Wrox Programmer Forums
ASP.NET 1.1 As of 10/6/2005, this forum is locked as part of the reorganization described here: http://p2p.wrox.com/topic.asp?TOPIC_ID=35394. No posts have been deleted. Open ongoing discussions from the last week have been moved to either ASP.NET 1.0 and 1.1 Beginners http://p2p.wrox.com/asp-net-1-0-1-1-basics-60/ or ASP.NET 1.0 and 1.1 Professional. http://p2p.wrox.com/forum.asp?FORUM_ID=50. See my sticky post inside for more.
Old March 11th, 2004, 12:32 PM
Registered User

Hi Imar.. Thank you so much for the detailed writeup... It sure makes things so much clearer to me now! Appreciate all the help you've rendered me so far.. Thanks!

Sad to say, a web farm implementation isn't something I can look into at this point. Am hoping I can find a simpler solution to do across server authentication, a couple of applications, but with single sign-on. Is there any simpler way to implement that? Using cookies or otherwise? Would appreciate any help anyone can render me at this time... Thanks in advance!

 
Old March 11th, 2004, 12:45 PM
Imar
Wrox Author

Well, you could cheat a little and submit some data from Server 1 to Server 2. Here's the general idea:

1. Server1 constructs a special message, for example the concatenation of the username and its unique ID (just examples)
2. You'll need to encrypt this info, as it contains security information. The FormsAuthentication class exposes some useful methods for this.
3. This information is stored as a hidden variable on a page, for example PrepareSwitchToServer2.aspx
4. That page submits itself to Server2\Login.aspx. On Login.aspx, you can extract the information from the form, decrypt it, and then check whether it has been tampered with. If it looks good, you can use that data to perform a programmatic Login for Server 2. That is, do what you normally would do to authenticate the user but don't get the details from an ASP.NET form, but from the hidden form field sent to the Logon page.

At this point, your users will be authenticated for Server 2 as well so now they can switch between applications as much as they want.


Cheers,

Imar


---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
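
Steps 1 to 4 of the post above, as an added example (not code from the original post): Server1 packs the user name and ID into a short-lived `FormsAuthenticationTicket`, and Login.aspx on Server2 accepts it only if it decrypts, validates and has not expired. The class name `HandoffToken` and the form field name `handoff` are assumptions; both servers are assumed to share the same `<machineKey>` and to keep the default forms `protection="All"` so that the ticket is both encrypted and tamper-checked.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper, deployed on both servers. Decrypt on Server2 only
// succeeds when both web.config files carry identical <machineKey> values.
public class HandoffToken
{
    // Server1: value for the hidden field on PrepareSwitchToServer2.aspx.
    public static string Create(string userName, string userId)
    {
        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                  // ticket version
            userName,
            now,                // issue time (server clocks must agree)
            now.AddMinutes(2),  // short lifetime limits reuse of a captured post
            false,              // not persistent
            userId);            // userData travels inside the protected ticket
        return FormsAuthentication.Encrypt(ticket);
    }

    // Server2: returns the ticket, or null when the value is missing,
    // has been altered, or has expired.
    public static FormsAuthenticationTicket Read(string token)
    {
        if (token == null || token.Length == 0) return null;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(token);
            if (ticket == null || ticket.Expired) return null;
            return ticket;
        }
        catch (Exception)
        {
            return null; // malformed or tampered input is treated as "no token"
        }
    }
}

// In Login.aspx.cs on Server2 (field name "handoff" is an assumption):
//   FormsAuthenticationTicket t = HandoffToken.Read(Request.Form["handoff"]);
//   if (t != null) FormsAuthentication.SetAuthCookie(t.Name, false);
//   else { /* fall back to the normal login form */ }
```

The token passes through the user's browser, so the post to Server2 should go over HTTPS; the two-minute expiry only narrows the window in which a copied value can be replayed.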
 
Old March 12th, 2004, 12:21 AM
Registered User

Have considered this implementation before... But just a tad worried about having to handle more security issues. Anyway, you've given me a GREAT walkthrough for the implementation! You're sure a life saver! :D

Greatly appreciate all the help you have rendered so far... Thanks a million!!!!!

 
Old March 12th, 2004, 11:16 AM
planoie
Friend of Wrox

I wrote a long response to this post two days ago, but somehow it never got posted. Hopefully I can remember most of it.

In order to get cookies to work across servers, those servers need to be part of the same base domain. Cookies that are written to belong to some base domain (mydomain.com) will be seen by any machine that is accessible via a sub domain name: "serverA.mydomain.com" and "serverB.mydomain.com". When you create a cookie, you can specify its domain to be "mydomain.com". (By default, the cookie will assume the full base URL as its domain.)

Now, the issue of creating those sub domain URLs:
If you are working in a LAN that has an Active Directory Services (ADS) domain controller, then you will most likely have a local zone established. Something like "mycompany.com" or similar. The nice thing about the default configuration of an ADS domain is that all machines get added to the local domain's DNS. So if your machine is named "FRED", then ADS will create an entry in the local DNS called "fred.mycompany.com". This will go for your servers as well. The simple test is to just try pinging "serverA.mycompany.com". Ask your network admin what the ADS domain name is if you don't know (or can't guess) what it is.

If the above is not the case, then you might need to have the system admin create a local DNS entry for the two servers you need to go between. This can be just internal names unless you need people to access these boxes from outside as well.

At my office, we are doing exactly what you are trying to do. I built a content management system that does the primary authentication, and writes a cookie for the base domain. We have several other content management systems that we then linked up to it to use the same authorization by just looking at the right cookie. All the URLs are purely internal and are based on a non-public domain that's visible only from the LANs in three different physical places and anyone dialed into the VPN.

Peter
------------------------------------------------------
Work smarter, not harder.
 
Old March 12th, 2004, 12:34 PM
Imar
Wrox Author

Ha, yes. A very nice solution.

I never realised that the cookie could be read between two machines belonging to the same domain.
For this to work, though, it's important that you set the Domain for the cookie as well (as Peter pointed out to me off-list):
Code:
Response.Cookies["YourCookie"].Value = "A Value";
Response.Cookies["YourCookie"].Path = "/";
Response.Cookies["YourCookie"].Domain = "YourDomain";
With this code, Fred (whoever that is) can read the cookie from ServerA.

Imar


---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
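
The shared-domain cookie discussed in the two posts above, applied to the forms authentication ticket itself, as an added example (not code from the original posts). The class name `SharedDomainAuth` is an assumption and `mydomain.com` is the placeholder domain from Peter's post; every application is assumed to use the same `<machineKey>` and the same forms cookie name in web.config.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper, shared by every application that trusts the cookie.
public class SharedDomainAuth
{
    // Placeholder base domain from the discussion above.
    private const string BaseDomain = "mydomain.com";

    // Issue the forms ticket as a cookie that every host under BaseDomain
    // receives. Each of those hosts can then read the ticket, so the domain
    // should contain only applications that are meant to share the login.
    public static void SignIn(HttpResponse response, string userName)
    {
        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, now, now.AddMinutes(30), false, "");

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,   // must match in all apps
            FormsAuthentication.Encrypt(ticket));
        cookie.Path = "/";
        cookie.Domain = BaseDomain;
        cookie.Secure = true; // assumption: all the applications run over HTTPS
        response.Cookies.Add(cookie);
    }

    // A browser only replaces a cookie with one that has the same name,
    // Domain and Path, so signing out has to repeat the Domain set at sign-in.
    public static void SignOut(HttpResponse response)
    {
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, "");
        cookie.Path = "/";
        cookie.Domain = BaseDomain;
        cookie.Expires = DateTime.Now.AddYears(-1);
        response.Cookies.Add(cookie);
    }
}
```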
 
Old August 24th, 2004, 09:25 AM
caveman_dick
Registered User

Hi Looking for a saint!!!:D

I have been trying to do this domain based authentication for about 4 days now and I'm getting VERY frustrated :(. According to the tutorial http://www.codeproject.com/aspnet/as...nglesignon.asp it looks really easy and I have followed the steps exactly but it just will not work for me!!

Going through the steps I have set the domain in the cookie as per the rules, set the machine key on both web.configs to be the same, and set up the form names to be the same in the authentication part of the web.config.

Also the apps are actually on the same machine. It's just that there will be several different apps with their own authentication but I just need a "Portal" site so they can log in and choose the site they wish to go to without having to relogin.

If anyone has any suggestions as to why it doesn't work for me or has a sample project that I could take a peek at I would be eternally grateful!!!

Thanks in advance!!





