Forms based authentication not working between .Net 2.0 and .Net 4.0 application

I have several web applications running on a Windows Server 2003 with IIS 6.0.

The applications are running under Asp.net 2.0.

Recently I have installed an MVC 3 Web application which is in its nature asp.net 4 based. The forms ticket is not recognized in this new application.

I have the same machineKey settings in the machine.config files of the different asp.net versions that have been created using this link: http://aspnetresources.com/tools/machineKey

The configuration in the login web application is like this:

  <authentication mode="Forms">
    <forms name=".WEBAUTH"
           loginUrl="login.aspx"
           protection="None"
           slidingExpiration="true"
           enableCrossAppRedirects="false"
           timeout="43200"
           path="/" />
  </authentication>

And accordingly the configuration of the mvc app is:

  <authentication mode="Forms">
    <forms name=".WEBAUTH"
           loginUrl="http://path2theloginapp/login.aspx"
           protection="None"
           slidingExpiration="true"
           enableCrossAppRedirects="false"
           timeout="43200"
           path="/" />
  </authentication>

  <authorization>
    <deny users="?" />
    <allow users="*" />
  </authorization>

The login works, but the mvc application always redirects back to the login page.

Now if I change the asp.net version of the login web application in the IIS configuration to asp.net 4.0, it works. But then all the other applications running on asp.net 2 no longer work.

Has anybody solved forms-based authentication in a similar situation?

Answers:

Method 1

I had to go the long way and opened a support case with Microsoft.

As it turned out, the relevant security updates from Microsoft Security Bulletin MS11-100 were missing:

http://technet.microsoft.com/en-us/security/bulletin/ms11-100

Choose your operating system and install the updates for .Net 2.0 and 4.0.

These updates fixed forms-based authentication without reconfiguration of the involved web applications.

Method 2

It’s one of the breaking changes in ASP.NET 4.0:

Default Hashing Algorithm Is Now HMACSHA256

ASP.NET uses both encryption and hashing algorithms to help secure
data such as forms authentication cookies and view state. By default,
ASP.NET 4 now uses the HMACSHA256 algorithm for hash operations on
cookies and view state. Earlier versions of ASP.NET used the older
HMACSHA1 algorithm.

Your applications might be affected if you run mixed ASP.NET
2.0/ASP.NET 4 environments where data such as forms authentication
cookies must work across .NET Framework versions. To configure an
ASP.NET 4 Web application to use the older HMACSHA1 algorithm, add the
following setting in the Web.config file:

<machineKey validation="SHA1" />
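
The mismatch that the quoted breaking-change note describes, as an added example that is not part of the original answer or of ASP.NET's own code: a simplified model in which the login application signs a ticket with HMAC-SHA1 and the ASP.NET 4 application validates it first with its HMACSHA256 default and then with `validation="SHA1"`. The key, the ticket contents and the ticket-plus-tag layout are constructed assumptions, and the model applies only when cookie validation is enabled (`protection="All"` or `"Validation"`); with `protection="None"` no hash is computed at all.

```python
import hashlib
import hmac

# Constructed sample values: not a real machineKey and not a real ASP.NET ticket.
VALIDATION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 4)
TICKET = b"user=alice;expires=2030-01-01T00:00:00Z"

# machineKey "validation" values mapped to the hash used inside the HMAC.
ALGORITHMS = {"SHA1": hashlib.sha1, "HMACSHA256": hashlib.sha256}


def issue_cookie(ticket: bytes, key: bytes, validation: str) -> bytes:
    """Append an HMAC tag to the ticket, as the issuing application would."""
    tag = hmac.new(key, ticket, ALGORITHMS[validation]).digest()
    return ticket + tag


def validate_cookie(cookie: bytes, key: bytes, validation: str):
    """Return the ticket if the trailing tag verifies, otherwise None."""
    digest = ALGORITHMS[validation]
    tag_len = digest().digest_size  # 20 bytes for SHA1, 32 bytes for SHA256
    if len(cookie) <= tag_len:
        return None
    ticket, tag = cookie[:-tag_len], cookie[-tag_len:]
    expected = hmac.new(key, ticket, digest).digest()
    # Constant-time comparison so the check does not leak tag bytes.
    return ticket if hmac.compare_digest(tag, expected) else None


def demo():
    # The login application (ASP.NET 2.0 in this model) signs with HMAC-SHA1.
    cookie = issue_cookie(TICKET, VALIDATION_KEY, "SHA1")
    return {
        # ASP.NET 4 default: same key, different algorithm, cookie rejected.
        "net4_default": validate_cookie(cookie, VALIDATION_KEY, "HMACSHA256"),
        # ASP.NET 4 with <machineKey validation="SHA1" />: cookie accepted.
        "net4_sha1": validate_cookie(cookie, VALIDATION_KEY, "SHA1"),
        # Matching algorithm, but the user name was altered after signing.
        "tampered": validate_cookie(b"user=admin" + cookie[10:], VALIDATION_KEY, "SHA1"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'accepted' if result else 'rejected'}")
```

A rejected cookie leaves the request unauthenticated, which under `<deny users="?" />` means a redirect to `loginUrl`.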


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
