A: 

I finally solve this problem by change the application pool user to a local user. the problem is probably caused by the sso is hosted on a 64bit OS, this problem does not exist if I host the sso on a 32bit computer (even I use a domain user for the application pool).

Now I use ApplicationPoolIdentity or NetWork Service, the exception disappeared after I restart IIS.

Thanks all you guys and I am so glad to share my solution with you.

Aaron Wang  2010-02-23 09:27:04
ok, finally, I had to say, it is because of the domain user I used for the application pool does not have some required access rights, but I don't know what kind of rights. can anyone we find that also send me an email ([email protected])?
Aaron Wang  2010-02-26 06:12:42
A: 

There seems to be some kind of security issue when you have several apps sharing the same domain on Win Server 2008 with IIS 7.5

If you have urls http://ourdomain.com/app1 and http://ourdomain.com/app2 you can sign in on one app with WIF but when you access the other app you get this error. This is because the Cookie is for the domain but if it´s created by app1 then app2 can't access it.

So the solution is to either do as Aaron and use a specific user that has access rights or as we did, separate the apps on two different domains ie http://app1domain.com/ and http://app2domain.com/.

Kristoffer Vidmo  2010-02-23 16:29:43
what do you mean "separate the apps on two different domains ie http://app1domain.com/ and http://app2domain.com/"? if I use http://app1.domain.com and http://app2.domain.com, I still have this problem.And what kind of special access rights required if I use a domain user?
Aaron Wang  2010-02-24 05:33:26
First we used one website (domain.com) with two virtual directories, app1 and app2. We had to split them into two websites with different domains (app1domain.com and app2domain.com) to get it to work. You probably need two app pools as well.We never tested different access rights or users but since you got it to work I figured it was a valid solution.
Kristoffer Vidmo  2010-02-24 09:22:07
sure, I tried to create two different pools for app1 and app2 with a domain user, but I still got the problem, If I use a domain user who is a administrator then it is the same as use ApplicationPoolUser or NetWork Service, from this, i can say that is must the domain user is missing some access rights, but I don't know what rights.
Aaron Wang  2010-02-25 08:38:05

related questions

IE6 security login (debugging via VirtualPC)
Asp.net Reinstalling a DLL into the GAC
Failed to load resources from resource file.
What does an IISReset do?
How do I secure a folder used to let users upload files?
VBScript/IIS - How do I automatically set ASP.NET version for a particular website
IIS 6/COM+ hangs
Web server farms with IIS ? Basic Infos
.NET 3.5 Service Pack 1 causes 404 pages on ASP.NET Web App
What Url rewriter do you use for ASP.Net?
Publishing to IIS - Best Practices
ASP.NET Proxy Application
PHP on IIS
How do I stop IIS7 dropping my cookies?
HTTPS in IIS 5.1
Best tool for performance testing ASP.NET
Alternative Hostname for an IIS web site for internal access only
SQL Server 2008 FileStream on a Web Server
Solutions for working with multiple branches in ASP.Net
Dual vs. Quadcore on a Webserver
PHP Error - Uploading a file
Visual Studio 2008 debugger already attached work-around
Linux shell equivalent on IIS
Bandwith throttling in IIS 6 by IP Address
Checklist for IIS 6/ASP.NET Windows Authentication?