Re: forms authentication across multiple web servers

From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 11/25/05

    Date: Fri, 25 Nov 2005 01:25:10 -0800
    
    

    Hello Roel,

    You could emulate the cookieless behavior.

    Redirect to a page which does the login for you, passing the authentication
    ticket as a query string (encrypted, MAC protected of course).

    Have a look at the FormsAuthenticationTicket class.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Too bad ... :(
    > One application would in the end be 2.0 and the other 1.1, but they
    > would be in other domain namespaces.
    > Looks like I have some coding to do myself to make this possible.
    > Do you have any suggestions for passing the credentials in a secure way
    > so that they wouldn't have to log in twice?
    > Thanks.
    >
    > "Dominick Baier [DevelopMentor]"
    > <dbaier@pleasepleasenospamdevelop.com> wrote in message
    > news:4580be6314c9688c7bf35ac68f7f0@news.microsoft.com...
    >
    >> Hello Roel,
    >>
    >> This only works if the servers are in a contiguous domain
    >> namespace... sorry. You are out of luck here.
    >>
    >> ASP.NET 2.0 supports cookieless forms authentication. Your scenario
    >> would work there.
    >>
    >> ---------------------------------------
    >> Dominick Baier - DevelopMentor
    >> http://www.leastprivilege.com
    >>> Hi Dominick,
    >>>
    >>> Thanks for your answer.
    >>>
    >>> The domain names differ completely:
    >>>
    >>> Server 1 = dev.xxx.biz
    >>> Server 2 = devnet.yyy.be
    >>>
    >>> I will check the domain attribute.
    >>> Should I set domain= .yyy.be in the web.config of server 2 and
    >>> xxx.biz in the web.config of server 1?
    >>> Roel
    >>> "Dominick Baier [DevelopMentor]"
    >>> <dbaier@pleasepleasenospamdevelop.com> wrote in message
    >>> news:4580be6314c8ee8c7bf30365b41a8@news.microsoft.com...
    >>>
    >>>> Hello Roel,
    >>>>
    >>>> What are the names of the machines from a client (=IE)
    >>>> perspective...
    >>>>
    >>>> An RFC-compliant browser does not send a cookie from
    >>>> serverA.domain.com to serverB.domain.com - you have to adjust the
    >>>> domain attribute in the <forms> configuration to ".domain.com" -
    >>>> this means IE sends the cookie to all servers under the
    >>>> "domain.com" namespace.
    >>>>
    >>>> Though I am not sure if this is already there in 1.1 - otherwise
    >>>> issue the cookie manually and set the .Domain property.
    >>>>
    >>>> ---------------------------------------
    >>>> Dominick Baier - DevelopMentor
    >>>> http://www.leastprivilege.com
    >>>>> Hi,
    >>>>>
    >>>>> I want to provide a single sign on for 2 web applications hosted
    >>>>> in different environments.
    >>>>> I set the machinekey to the same value in both web.config files
    >>>>> (also I set them to the same value in the machine.config files).
    >>>>> The <authentication mode="Forms" > section is exactly the same in
    >>>>> both applications:
    >>>>>
    >>>>> <authentication mode="Forms" >
    >>>>>   <forms name=".EuphAc" loginUrl="Main/loginForm.aspx"
    >>>>>          protection="All" timeout="60" />
    >>>>> </authentication>
    >>>>>
    >>>>> The only time this works is if I do it on the same physical
    >>>>> machine: 2 web applications sharing the same machinekey in
    >>>>> web.config section and <authentication mode="Forms" > section.
    >>>>> If I try the same moving application 2 to another server
    >>>>> (including the web.config file which stays the same), or to
    >>>>> localhost, I can login on one system but it does not login on the
    >>>>> other system.
    >>>>> (Strange thing was it sometimes seemed(!) that it worked but after
    >>>>> 1 second it redirected me back to the login page.)
    >>>>>
    >>>>> I hope I'm somewhat clear.....
    >>>>>
    >>>>> What am I doing wrong ?
    >>>>>
    >>>>> Any help much appreciated!
    >>>>>
    >>>>> Roel
    >>>>>
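
The redirect hand-off suggested in the top reply (an encrypted, MAC-protected ticket passed in the query string), written out as an added example; it is not code from the thread or its participants. The class, method and parameter names, the "t" query key, the "handoff" marker and the 30-second lifetime are assumptions, as is a shared <machineKey> with protection="All" on both sites.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example. Class, method and parameter names, the "t" query key, the
// "handoff" marker and the 30-second lifetime are hypothetical choices.
// Assumes both sites share one <machineKey> and use protection="All", so
// FormsAuthentication.Encrypt both encrypts and MACs the ticket.
public sealed class CrossDomainSignOn
{
    private const string Param = "t";
    private const string Marker = "handoff";
    private CrossDomainSignOn() {}

    // Site A: send an already authenticated user to site B's landing page.
    // partnerUrl is assumed to carry no query string of its own.
    public static void SendToPartner(HttpContext ctx, string partnerUrl)
    {
        // Short lifetime: a URL can end up in logs, history and Referer
        // headers, so the token must be useless soon after it is issued.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, ctx.User.Identity.Name, DateTime.Now,
            DateTime.Now.AddSeconds(30), false, Marker);
        string token = FormsAuthentication.Encrypt(ticket);
        ctx.Response.Redirect(
            partnerUrl + "?" + Param + "=" + HttpUtility.UrlEncode(token), true);
    }

    // Site B: call from the landing page. Returns false when the token is
    // missing, fails decryption or MAC validation, has expired, or does not
    // carry the hand-off marker.
    public static bool AcceptFromPartner(HttpContext ctx, string landingUrl)
    {
        string token = ctx.Request.QueryString[Param];
        if (token == null || token.Length == 0) return false;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(token); }
        catch (Exception) { return false; }
        if (ticket == null || ticket.Expired || ticket.UserData != Marker)
            return false;

        // Issue site B's own cookie, then redirect so the token leaves the
        // address bar. endResponse is false so this method can return.
        FormsAuthentication.SetAuthCookie(ticket.Name, false);
        ctx.Response.Redirect(landingUrl, false);
        return true;
    }
}
```

The token can be replayed until it expires, so tracking used tokens on site B and serving both endpoints over HTTPS are left to the caller. With one application on 1.1 and the other on 2.0, as in the thread, ticket compatibility between the two versions is an assumption to verify.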

