Problem Sharing ASP.NET Forms Authentication or A Tale of Two Cryptography Cores

We have multiple web applications on our server farm that share forms authentication.  This makes it possible to have a single login page / functionality that can be shared between the applications.  In order to allow the encrypted forms authentication cookie to be shared between these applications the web.config needs to be setup in the following way:

  • The MachineKey section needs to be the same in both applications or shared by a higher level web.config.  Specifically these attributes need to match between the two: validationKey, validation, decryptionKey, and decryption.
  • The forms authentication sections needs to have matching attributes: name, protection, and path.

These instructions seem pretty straight forward and are actually quite easy to set up.  Tip: It’s a good idea on a web farm to use a common Machine Key to allow authentication cookies to be shared across severs as well as the sharing of other encrypted resources such as viewstate encryption and validation. 

Sharing authentication cookies between applications is great when it works, but when it doesn’t it can be rather difficult to troubleshoot.  There wasn’t a lot of information in the logs.  In our case we were seeing the following error in the application event log of the server:

Event code: 4005 – Event message: Forms authentication failed for the request. Reason: The ticket supplied was invalid.

Hmm…  this wasn’t a lot to go on, so I started researching.  After several hours of troubleshooting and research I finally discovered why the authentication cookie was not being correctly decrypted.

The root of our issue was related to the new cryptographic core in ASP.NET 4.5.  The article below discusses the details of these changes:

http://blogs.msdn.com/b/webdev/archive/2012/10/22/cryptographic-improvements-in-asp-net-4-5-pt-1.aspx

The improvements to the cryptography offer significant security enhancements and are welcome improvement in the new version of ASP.NET.  However, the default setting differences between old and new ASP.NET templates did cause this issue which took a bit of research to resolve.

One of the ASP.NET applications we wanted to share authentication with was an older application that had been created in a previous version of the framework and upgraded to 4.5.  The other was a newer application that had been created targeting the 4.5 framework.  The new ASP.NET project templates have the following node added to the web.config which I was able to locate in my web.config:

<httpRuntime targetFramework=”4.5″ />

One impact of this node is that the application begins to use the new version of the cryptography Core.  This meant that the new and old applications were using different cryptography cores causing them to be unable to share / decrypt the authentication cookie.   Once I added this node to the older application’s web.config the encryption cookie sharing worked great.

You can also set the encryption core version with this attribute on the machine key:

compatibilityMode=”Framework45”

 

 

2 thoughts on “Problem Sharing ASP.NET Forms Authentication or A Tale of Two Cryptography Cores

  1. Hey great article.. after looking at and trying all the stuff on stackoverflow, and the various MS forums, and your compatabilityMode suggestion did the trick…. authenticate form asp.net forms app to a MVC service same domain, different subdomains. Thanks! Fred

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s