Single Sign On with Forms Authentication

Question

I am trying to set up Single sign on for 2 websites that reside on the same domain

e.g.

http://mydomain (top level site that contains a forms-auth login page)

http://mydomain/admin (seperately developed website residing in a Virtual Application within the parent website)

Have read a few articles on Single Sign on e.g.

http://www.codeproject.com/KB/aspnet/SingleSignon.aspx

http://msdn.microsoft.com/en-us/library/dd577079.aspx

And they seem to suggest it is just a case of having the same machinekey section in each web.config so that the cookie encryption and decryption is the same for each application

I have set this up and I never get prompted for credentials in the sub-website (the virtual application)

I always get prompted in the parent site.

In addition to having the same machinekey I've also tried adding the same <authentication> and <authorisation> elements

Any idea what I could be missing?

Answer 1

Your forms section of web.config needs to be the same as well.

Quote from - Forms Authentication Across Applications

To configure forms authentication across applications, you set attributes of the forms and machineKey sections of the Web.config file to the same values for all applications that are participating in shared forms authentication.

The following example shows the Authentication section of a Web.config file. Unless otherwise noted, the name, protection, path, validationKey, validation, decryptionKey, and decryption attributes must be identical across all applications. Similarly, the encryption and validation key values and the encryption scheme and validation scheme used for authentication tickets (cookie data) must be the same. If the settings do not match, authentication tickets cannot be shared.