Wrox Programmer Forums
You are currently viewing the ASP.NET 1.1 section of the Wrox Programmer to Programmer discussions.
 
[March 10th, 2004, 07:19 AM] Registered User (Join Date: Mar 2004, Posts: 6)
Forms Authentication Across Multiple Servers

Hi. I would greatly appreciate it if anyone can suggest solutions to my current problem. I am really lost as to what's wrong right now...

I have an authentication system on one server (Server A) using forms authentication, and after creating the auth cookie, the users can access applications residing on other servers (Server B). However, when I direct the users to applications on Server B, the authentication fails and the user is always directed back to Server A again. I have created the same machineKey in both web.config files and would really like to know what could be wrong with my implementation. Please advise. Thanks!

Web.Config in Server A's Authentication System
 <authentication mode="Forms">
    <forms name="MDLPortal.Web"
        loginUrl="Security/Login.aspx"
        timeout="30"
        path="/"
        protection="All">
    </forms>
 </authentication>
 <authorization>
    <deny users="?" />
 </authorization>
 <!-- explicit keys: every server that must accept this ticket needs the identical values -->
 <machineKey
    validationKey='C3E13A064A6F1A32C0488463C500D7CFF10D3A85BCFC8BB0BD00F5E3CB960C04E1600D576E95E5F3FE5B1DD5530BDF79D1B608765C2B296AC546A9E7446B247E'
    decryptionKey='195964242BFBCD75F9EC90995D0C70C593B9DA220C110983'
    validation='SHA1' />


Web.config in Server B's applications
 <authentication mode="Forms">
    <forms name="MDLPortal.Web"
        loginUrl="http://rospc/MDLPortal/Security/Login.aspx"
        timeout="30"
        path="/"
        protection="All">
    </forms>
 </authentication>
 <authorization>
    <deny users="?" />
 </authorization>
 <!-- same keys as Server A -->
 <machineKey
    validationKey='C3E13A064A6F1A32C0488463C500D7CFF10D3A85BCFC8BB0BD00F5E3CB960C04E1600D576E95E5F3FE5B1DD5530BDF79D1B608765C2B296AC546A9E7446B247E'
    decryptionKey='195964242BFBCD75F9EC90995D0C70C593B9DA220C110983'
    validation='SHA1' />

 
[March 10th, 2004, 09:29 AM] Friend of Wrox (Join Date: Jun 2003, Posts: 1,110)

Make sure this info is in the root web.config file. You can also place the <machineKey> section in the machine.config file.

 
[March 10th, 2004, 09:38 AM] Imar, Wrox Author (Join Date: Jun 2003, Posts: 17,089)

I wonder if this will ever work. The Authentication is handled by a cookie, and AFAIK, cookies are only sent back by the browser for the current domain. So, a cookie called MyCookie for a server called http://MyServer1 will not be sent to http://Server2, even if that server also uses a cookie called MyCookie. So when you hit Server2, it checks for the cookie, finds none and redirects you to Login.aspx on Server1. I am not 100% sure, but I think this is the way it works.

This is a security mechanism; otherwise it would be too easy to read out your Yahoo, Passport or on-line banking cookies.

Imar

---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
 
[March 10th, 2004, 10:50 AM] Friend of Wrox (Join Date: Jun 2003, Posts: 1,110)

It's supposed to pass the validationKey and decryptionKey from server1 to server2. The default options for validationKey and decryptionKey are autogenerate, but then they wouldn't match, so you have to specify one of 40 to 128 characters, with 128 being recommended.

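A small model of what the matching-key requirement means in practice, added here as an illustration and not code from the thread or from ASP.NET: the ticket is an HMAC-SHA1 (the validation='SHA1' setting in the configs above) over a payload, and it only validates on a server holding the identical key. The keys are constructed for the demo, and the real ticket format and the encryption that protection="All" adds with decryptionKey are not reproduced.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed demo keys (not the keys posted in the thread). Every server that
# must accept each other's tickets shares SHARED_VALIDATION_KEY; a server left
# on the default autogenerate setting effectively holds a private random key.
SHARED_VALIDATION_KEY = bytes.fromhex("7A3C" * 32)   # 128 hex chars, as recommended
AUTOGENERATED_KEY = os.urandom(64)

MAC_LEN = hashlib.sha1().digest_size  # 20 bytes


def issue_ticket(username, validation_key, timeout_minutes=30, now=None):
    """Server A issues a ticket: JSON payload followed by HMAC-SHA1 over it."""
    now = time.time() if now is None else now
    payload = json.dumps({"name": username, "exp": now + timeout_minutes * 60}).encode()
    mac = hmac.new(validation_key, payload, hashlib.sha1).digest()
    return base64.urlsafe_b64encode(payload + mac).decode("ascii")


def validate_ticket(token, validation_key, now=None):
    """Server B validates: returns the username, or None if the MAC does not
    verify under this server's key or the ticket has timed out."""
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha1).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    data = json.loads(payload)
    now = time.time() if now is None else now
    if now > data["exp"]:
        return None
    return data["name"]


if __name__ == "__main__":
    ticket = issue_ticket("alice", SHARED_VALIDATION_KEY)
    print("same key  :", validate_ticket(ticket, SHARED_VALIDATION_KEY))
    print("other key :", validate_ticket(ticket, AUTOGENERATED_KEY))
```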
 
[March 10th, 2004, 10:58 AM] Imar, Wrox Author (Join Date: Jun 2003, Posts: 17,089)

I could be wrong, but aren't these settings used in a Web farm scenario where the reverse of the current situation is taking place? That is, multiple servers are acting as one single site? So, each machine in the farm says "Hi, I am Server 1; hand me your Auth Cookie".

The browser, thinking it's talking to the same Server1 all the time, is more than happy to provide the cookie. Since all encryption keys are the same on all servers, each separate server in the farm can successfully reauthenticate the client.

However, in the current scenario it goes like this: "Hi, I am Server 1; hand me your Auth Cookie". The cookie that is passed is actually Server1\AuthCookie.
The user then arrives at Server 2 which says: "Hi, I am Server 2; hand me your Auth Cookie".
The browser will try to feed it Server2\AuthCookie. This cookie will not exist, reauthentication fails and the user is redirected to the Login page.

Right?

---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
 
[March 10th, 2004, 11:23 AM] Friend of Wrox (Join Date: Jun 2003, Posts: 1,110)

That may be his problem.

 
[March 10th, 2004, 11:30 AM] Imar, Wrox Author (Join Date: Jun 2003, Posts: 17,089)

Yeah, it sure ain't mine.... ;)

Just kidding,


Imar


---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
 
[March 10th, 2004, 10:05 PM] Registered User (Join Date: Mar 2004, Posts: 6)

First of all, thanks for all your replies... I have yet to find a solution to my problem but I think I get what you are saying Imar, about how my situation seems to be the reverse of what's actually taking place in a web farm scenario. I'll continue to do more research and testing and do continue to send your replies in. Two heads are better than one... Thanks a lot guys!

Btw... Quoting stu9820: "That may be his problem." --> Yup, that's my problem... Except that I'm not a 'his'... More like a 'her'... Thanks for everything anyway!

 
[March 10th, 2004, 10:38 PM] Registered User (Join Date: Mar 2004, Posts: 6)

With reference to the web farm scenario, does it mean that if my sites share the same virtual directory name, despite being on two different servers, that it should work? Or must I set up all the web farm implementation, like using stateserver session modes and stuff, in order to make it work? Would appreciate it if anyone can give me any advice on this issue... Thanks!

 
[March 11th, 2004, 03:58 AM] Imar, Wrox Author (Join Date: Jun 2003, Posts: 17,089)

I don't think that the Virtual Dir part is important; it's the first part (domain name / machine name) that determines what cookies are sent by the browser.

A Web farm usually consists of 2 or more computers, orchestrated by some form of load balancing. Consider a simple scenario:

1. You go to www.microsoft.com\default.asp
2. You arrive at a load balancing machine
3. This machine determines you are redirected to the machine WebServer1 (invisibly; your browser thinks it gets its content from www.microsoft.com)
4. You request another page, for example www.microsoft.com\NewApp\default.asp
5. The load balancer can send you to WebServer2, or WebServer3 or wherever it wants for your new request.

All these machines will be able to read the same cookies, meant for microsoft.com (that is, if their path has been set to /). Even if the actual Web site is served up by multiple machines, all that the browser knows is that it is dealing with www.microsoft.com. So, even if you visit \NewApp\, all microsoft.com cookies are visible.

However, should you decide to visit www.msn.com, another Microsoft site, that site won't be able to read the Microsoft cookies.

So, what's important is the first part (domain name + tld, or machine name) that determines the scope of the cookie.

In your scenario, if you want to have two applications share the same login credentials, this will work (At least, I think it will work, with the solution you posted earlier):

http://MyMachine1\MyApp1
http://MyMachine1\MyApp2

For both applications, the browser will see that the request for the cookie comes from MyMachine1, so it happily passes them up (again, provided that the cookies have been set to /).

However, this won't work:

http://MyMachine1\MyApp1
http://MyMachine2\MyApp1

Your browser will see that MyMachine1 is different from MyMachine2, just as www.microsoft.com is different from www.msn.com, and it won't pass up the cookies that have been set by MyMachine1, even if both applications share the same application name (MyApp1).

So, in order for this to work, I think you'll need to have your two applications listen to the same address; starting with http://MyMachine1, for example.

Whether, under the hood, these two applications consist of 1, 2 or 10,000 different Web servers is entirely up to you. What's important is that the browser thinks it's dealing with only one machine.

Does this clarify things?

Imar


---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
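To make the host-scoping argument in the post above concrete, here is an added example (not from the thread) that runs Imar's MyMachine1/MyMachine2 requests through Python's standard-library cookie jar, which applies the same host and path rules a browser does. The host names are constructed, and carry a dot because the cookie jar treats dotless names as ending in .local.

```python
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

COOKIE_NAME = "MDLPortal.Web"   # the <forms name="..."> value from the thread


def make_cookie(name, value, host, path):
    """Build a Netscape-style cookie as a browser stores it after a Set-Cookie
    from `host` with the given Path; no Domain attribute is set, so the cookie
    is scoped to exactly that host (assumption: a plain, non-secure cookie)."""
    return Cookie(version=0, name=name, value=value, port=None, port_specified=False,
                  domain=host, domain_specified=False, domain_initial_dot=False,
                  path=path, path_specified=True, secure=False, expires=None,
                  discard=True, comment=None, comment_url=None, rest={})


def forms_auth_jar(issuing_host, path="/"):
    """Simulate the browser state right after logging in at `issuing_host`
    (constructed placeholder value stands in for the encrypted ticket)."""
    jar = CookieJar()
    jar.set_cookie(make_cookie(COOKIE_NAME, "ticket-placeholder", issuing_host, path))
    return jar


def cookies_sent(jar, url):
    """Return the Cookie header the jar would attach to a request for `url`,
    or None when nothing qualifies, which is what triggers the redirect to
    the login page on the other server."""
    request = Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


if __name__ == "__main__":
    jar = forms_auth_jar("mymachine1.example")
    for url in ("http://mymachine1.example/MyApp1/default.aspx",
                "http://mymachine1.example/MyApp2/default.aspx",
                "http://mymachine2.example/MyApp1/default.aspx"):
        print(url, "->", cookies_sent(jar, url))
```

The jar also shows the path caveat from the post: a cookie set with path="/MyApp1" is withheld from /MyApp2 even on the same host.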