I have several web applications running on a Windows Server 2003 with IIS 6.0.
The applications are running under Asp.net 2.0.
Recently I have installed an MVC 3 Web application which is in its nature asp.net 4 based. The forms ticket is not recognized in this new application.
I have the same machineKey settings in the machine.config files of the different asp.net versions that have been created using this link: http://aspnetresources.com/tools/machineKey
The configuration in the login web application is like this:
<authentication mode="Forms">
  <forms name=".WEBAUTH"
         loginUrl="login.aspx"
         protection="None"
         slidingExpiration="true"
         enableCrossAppRedirects="false"
         timeout="43200"
         path="/" />
</authentication>
And accordingly the configuration of the mvc app is:
<authentication mode="Forms">
  <forms name=".WEBAUTH"
         loginUrl="http://path2theloginapp/login.aspx"
         protection="None"
         slidingExpiration="true"
         enableCrossAppRedirects="false"
         timeout="43200"
         path="/" />
</authentication>
<authorization>
  <deny users="?" />
  <allow users="*" />
</authorization>
The login works, but the mvc application always redirects back to the login page.
Now if I change the asp.net version of the login web application in IIS configuration to asp.net 4.0, it works. But then all the other applications running on asp.net 2 no longer work.
Has anybody solved forms-based authentication in a similar situation?
You can use the Forms Authentication setting, displayed under the Security > Authenticated Access section of the Internet Information Services view for a website, to set forms authentication on web applications. Set the Forms Authentication option to Yes to enable forms authentication.
Protecting static file types using forms authentication: By default, forms authentication protects only ASPX pages and any other .NET extensions. You can configure forms authentication to protect other static extensions such as .
To change the authentication type to forms authentication, then, we need to modify the <authentication> element's mode attribute to Forms.
I had to go the long way and opened a support case with Microsoft.
As it turned out, the relevant security updates from Microsoft Security Bulletin MS11-100 were missing:
http://technet.microsoft.com/en-us/security/bulletin/ms11-100.
Choose your operating system and install the updates for .Net 2.0 and 4.0.
These updates fixed forms-based authentication without reconfiguration of the involved web applications.
It's one of the breaking changes in ASP.NET 4.0:
Default Hashing Algorithm Is Now HMACSHA256
ASP.NET uses both encryption and hashing algorithms to help secure data such as forms authentication cookies and view state. By default, ASP.NET 4 now uses the HMACSHA256 algorithm for hash operations on cookies and view state. Earlier versions of ASP.NET used the older HMACSHA1 algorithm.
Your applications might be affected if you run mixed ASP.NET 2.0/ASP.NET 4 environments where data such as forms authentication cookies must work across .NET Framework versions. To configure an ASP.NET 4 Web application to use the older HMACSHA1 algorithm, add the following setting in the Web.config file:
<machineKey validation="SHA1" />
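A way to check for the mismatch described above before deploying, as an added example that is not part of the original answers: this Python sketch compares the effective forms and machineKey settings of applications on different framework versions and reports what would stop a shared ticket from validating. The function names, the sample configs and the placeholder key values are constructed for illustration; pass it whichever config file actually holds the settings (Web.config or machine.config).

```python
import xml.etree.ElementTree as ET
# Default <machineKey validation> when the attribute is absent, per framework.
DEFAULT_VALIDATION = {"2.0": "SHA1", "4.0": "HMACSHA256"}
AUTO = "AutoGenerate,IsolateApps"  # default key setting: per-app keys, never shared

def effective(config_xml, framework):
    """Settings that must be identical for apps to accept each other's ticket."""
    root = ET.fromstring(config_xml)
    forms, key = root.find(".//authentication/forms"), root.find(".//machineKey")
    forms = forms.attrib if forms is not None else {}
    key = key.attrib if key is not None else {}
    return {
        "forms.name": forms.get("name", ".ASPXAUTH"),
        "forms.protection": forms.get("protection", "All"),
        "forms.path": forms.get("path", "/"),
        "machineKey.validation": key.get("validation", DEFAULT_VALIDATION[framework]).upper(),
        "machineKey.validationKey": key.get("validationKey", AUTO),
        "machineKey.decryptionKey": key.get("decryptionKey", AUTO),
    }

def audit(apps):
    """apps: {name: (framework, config_xml)} -> list of finding strings."""
    settings = {name: effective(cfg, fw) for name, (fw, cfg) in apps.items()}
    findings = []
    for field in next(iter(settings.values())):
        values = {name: s[field] for name, s in settings.items()}
        if len(set(values.values())) > 1:
            # Never echo key material into a report; name the field only.
            detail = "values differ" if field.endswith("Key") else str(values)
            findings.append(f"MISMATCH {field}: {detail}")
    for name, s in settings.items():
        if s["forms.protection"] != "All":
            findings.append(f"WEAK {name}: ticket is not both encrypted and validated")
        if "AutoGenerate" in s["machineKey.validationKey"] + s["machineKey.decryptionKey"]:
            findings.append(f"UNSHARED {name}: auto-generated machineKey")
    return findings

# Constructed sample configs; the key values are placeholders, not real keys.
KEYS = 'validationKey="PLACEHOLDER_A" decryptionKey="PLACEHOLDER_B"'
TEMPLATE = ('<configuration><system.web><authentication mode="Forms">'
            '<forms name=".WEBAUTH" protection="{prot}" path="/" /></authentication>'
            '<machineKey {mk} /></system.web></configuration>')
def sample(prot="All", mvc_extra=""):
    return {"login": ("2.0", TEMPLATE.format(prot=prot, mk=KEYS)),
            "mvc": ("4.0", TEMPLATE.format(prot=prot, mk=KEYS + mvc_extra))}

if __name__ == "__main__":
    print(audit(sample()))                                # default algorithms differ
    print(audit(sample(mvc_extra=' validation="SHA1"')))  # aligned
```

The `WEAK` finding fires for any `protection` value other than `All`, since the ticket is then missing encryption, validation, or both.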