I’ve scoured the web for an answer to this and while I’ve found similar issues like this one, I’ve yet to find a specific answer.
I’ve got an MVC web site using Forms Authentication to provide login support (this is basically out-of-the-box login support in MVC).
In the same domain, I’ve got a WCF REST service with a single method.
What I’m trying to do is see if I can leverage Forms Authentication from within the service to see if the requester has already ‘signed in’ via the MVC application. Following some other posts I found, I’ve made sure that the web.config files (w.r.t. Forms Authentication) are the same (same machine key, etc.).
Here’s the problem: I can sign in via the MVC site (and thus, get my authentication ticket via cookie). When I make a GET request to my service (remember, on same domain as MVC) I can see that the “.ASPXAUTH” cookie is getting sent with the request.
But, I get a “400 Bad Request” response each time. Further, the body of the response is indicating
“The server encountered an error processing the request…”
Additional observations:
- If I remove the .ASPXAUTH cookie from the request (using Fiddler or curl for instance), the request goes through without issue
- I can use Fiddler or curl to send a request to a secured page in the MVC app and include the same .ASPXAUTH cookie and this works as expected (a 200 response with expected content in response body).
- (the strange one) I can set a break point in my Service application within the Application_AcquireRequestState method in global.asax.cs and hit it when I send the request.
- I can then examine HttpContext.Current.User.Identity and see that IsAuthenticated is true and Name is showing my expected username (from the initial login via MVC app)
- A break point in the very first executable line of code within my service method is never hit.
Of course, when I remove the .ASPXAUTH cookie, both break points in my service are hit (and, naturally, the Identity is not authenticated in this case).
So, it would seem to me that:
- Forms Authentication is working as I’d hoped it would work within my service. I can detect that the request is authenticated and then move on that information.
- I crash and burn somewhere in the ASP.NET pipeline after Forms Authentication does its thing but before my service method gets called.
I’ve had no luck finding any references to a similar problem out there and would appreciate another set of eyes (or several thousand sets of eyes) to point out what I hope is a very silly and obvious answer.
(If there is a specific area of code anyone would like to see, I can add as requested. I didn’t want to further burden an already overly-worded post with tons of random code samples)
Not so much an answer to the question as a workaround. However, I think it’s the more appropriate approach to the underlying goal.
I ported the functionality to a ServiceStack-based solution. My guess is that the conflict was arising somewhere within the WCF REST Starter Kit code I had been using but I did not do an exhaustive analysis.
In any event, the underlying goal of leveraging Forms Authentication between an MVC site and my service was accomplished with this new model.