ActiveDirectoryMembershipProvider always redirects to signin page

Question

I'm trying to implement the ActiveDirectoryMembership provider so I can use forms authentication against active directory.

I can browse to the application, and be redirected to the signin page. If I enter the incorrect password I get the correct error. If I enter the correct password it redirects me to the default url (/Secure/Default.aspx), but immediately get redirected back to the signin page. I can see the two redirects because I'm using fiddler. So I know for sure that it is authenticating against AD correctly, but still taking me back to the signin page. I also know that the browser does accept cookies, because I built a test page in the application to prove that. I've included the web.config and relevant code below, just can't figure out what I am missing...

Edit: I have found that if I specify UseUri instead of UseCookies, everything starts working. But I have validated that I can store data in a cookie on one page, and retrieve it on another page, so why wouldn't it work for the authentication piece?

Edit 2 I've also removed my code from the signin page and used the standard login control, same problem.

Web.config file:

<connectionStrings>
    <add name="ADConnectionString" connectionString="LDAP://YNET" />
</connectionStrings>
<system.web>      
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" 
             path="/FormsAuth"
             loginUrl="~/SignIn.aspx" 
             defaultUrl="~/Secure/Default.aspx" 
             timeout="20" 
             requireSSL="false"
             protection="All"
             slidingExpiration="true"
             cookieless="UseCookies"
             enableCrossAppRedirects="false"/>
    </authentication>

    <authorization>
      <!-- Deny unauthenticated users will cause automatic redirect to the sign in page when using forms authentication. -->
      <deny users="?"/>
      <allow users="*"/>
    </authorization>

    <!-- For non AD passthrough authentication, specify the defaultProvider property -->
    <membership defaultProvider="ActiveDirectoryMembershipProvider">
      <providers>
        <clear/>
        <add name="ActiveDirectoryMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider"
             connectionStringName="ADConnectionString"
             attributeMapUsername="sAMAccountName"/>

       </providers>      
    </membership>
</system.web>

Signin page:

bool bIsValid = System.Web.Security.Membership.ValidateUser(txtUsername.Text, txtPassword.Text);

//Authenticate the user credentials against the default membership provider specified in configuration
if (bIsValid)
{
    System.Web.Security.FormsAuthentication.SetAuthCookie(txtUsername.Text, true);

    System.Web.Security.FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, true);

}
else
{
    //display error
    ....
}

Answer 1

The cookie issue (and likely the login issue) is due to the fact that you are setting the cookie path to be /FormsAuth. That means the cookie is only valid for that URL path and will be discarded otherwise. Also, your <authorization> section can be tweaked a bit as I have adjusted in the following full update of your partial Web.config:

<connectionStrings>
    <add name="ADConnectionString" connectionString="LDAP://YNET" />
</connectionStrings>
<system.web>      
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" 
             path="/"
             loginUrl="~/SignIn.aspx" 
             defaultUrl="~/Secure/Default.aspx" 
             timeout="20" 
             requireSSL="false"
             protection="All"
             slidingExpiration="true"
             cookieless="UseCookies"
             enableCrossAppRedirects="false"/>
    </authentication>

    <authorization>
      <allow users="*"/>
    </authorization>

    <!-- For non AD passthrough authentication, specify the defaultProvider property -->
    <membership defaultProvider="ActiveDirectoryMembershipProvider">
      <providers>
        <clear/>
        <add name="ActiveDirectoryMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider"
             connectionStringName="ADConnectionString"
             attributeMapUsername="sAMAccountName"/>

       </providers>      
    </membership>
</system.web>
<location path="Secure">
    <system.web>
        <authorization>
            <deny users="?"/>
        </authorization>
    </system.web>
</location>

If the /Secure folder is truly the only folder you want to protect with the login, then the above works, but if you want to lock everything down except the login page, you simply need <deny users "?" /> in your main <authorization> section.