I'm attempting to do a cross-application SSO between three web-sites I maintain. Two of them are running under .NET 4.0 while the other is running under 2.0. The main site is 4.0, while the remaining 4.0 and 2.0 sites are children running under the main. Both web.configs for the 4.0 and 2.0 sites have authentication settings that look like this:

```xml
<machineKey decryption="AES" validation="SHA1" decryptionKey="<decryptkey>" validationKey="<validationkey>"/>
<authentication mode="Forms">
  <forms name=".MyAuthenticationTicket" domain=".MyDomain-Org" loginUrl="/Login.aspx" path="/" enableCrossAppRedirects="true" protection="All" timeout="43200" cookieless="UseCookies" />
</authentication>
```

To be clear: right now the site is running on my local box, so the domain above is correct; it is pointing to -Org and not .Org.

Problem is, I can sign in to either site, but the .MyAuthenticationTicket is only being created when I log into the 4.0 site, not the 2.0 site. When I log into that one, no ticket is created. I, however, did discover that when I do log in to it, an ASP.NET_SessionId cookie is created and when I delete that, I am logged out of the 2.0 site. Regardless, I still haven't been able to achieve SSO for my sites.

So... what am I doing wrong here? Anyone have any ideas? Is there a setting I'm missing here?

John Saunders
EDanaII
  • Unlike forum sites, we don't use "Thanks", or "Any help appreciated", or signatures on Stack Overflow. See "[Should 'Hi', 'thanks,' taglines, and salutations be removed from posts?](http://meta.stackexchange.com/questions/2950/should-hi-thanks-taglines-and-salutations-be-removed-from-posts)". – John Saunders Dec 28 '14 at 00:37
  • Session and Authentication have nothing to do with each other. Deleting your session cookie should not log you out of your site, unless you are doing something very wrong in your code. – Erik Funkenbusch Dec 28 '14 at 03:09
  • Well, to be clear, it's "my application" but it's not my code. The application in question is Screwturn wiki and deleting the session cookie does, in fact, log me out. – EDanaII Dec 28 '14 at 12:58
  • @EDanaII - Then I would run screaming from this application, as it's highly insecure to use Session for authentication purposes. – Erik Funkenbusch Dec 28 '14 at 22:52
  • @EDanaII - Upon reviewing the source code for ScrewTurn Wiki, it doesn't use Forms Authentication, but rather uses its own authentication method, although it does store this authentication in a cookie which is defined in the GlobalSettings table of the database. That would be why it doesn't create a forms Auth cookie, because it doesn't use forms auth. It also means you can't make them compatible with forms auth. – Erik Funkenbusch Dec 28 '14 at 23:15
  • Hmmm... not sure that's true, Erik. I had it working with my previous version of the site. The difference between this version and that version is that I was using standard ASP NET Membership. And I was using the
    tag to accomplish it. This version I integrated YAF and am using its Membership provider. Maybe it's time to take a different route and use the standard provider...
    – EDanaII Dec 29 '14 at 13:18
  • @EDanaII - I looked at the v4, maybe an earlier version used forms auth, but the current version from what I can tell does not. – Erik Funkenbusch Dec 29 '14 at 16:30

1 Answer

If you want your ticket to be compatible across versions, you need to set the compatibility version of the forms authentication ticket in your 4.0 applications.

```xml
<forms ... ticketCompatibilityMode="Framework20" .../>
```
Erik Funkenbusch
  • Thanks, but that didn't do the trick. I guess what has me concerned is that when I log into the 2.0 application, no authentication ticket is being created there. I'm assuming that with both forms tags set identically, it should. – EDanaII Dec 28 '14 at 13:01
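
As an added example (not code from the question or the answer), this Python script compares the `machineKey` and `forms` attributes of two web.config files, since one application can only decrypt and validate a ticket issued by another when those values agree. The function names and both sample files are constructed for illustration, and the check assumes both applications actually issue Forms Authentication tickets.

```python
import xml.etree.ElementTree as ET

# Attributes read from each file; all but ticketCompatibilityMode must be identical.
CHECKED = {
    "machineKey": ("decryption", "validation", "decryptionKey", "validationKey"),
    "forms": ("name", "domain", "path", "protection", "ticketCompatibilityMode"),
}

def ticket_settings(web_config_xml):
    """Map 'element/@attribute' to its value, or None when not set explicitly."""
    root = ET.fromstring(web_config_xml)
    settings = {}
    for tag, attrs in CHECKED.items():
        node = next(root.iter(tag), None)
        for attr in attrs:
            settings[f"{tag}/@{attr}"] = None if node is None else node.get(attr)
    return settings

def compare(config_a, config_b):
    """List the settings that are not explicitly identical in both files."""
    a, b = ticket_settings(config_a), ticket_settings(config_b)
    findings = []
    for key in a:
        if key.endswith("ticketCompatibilityMode"):
            # Only an explicit value other than Framework20 is flagged.
            for value in (a[key], b[key]):
                if value not in (None, "Framework20"):
                    findings.append(f"{key} is {value}, expected Framework20")
        elif a[key] is None or b[key] is None:
            # An omitted attribute falls back to a default that can differ per app.
            findings.append(f"{key} is not set explicitly in both files")
        elif a[key] != b[key]:
            findings.append(f"{key} differs")  # key material is never echoed
    return findings

# Constructed sample files; the key values are placeholders, not real keys.
SITE_40 = """<configuration><system.web>
  <machineKey decryption="AES" validation="SHA1"
              decryptionKey="PLACEHOLDER_A" validationKey="PLACEHOLDER_B"/>
  <authentication mode="Forms">
    <forms name=".MyAuthenticationTicket" domain=".MyDomain-Org" path="/"
           protection="All" ticketCompatibilityMode="Framework20"/>
  </authentication>
</system.web></configuration>"""
SITE_20 = (SITE_40.replace(' ticketCompatibilityMode="Framework20"', "")
           .replace(' validation="SHA1"', "")
           .replace(".MyAuthenticationTicket", ".MyAuthTicket"))

if __name__ == "__main__":
    print("\n".join(compare(SITE_40, SITE_20)) or "settings match")
```

An empty result only shows that the configuration files agree; an application that issues its own cookie instead of a forms ticket is outside what this check can see.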