Using the machine key element appears to be obsolete now, according to this article: http://msdn.microsoft.com/en-us/library/ff649308.aspx
I am trying to get mixed authentication to work on IIS7, where people who don't have credentials won't be presented with a login screen when using Windows Integrated Authentication, but will instead be presented with a form that I wrote; if you have credentials, then you don't see the form.
So, I am following steps in this article: http://aspalliance.com/553_Mixed_Mode_Authentication.all
But one part is this comment, which leads to hardcoding an encryption key in <MachineKey>, in machine.config:
As you can see, we encrypt this ticket using the forms authentication standard routines. For this to work across applications, modifications must be made to the machine.config file to ensure encryption keys are not auto-generated for each application.
But, as I am writing this, I am now not certain I need to make this change, as both of my virtual applications will be in the same web site. But if I need to ensure that the encryption key is not being auto-generated for each application, is there a better way to do that, one that isn't obsolete?
I am using IIS7 on Windows Server 2008 SP2 (not R2), with .NET 4.0.
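
The setting the quoted passage refers to, shown as an added configuration example that is not from the post or the linked article: the per-application auto-generated keys beside explicit keys shared by the applications. The key values are placeholders, and placing the element in the site-root web.config (rather than machine.config) is an assumption about this setup.

```xml
<!-- Added example. Placeholder values only; never paste keys from a web page. -->

<!-- Auto-generated, per-application keys. With IsolateApps each application
     gets its own key material, so a forms-authentication ticket encrypted
     by one virtual application fails decryption/validation in the other,
     even when both live in the same web site. -->
<machineKey validationKey="AutoGenerate,IsolateApps"
            decryptionKey="AutoGenerate,IsolateApps" />

<!-- Explicit keys. A web.config at the site root is inherited by the
     virtual applications beneath it, so both applications use the same
     keys without touching machine.config and without affecting other
     sites on the server. -->
<configuration>
  <system.web>
    <machineKey validationKey="[PLACEHOLDER: randomly generated hex validation key]"
                decryptionKey="[PLACEHOLDER: randomly generated hex decryption key]"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>
</configuration>

<!-- The keys are now secrets stored in a file: restrict read access to the
     web.config, keep it out of source control, and consider encrypting the
     section, e.g.
       aspnet_regiis -pe "system.web/machineKey" -app "/[PLACEHOLDER: app path]"
     Anyone who obtains these keys can forge authentication tickets for
     every application that shares them. -->
```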