Hi there.

I have two asp.net applications on one IIS server and I would like to use the same back end asp_security database and membership provider. I've read that all I have to do is reference the same application name in both web configs as I'm doing now, but I must be doing something wrong.

In each application's web.config I have this section.

    <membership>
      <providers>
        <clear/>
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="membership"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             applicationName="/"
             requiresUniqueEmail="false"
             minRequiredPasswordLength="5"
             minRequiredNonalphanumericCharacters="0"
             passwordFormat="Hashed"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             passwordStrengthRegularExpression=""
             />
      </providers>
    </membership>

When I log in from application A and browse to application B, application B doesn't seem to know anything about me or my credentials from application A. Anyone have any ideas what I'm doing incorrectly?

+1  A: 

If my understanding serves me correctly, the user's authentication credentials are stored within the HTTP context of each application. So switching between the two applications will not automatically authenticate the user, since a new context will be created when you switch to app B.

What I believe may be the correct approach would be to use the DefaultCredentials (or set the UseDefaultCredentials property to True) of the current user prior to switching to app B.

When you say switch, what do you mean, e.g. open a different browser window and access app B, or request a page from appB from appA?

Ahmad
I think you might be right as I can see my database now but don't have a logged in user when I browse to appB. Which API are you referring to when you are talking about the DefaultCredentials? ...and if I am going to "switch" between applications by site map, do you see a way around setting this on every page upon exiting? Thanks for your time
jim
The UseDefaultCredentials property in System.Net (http://msdn.microsoft.com/en-us/library/system.net.credentialcache.defaultcredentials.aspx). On the second point, I believe that you need to set the machine key in both apps' web.config files. See this MSDN article for more info: http://msdn.microsoft.com/en-us/library/eb0zx8fc.aspx
Ahmad
You are mistaken. ASP.NET forms authentication is tracked in an encrypted ticket. This ticket can be stored in a cookie or in the URL. The OP just needs, as he now knows, to ensure that application names are the same and that each app shares a common machine key.
Sky Sanders
+3  A: 

Just for closure's sake I will answer how I achieved the goal of what my original question meant to ask for.

I had two asp.net applications on one IIS server. It was my goal to make it so when a user logged onto app1 their user credentials would be available in app2. Configuring the asp.net membership provider is only one step of what I was looking for. Even if both apps were using the same back end database and provider I still wouldn't be authenticated when I hit app2. What I was looking for was a Single Sign On solution.

Once you have both apps pointing at your asp_membership database by placing the following in the system.web section of your web config

    <authentication mode="Forms" />
    <membership>
      <providers>
        <clear/>
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="membership"
             applicationName="/"
             />
      </providers>
    </membership>
    <roleManager enabled="true" />

make sure both have the same applicationName property set.

I was using IIS 6 so I configured it to autogenerate a machine key for both applications. Because both of these applications live on the same machine the key would be identical; this is the critical part to making the SSO work. After setting up IIS, the following was added to my web.config

    <machineKey decryptionKey="AutoGenerate" validation="SHA1" validationKey="AutoGenerate" />

That was all there was to it. Once that was done I could log into app1 and then browse to app2 and keep my security credentials.

Thanks for the push in the right direction.

jim
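
A check for the settings this thread identifies (same applicationName, shared machine key), as an added example that is not part of the original posts. It goes slightly beyond the thread by also comparing the forms cookie name and path and flagging the IsolateApps key modifier; the function names are hypothetical, the sample configs are constructed, and the defaults assume ASP.NET 2.0.

```python
import xml.etree.ElementTree as ET

KEY_DEFAULT = "AutoGenerate,IsolateApps"  # ASP.NET default when <machineKey> is absent
# Constructed sample configs: APP1 follows the answer above, APP2 is a mismatching variant.
APP1 = """<configuration><system.web>
  <authentication mode="Forms" />
  <membership><providers><clear/>
    <add name="AspNetSqlMembershipProvider" connectionStringName="membership" applicationName="/" />
  </providers></membership>
  <machineKey decryptionKey="AutoGenerate" validation="SHA1" validationKey="AutoGenerate" />
</system.web></configuration>"""
APP2 = """<configuration><system.web>
  <authentication mode="Forms" />
  <membership><providers><clear/>
    <add name="AspNetSqlMembershipProvider" connectionStringName="membership" applicationName="/app2" />
  </providers></membership>
</system.web></configuration>"""

def attr(node, path, name, default):
    el = node.find(path)  # missing element or attribute falls back to the default
    return default if el is None else el.get(name, default)

def sso_settings(config_xml):
    """Collect the settings both apps must agree on to accept each other's forms ticket."""
    web = ET.fromstring(config_xml).find("system.web")
    return {
        "authentication/@mode": attr(web, "authentication", "mode", "Windows"),
        "forms/@name": attr(web, "authentication/forms", "name", ".ASPXAUTH"),
        "forms/@path": attr(web, "authentication/forms", "path", "/"),
        "applicationName": attr(web, "membership/providers/add", "applicationName", None),
        "machineKey/@validationKey": attr(web, "machineKey", "validationKey", KEY_DEFAULT),
        "machineKey/@decryptionKey": attr(web, "machineKey", "decryptionKey", KEY_DEFAULT),
        "machineKey/@validation": attr(web, "machineKey", "validation", "SHA1"),  # 2.0 default
    }

def sso_problems(a_xml, b_xml):
    """List mismatches that would stop app2 from honouring a sign-in made on app1."""
    a, b = sso_settings(a_xml), sso_settings(b_xml)
    problems = [f"{k}: {a[k]!r} != {b[k]!r}" for k in a if a[k] != b[k]]
    for label, s in (("app1", a), ("app2", b)):
        if s["applicationName"] is None:
            problems.append(f"{label}: applicationName unset, defaults to the app's virtual path")
        for k in ("machineKey/@validationKey", "machineKey/@decryptionKey"):
            if "IsolateApps" in s[k]:
                problems.append(f"{label}: {k} uses IsolateApps, so the key is per-application")
    return problems

if __name__ == "__main__":
    print("\n".join(sso_problems(APP1, APP2)) or "no mismatches found")
```

Only the first provider `<add>` element in each config is inspected.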