views:

970

answers:

13

I'm working on an internal web-based tool for my company. Part of this tool is another application (the Cruise Control Dashboard) that runs in its own Virtual Directory under my root application.

I wanted to limit access to this internal application by setting up Forms Authentication on it, and having a login form in the root application.

I put the following into the root application's web.config:

<location path="ccnet">
  <system.web>
    <authentication mode="Forms">
        <forms loginUrl="/default.aspx" timeout="5000"/>
    </authentication>
    <authorization>
      <allow users="?"/>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>

However, Forms Authentication does not appear to be working; it does not redirect back to the login page when I access that application directly.

I have a feeling I have the <allow> and <deny> tags set wrong. Can someone clarify?

A: 

Is there a reason you are using Forms authentication and not Windows authentication?

Nick Berardi
A: 

You are allowing all unauthenticated users. You might be looking for something like this:

<deny users="?"/>
Darren Kopp
A: 

Is there a reason you are using Forms authentication and not Windows authentication?

Yes, the login is tied to the user's Source Control credentials; we actually make an API call to verify this. We don't want to tie the login to the user's NT ID.

FlySwat
A: 

You are allowing all unauthenticated users. You might be looking for something like this:

<deny users="?"/>
<allow users="*"/>

That does not work; it still allows all users (authenticated or not) to access.

FlySwat
A: 

That does not work; it still allows all users (authenticated or not) to access.

I would think you could even omit the allow tag, as it's redundant. Just:

<deny users="?"/>
Mark Glorie
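Added example, not from any of the posters: ASP.NET evaluates the `<authorization>` rules top to bottom and the first rule that matches the current user wins, which is why the ordering in the question lets anonymous users (`?`) through. Below, the weak ordering and the corrected one are shown side by side for the same `ccnet` location and `loginUrl` the question uses.

```xml
<!-- Added example; the location path and loginUrl are taken from the question. -->

<!-- Weak: rules are matched top-down and the first match wins.
     An anonymous user matches <allow users="?"/> first, so the <deny> never runs. -->
<location path="ccnet">
  <system.web>
    <authorization>
      <allow users="?"/>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>

<!-- Corrected: deny anonymous users first, then allow everyone who authenticated.
     The trailing <allow users="*"/> can be omitted, because the machine-level root
     configuration already ends with it; stating it explicitly after the deny makes
     the intent visible in code review. -->
<location path="ccnet">
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="/default.aspx" timeout="5000"/>
    </authentication>
    <authorization>
      <deny users="?"/>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
```

A quick check after the change: a request to `/ccnet/` without the forms cookie should get a 302 to `/default.aspx?ReturnUrl=%2fccnet%2f`. If it still returns 200, the request never reached UrlAuthorizationModule at all, which points at a pipeline or handler-mapping problem rather than at the rule order.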
A: 

I would think you could even omit the allow tag, as it's redundant. Just:

<deny users="?"/>

Doing that prevents me from accessing the internal app unauthorized; however, authorization does not appear to work.

This gets me thinking that perhaps the issue is that I'm not setting the authorization correctly. This is the first time I've used Forms Auth; I usually roll my own, but because this was so simple I thought I'd use it (Haha! Think again!)

Here is how the authorization is done:

// Verify the credentials against source control via our own API call.
if (scUser.Authenticate(txtUserName.Text, txtPassword.Text))
{
    // Issue the forms-auth ticket as a session (non-persistent) cookie.
    FormsAuthentication.SetAuthCookie(txtUserName.Text, false);

    if (Request.QueryString["ReturnUrl"] != null)
    {
        // The user was bounced here by the authorization module; send them back.
        // RedirectFromLoginPage also issues the cookie, so the SetAuthCookie above is redundant on this path.
        System.Web.Security.FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, false);
    }
    else
    {
        // Direct visit to the login page: go to the default landing page.
        Response.Redirect("/configPanel/");
    }
}
else
{
    // Generic failure message; do not reveal whether the user name or the password was wrong.
    lblLoginMessage.Text = "Unable to login with the credentials provided.";
    lblLoginMessage.Visible = true;
}
FlySwat
+1  A: 

FormsAuthentication encrypts the tokens that it gives to the user, and by default it uses a different key for each application. To get Forms Auth to work across applications, there are a couple of things you need to do:

Firstly, set the Forms Auth "name" to be the same on all applications. This is done with:

<authentication mode="Forms">
    <forms name="{name}" path="/" ... />
</authentication>

Set the "name" to be the same in both applications' web.configs.

Secondly, you need to tell both applications to use the same key when encrypting. This is a bit confusing. When I was setting this up, all I had to do was add the following to both web.configs:

<machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate" validation="SHA1" />

According to the docs, that's the default value, but it didn't work for me unless I specified it.

Ch00k
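Added example (not Ch00k's configuration and not the project's) of the two settings above placed identically in both web.configs. The cookie name and the key values are placeholders. The reason the explicit `AutoGenerate` pair was needed: the machine.config default is `AutoGenerate,IsolateApps`, and the `IsolateApps` modifier is what derives a separate key per application, so plain `AutoGenerate` shares the machine-level key between applications on one server. A web farm, or anything that must survive regeneration of the machine key, needs explicit keys instead.

```xml
<!-- Added example; put the same block in the root application's web.config
     and in ccnet's web.config. Cookie name and key values are placeholders. -->
<system.web>
  <authentication mode="Forms">
    <!-- Same cookie name and path in both apps, so one ticket is sent to both.
         loginUrl and timeout are the values from the question. -->
    <forms name=".INTERNALTOOLSAUTH" loginUrl="/default.aspx" path="/" timeout="5000"/>
  </authentication>

  <!-- Identical keys in both apps, so ccnet can validate and decrypt the ticket
       issued by the root app. Generate them with a cryptographic RNG, keep them
       out of source control, and never reuse them across environments.
       On ASP.NET 4.x prefer validation="HMACSHA256" over the SHA1 in the answer above. -->
  <machineKey
    validationKey="REPLACE_WITH_128_HEX_CHARS_FROM_A_CRYPTOGRAPHIC_RNG"
    decryptionKey="REPLACE_WITH_64_HEX_CHARS_FROM_A_CRYPTOGRAPHIC_RNG"
    validation="HMACSHA256"
    decryption="AES"/>
</system.web>
```

On a single server the answer's `AutoGenerate` pair also works, because both applications then read the same machine-level key; it stops working as soon as the applications run on different machines or that key is regenerated, which is why explicit keys are the safer default for anything beyond a development box.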
A: 

Where does that code sit, Jonathan? In my experience I have a login control and in the OnAuthenticate event I would set Authenticated to false...

If CustomAuthenticate(Login1.UserName, Login1.Password) Then
    FormsAuthentication.RedirectFromLoginPage(Login1.UserName, False)
Else
    e.Authenticated = False
End If

But that's using the Microsoft Way.

Mark Glorie
A: 

@Ch00k:

I added both of your suggestions and it still does not authenticate :(

CCNet uses NVelocity, so *.ASPX requests go directly to a custom HTTPHandler. I'm wondering if that is what is fouling up, but I don't suspect it is, because I would think it would break authentication totally (i.e., it would let you in), not partially.

FlySwat
A: 

Where does that code sit, Jonathan? In my experience I have a login control and in the OnAuthenticate event I would set Authenticated to false...

It sits in the PageLoad event handler.

There is no need to use the custom login control to do this.

FlySwat
+1  A: 

You might also need to put path="/" in the <forms> tag(s), I think. Sorry, it's been a while since I've done this.

Ch00k
+3  A: 
FlySwat
A: 

What is the file extension for this cruise control application? If it is not a file type that ASP.NET is registered to handle (e.g. jsp, java, etc.), then ASP.NET will not act as an authentication mechanism (on IIS 5 and 6). For example, for static HTML files, unless you have wildcard mapping implemented, IIS does all the authentication and authorization and serves up the file without involving the ASP.NET ISAPI extension. IIS7 can use the new integrated pipeline mode to intercept all requests. For IIS6, you'll want to look at Scott Gu's article on the matter.

MatthewMartin
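Added example (not from the answer above and not the project's configuration) of the IIS7 integrated-mode setting that makes the managed authentication and authorization modules run for every request, including extensions and static files that ASP.NET is not otherwise mapped to. It is the IIS7 counterpart of the IIS6 wildcard mapping mentioned above.

```xml
<!-- Added example for IIS7 or later in integrated pipeline mode. Goes in the
     web.config of the application whose content must be protected (ccnet here). -->
<system.webServer>
  <!-- With this set, FormsAuthenticationModule and UrlAuthorizationModule see
       static files and non-ASP.NET handlers too, not just *.aspx requests.
       The default (false) runs managed modules only for managed handlers, which
       reproduces the IIS6 behaviour described in the answer above. -->
  <modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
```

The cost is that every request, images and CSS included, now passes through the managed pipeline. The narrower alternative is to re-register just the two modules without their `managedHandler` precondition. Either way, the check is the same as for the rule ordering: an anonymous request for a static file under `/ccnet/` must come back as a 302 to the login page rather than a 200.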