Forms Authentication across Applications

Question

I'm working on a internal web based tool for my company. Part of this tool is another application (The Cruise Control Dashboard) that runs in its own Virtual Directory under my root application.

I wanted to limit access to this internal application by setting up Forms Authentication on it, and having a login form in the root application.

I put the following into the root applications web.config:

<location path="ccnet">
  <system.web>
    <authentication mode="Forms">
        <forms loginUrl="/default.aspx" timeout="5000"/>
    </authentication>
    <authorization>
      <allow users="?"/>
      <deny users="?"/>
    </authorization>        
  </system.web>    
</location>

However, the Forms Authentication does not appear to be working, it does not redirect back to the login page when I access that application directly.

I have a feeling I have the <allow> and <deny> tags set wrong. Can someone clarify?

Answer 1

You might also need to put path="/" in the <forms tag(s) I think. Sorry, its been a while since i've done this

Answer 2

You might also need to put path="/" in the

That was it!

So, Summary, inorder todo this;

In root web.config add:

<machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate" validation="SHA1" />

This must be done because by default it is "AutoGenerate,IsolateApps".

Second, you must name the form Auth cookie the same in both, I did this all in my root, using the location tag:

<authentication mode="Forms">
   <forms name="ccAuth" loginUrl="/default.aspx"  path="/" timeout="5000"/>
</authentication>
<authorization>
   <deny users="?"/>
</authorization>

Finally:

<location path="ccnet">
  <system.web>
    <authentication mode="Forms">
      <forms name="ccAuth" loginUrl="/default.aspx"  path="/" timeout="5000"/>
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>      
  </system.web>    
</location>

Thanks everyone for your help. This was a stumper.

Answer 3

FormsAuthentication encrypts the tokens that it gives to the user, and by default it encrypts keys different for each application. To get Forms Auth to work across applications, there are a couple of things you need to do:

Firstly, set the Forms Auth "name" the same on all Applications. This is done with:

<authentication mode="Forms">  
    <forms name="{name}" path="/" ...>
</authentication>

Set the "name" to be the same in both applications web.configs.

Secondly, you need to tell both applications to use the same key when encrypting. This is a bit confusing. When I was setting this up, all I had to do was add the following to both web.configs:

<machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate" validation="SHA1" />

According to the docs, thats the default value, but it didnt work for me unless I specified it.

Answer 4

That does not work, it still allows all users, (Authenticated or not) to access.

I would think you could even omit the allow tag, as it's redundant. Just:

<deny users="?"/>

Answer 5

Where does that code sit Jonathan? In my experience I have a login control and in the OnAuthenticate event I would set Authenticated to false...

If CustomAuthenticate(Login1.UserName, Login1.Password) Then
    FormsAuthentication.RedirectFromLoginPage(Login1.UserName, False)
Else
    e.Authenticated = False
End If

But that's using the Microsoft Way

Answer 6

you are allowing all unauthenticated. You might be looking for something like this

<deny users="?"/>

Answer 7

What is the file extension for this cruise control application? If it is not a file type that ASP.NET is registered to handle (e.g. jsp, java, etc), then ASP.NET will not act as an authentication mechanism (on IIS 5 and 6). For example, for static html files, unless you have wildcard mapping implemented, IIS does all the authentication and authorization and serves up the file without involving the ASP.NET isapi extension. IIS7 can use the new integrated pipeline mode to intercept all requests. For IIS6, you'll want to look at Scott Gu's article on the matter.

Answer 8

None of the above suggestions worked for me. Turns out in the root web.config set:

<forms loginUrl="/pages/login.aspx" enableCrossAppRedirects="true"...

and make sure that both the root and child app have in system.web

<machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate" validation="SHA1"/>

which turns off the IsolateApps default.

Then everything just worked!