tags:

views:

430

answers:

4
+1  Q: 

Single Sign On with Forms Authentication

I am trying to set up Single sign on for 2 websites that reside on the same domain

e.g.

http://mydomain (top level site that contains a forms-auth login page)

http://mydomain/admin (seperately developed website residing in a Virtual Application within the parent website)

Have read a few articles on Single Sign on e.g.

http://www.codeproject.com/KB/aspnet/SingleSignon.aspx

http://msdn.microsoft.com/en-us/library/dd577079.aspx

And they seem to suggest it is just a case of having the same machinekey section in each web.config so that the cookie encryption and decryption is the same for each application

I have set this up and I never get prompted for credentials in the sub-website (the virtual application)

I always get prompted in the parent site.

In addition to having the same machinekey I've also tried adding the same <authentication> and <authorisation> elements

Any idea what I could be missing?

A: 

Try configuring the httpCookies section in the web.config of both applications to use the same domain. That way when you log-in to one app the FormsAuthentication cookie you get will be visible to the other application.

Craig  2010-03-16 10:54:44
thanks for the suggestion - unfortunately that hasnt made any difference
Christo Fur  2010-03-16 11:02:49
A: 

Your forms section of web.config needs to be the same as well.

Quote from - Forms Authentication Across Applications

To configure forms authentication across applications, you set attributes of the forms and machineKey sections of the Web.config file to the same values for all applications that are participating in shared forms authentication.

The following example shows the Authentication section of a Web.config file. Unless otherwise noted, the name, protection, path, validationKey, validation, decryptionKey, and decryption attributes must be identical across all applications. Similarly, the encryption and validation key values and the encryption scheme and validation scheme used for authentication tickets (cookie data) must be the same. If the settings do not match, authentication tickets cannot be shared.

Morten Anderson  2010-03-16 11:14:22
thanks - as I said earlier, I have tried with the same authentication and authorisation sectionsOPne interseting thing I have noticed is that when I use a fully qualified path for the loginURL e.g. "http://mydomain/login.aspx" I get prompted for Windows Credentials (not the forms login page I would expect)
Christo Fur  2010-03-16 11:27:31
Just want to make sure i get this right. If you log into Mydomain you should be authenticated for Mydomain/admin and this works fine.And you want it to work the other way round as well? i.e. when you log into admin your authenticated for Mydomain?Have you taken a look at your authentication code in MyDomain? Does it somehow differ from /admin?
Morten Anderson  2010-03-16 13:01:12
No. When I visit mydomain, which contains the login page, I would like to be authenticated for mydomain and also mydomain/admin. When I visit http://mydomain, I get redirected to the login page - which is what I want to happen.When I visit http://mydomain/admin, I don't get redirected - I have full access to the /admin site. i.e. it's not picking up the authentication from the parent
Christo Fur  2010-03-16 15:05:32
A: 

You need to have the same authentication elements in the web.config. In the contained forms element, make sure you give each application the same value for the name attribute. For the loginUrl attribute, I use a relative path and use the same logon page for all of the applications (e.g. loginUrl="/MainApp/login.aspx").

Also, are you creating the authentication ticket manually?

Jeff Siver  2010-03-16 15:00:38
yes, have tried with a local path (login.aspx) in the parent, and a full path (mydomain/login.aspx) in /admin, but I never get redirected to the login page on /admin. If I put a full path in both then I get promted with a windows login prompt (not forms page login). have tried all security setting in IIS but can't get redirected to the login page on the child site
Christo Fur  2010-03-16 15:34:12
Are you trying to display the logon page even when the user has already logged on to the non-admin site? Also, are you putting the restrict users section in the authorization element?
Jeff Siver  2010-03-17 14:57:46
A: 

I had used <clear/> on the httpModules section, as there were items in the parent that did not exist in the bin dir for the child (/admin)

In doing so (using <clear/> that is ) I had inadvertently cleared the FormsAuthentication module specified in the web.config in C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG

so i needed to re-add those explicitly to the child (/admin) config

Christo Fur  2010-03-16 16:05:51

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps