I’ve got a weird intermittent issue with MVC4 / IIS / Forms Authentication.
I’ve got a pair of sites that pass control to each other using SSO. Most of the time the handover occurs correctly and the user is redirected to the next site as intended. However, in some cases, the user is asked to log in again, even though valid SSO information was sent across. The SSO method is decorated with the [AllowAnonymous] attribute and the web.config also has a location entry granting access to /account/sso to all users.
It appears to occur when the destination site is being hit for the first time - once the app pool is warmed up, the issue disappears.
Some other points:
1. Both sites are .NET 4, so there should not be any legacy encryption issues.
2. This issue happens quite rarely (<10% of the time), so the code itself should be sound.
3. Hosting is IIS 7.5 on Win7 x64 locally, and Azure - happens in both places.
4. Seems to be browser independent.
    <location path="account/sso">
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
    </location>

    [Authorize]
    public class AccountController : BaseControllerTestable
    {
        public AccountController()
            : base()
        {
        }

        [AllowAnonymous]
        public ActionResult SSO(string AuthToken, string Target)
        {
            //SSO logic here
        }
    }

Any ideas?
You have an Authorize attribute on your Controller class which means that your SSO method would have AllowAnonymous and Authorize applied to it. In this instance the Authorize attribute looks like it needs to be removed.
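If the class-level [Authorize] is removed as suggested above, every other action in the controller needs its own [Authorize] unless a global filter covers it. The following is an added example, not code from the original post: a reflection check that lists the actions left reachable without authentication. The stand-in attribute classes, the Manage and ChangePassword actions, and the AnonymousActionAudit helper are hypothetical, and global filters are not considered.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;

// Stand-ins so the example compiles without System.Web.Mvc (assumption);
// in a real project, reference the attributes from System.Web.Mvc instead.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class AuthorizeAttribute : Attribute { }
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class AllowAnonymousAttribute : Attribute { }

// Constructed sample: the controller after the class-level [Authorize] is removed.
public class AccountController
{
    [AllowAnonymous]
    public string SSO(string AuthToken, string Target) { return "sso"; }

    [Authorize]
    public string Manage() { return "manage"; }

    // Hypothetical action that was protected only by the class-level attribute.
    public string ChangePassword() { return "change"; }
}

public static class AnonymousActionAudit
{
    // Returns "Controller.Action" for each public action an unauthenticated
    // request can reach: either AllowAnonymous applies (method or class), or
    // no Authorize applies at either level. Global filters are not considered.
    public static List<string> Find(Type controller)
    {
        bool classAuth = controller.IsDefined(typeof(AuthorizeAttribute), true);
        bool classAnon = controller.IsDefined(typeof(AllowAnonymousAttribute), true);
        return controller
            .GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
            .Where(m => !m.IsSpecialName) // skip property accessors
            .Where(m => classAnon
                     || m.IsDefined(typeof(AllowAnonymousAttribute), true)
                     || !(classAuth || m.IsDefined(typeof(AuthorizeAttribute), true)))
            .Select(m => controller.Name + "." + m.Name)
            .ToList();
    }

    public static void Main()
    {
        foreach (string action in Find(typeof(AccountController)))
            Console.WriteLine("anonymous: " + action);
    }
}
```

Run as a unit test over every controller type in the assembly, a check like this flags actions that lose protection when an attribute is moved or removed.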