I have several web applications running on a Windows Server 2003 with IIS 6.0.
The applications are running under ASP.NET 2.0.
Recently I installed an MVC 3 web application, which is by its nature ASP.NET 4 based. The forms ticket is not recognized in this new application.
I have the same machineKey settings in the machine.config files of the different ASP.NET versions; they were created using this link: http://aspnetresources.com/tools/machineKey
The configuration in the login web application is like this:
    <authentication mode="Forms">
      <forms name=".WEBAUTH"
             loginUrl="login.aspx"
             protection="None"
             slidingExpiration="true"
             enableCrossAppRedirects="false"
             timeout="43200"
             path="/" />
    </authentication>
And accordingly the configuration of the MVC app is:
    <authentication mode="Forms">
      <forms name=".WEBAUTH"
             loginUrl="http://path2theloginapp/login.aspx"
             protection="None"
             slidingExpiration="true"
             enableCrossAppRedirects="false"
             timeout="43200"
             path="/" />
    </authentication>
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
The login works, but the MVC application always redirects back to the login page.
Now if I change the ASP.NET version of the login web application in the IIS configuration to ASP.NET 4.0, it works. But then all the other applications running on ASP.NET 2 no longer work.
Has anybody solved forms-based authentication in a similar situation?
I had to go the long way and opened a support case with Microsoft.
As it turned out, the relevant security updates from Microsoft Security Bulletin MS11-100 were missing:
http://technet.microsoft.com/en-us/security/bulletin/ms11-100.
Choose your operating system and install the updates for .NET 2.0 and 4.0.
These updates fixed forms-based authentication without reconfiguration of the involved web applications.
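
An added example, not part of the original question or answer: a Python check that reads the `<forms>` element from each application's web.config, confirms that the attributes which must be identical for a shared ticket (`name`, `protection`, `path`) agree, and reports any application whose `protection` is not `All`, since with `None` the ticket is neither encrypted nor validated. The function names and the embedded sample configs are assumptions built from the settings quoted in the question; the check does not cover machineKey or the runtime updates described in the answer.

```python
import xml.etree.ElementTree as ET

# <forms> attributes that must be identical in every application sharing the ticket.
SHARED_ATTRS = ("name", "protection", "path")
# ASP.NET defaults used when an attribute is omitted.
DEFAULTS = {"name": ".ASPXAUTH", "protection": "All", "path": "/"}

# Constructed sample modelled on the login application's settings in the question.
LOGIN_APP = """<configuration><system.web>
  <authentication mode="Forms">
    <forms name=".WEBAUTH" loginUrl="login.aspx" protection="None"
           slidingExpiration="true" enableCrossAppRedirects="false"
           timeout="43200" path="/" />
  </authentication>
</system.web></configuration>"""
# Constructed sample for the MVC application: only loginUrl differs.
MVC_APP = LOGIN_APP.replace('"login.aspx"', '"http://path2theloginapp/login.aspx"')


def forms_settings(config_xml):
    """Return the shared <forms> attributes, or None if mode is not Forms."""
    auth = next(ET.fromstring(config_xml).iter("authentication"), None)
    if auth is None or auth.get("mode") != "Forms":
        return None
    forms = auth.find("forms")
    attrs = forms.attrib if forms is not None else {}
    return {k: attrs.get(k, DEFAULTS[k]) for k in SHARED_ATTRS}


def audit(configs):
    """configs maps an application label to its web.config text; returns findings."""
    findings = []
    settings = {app: forms_settings(xml) for app, xml in configs.items()}
    for app, s in settings.items():
        if s is None:
            findings.append(f"{app}: forms authentication is not enabled")
        elif s["protection"] != "All":
            findings.append(f"{app}: protection={s['protection']}, ticket is not both encrypted and validated")
    active = [s for s in settings.values() if s is not None]
    for attr in SHARED_ATTRS:
        values = sorted({s[attr] for s in active})
        if len(values) > 1:
            findings.append(f"forms/@{attr} differs between applications: {values}")
    return findings


if __name__ == "__main__":
    for line in audit({"login": LOGIN_APP, "mvc": MVC_APP}):
        print(line)
```

Run against the settings as posted, it reports `protection=None` for both applications and no mismatches between them.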