This is done with:
<authentication mode="Forms">
  <forms name="{name}" path="/" ...>
</authentication>
Set the "name" to be the same in both applications' web.configs.
Secondly, you need to tell both applications to use the same key when encrypting. This is a bit confusing. When I was setting this up, all I had to do was add the following to both web.configs:
<machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate" validation="SHA1" />
According to the docs, that's the default value, but it didn't work for me unless I specified it.
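An added example, not code from any of the posts above: a small Python audit of a root web.config for the three problems this thread ran into (an `<allow users="?"/>` ahead of the deny, mismatched forms cookie settings, and `IsolateApps` machine keys). The function names are hypothetical, the two inputs are assembled from the snippets above and wrapped in `<configuration>`, and `roles`/`verbs` attributes and the sub-application's own web.config are not examined.

```python
import xml.etree.ElementTree as ET

DEFAULT_KEY = "AutoGenerate,IsolateApps"  # the default the thread cites for machineKey
def anonymous_allowed(rules):
    """URL authorization is first-match-wins: does the anonymous user '?' get in?"""
    for rule in rules:
        users = [u.strip() for u in rule.get("users", "").split(",")]
        if "?" in users or "*" in users:   # first rule matching anonymous decides
            return rule.tag == "allow"
    return True                            # no match: machine-level default allows all

def audit(web_config_xml):
    """Return a list of findings for one root web.config."""
    root = ET.fromstring(web_config_xml)
    findings, cookies = [], set()
    root_rules = root.findall("system.web/authorization/*")
    sections = [("(root)", root.find("system.web"), [])]
    sections += [(loc.get("path"), loc.find("system.web"), root_rules)
                 for loc in root.findall("location")]
    for label, sw, inherited in sections:
        if sw is None:
            continue
        # Rules in a <location> are evaluated before the rules inherited from the root.
        if anonymous_allowed(sw.findall("authorization/*") + inherited):
            findings.append(f"{label}: anonymous users are not denied")
        forms = sw.find("authentication/forms")
        if forms is not None:  # .ASPXAUTH and "/" are the framework defaults
            cookies.add((forms.get("name", ".ASPXAUTH"), forms.get("path", "/")))
    if len(cookies) > 1:
        findings.append("forms cookie name/path differ between sections")
    mk = root.find("system.web/machineKey")
    keys = [DEFAULT_KEY] if mk is None else [
        mk.get(a, DEFAULT_KEY) for a in ("validationKey", "decryptionKey")]
    if any("IsolateApps" in k for k in keys):
        findings.append("machineKey: IsolateApps gives each application its own keys")
    return findings

# Constructed inputs: the question's config, then the config from the summary.
QUESTION = """<configuration><location path="ccnet"><system.web>
<authentication mode="Forms"><forms loginUrl="/default.aspx" timeout="5000"/></authentication>
<authorization><allow users="?"/><deny users="?"/></authorization>
</system.web></location></configuration>"""
FIXED = """<configuration><system.web>
<machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate" validation="SHA1"/>
<authentication mode="Forms"><forms name="ccAuth" loginUrl="/default.aspx" path="/" timeout="5000"/></authentication>
<authorization><deny users="?"/></authorization></system.web>
<location path="ccnet"><system.web>
<authentication mode="Forms"><forms name="ccAuth" loginUrl="/default.aspx" path="/" timeout="5000"/></authentication>
<authorization><deny users="?"/></authorization></system.web></location></configuration>"""
```

`audit(QUESTION)` reports the `ccnet` section as open to anonymous users because the allow rule is matched first, while `audit(FIXED)` returns no findings.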