Using one Asp.net Membership database with multiple applications Single Sign On
Asked Answered
H

2

20

I have two asp.net applications on one IIS server and I would like to use the same back end asp_security database and membership provider. I've read that all I have to do is reference the same application name in both web configs as I'm doing now, but I must be doing something wrong

In each applications web.config I have this section.

<membership>
  <providers>
    <clear/>
    <add name="AspNetSqlMembershipProvider"
              type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
              connectionStringName="membership"
              enablePasswordRetrieval="false"
              enablePasswordReset="true"
              requiresQuestionAndAnswer="false"
              applicationName="/"
              requiresUniqueEmail="false"
              minRequiredPasswordLength="5"
              minRequiredNonalphanumericCharacters="0"
              passwordFormat="Hashed"
              maxInvalidPasswordAttempts="5"
              passwordAttemptWindow="10"
              passwordStrengthRegularExpression=""
              />
  </providers>
</membership>

When I log in from application A and browse to application B application B doesn't seem to know anything about me or my credentials from application A. Anyone have any ideas what I'm doing incorrectly?

Harder answered 16/2, 2010 at 17:0 Comment(0)
H
21

Just for closure sake I will answer how I did achieved the goal of what my original question meant to ask for.

I had two asp.net applications on one IIS server. It was my goal to make it so when user logged onto app1 their user credentials would be available in app2. Configuring the asp.net membership provider is only one step of what I was looking for. Even if both apps were using the same back end database and provider I still wouldn't be authenticated when I hit app2. What I was looking for was a Single Sign On solution.

Once you have both apps pointing at your asp_membership database by placing the following in the system.web section of your web config

<authentication mode="Forms" />
<membership>
  <providers>
    <clear/>
    <add name="AspNetSqlMembershipProvider"
              type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
              connectionStringName="membership"
              applicationName="/"
              />
  </providers>
</membership>
<roleManager enabled="true" />

make sure both have the same applicationname property set.

I was using IIS 6 so I configured it to autogenerate a machine key for both applications. Because both of these applications live on the same machine the key would be identical, this is the critical part to making the SSO work. After setting up IIS the following was added to my web.config

    <machineKey decryptionKey="AutoGenerate" validation="SHA1" validationKey="AutoGenerate" />

That was all there was to it. Once that was done I could log into app1 and then browse to app2 and keep my security credentials.

Thanks for the push in the right direction.

Harder answered 16/2, 2010 at 21:31 Comment(1)
Thank you so much! Your problem was exactly the same as mine. Most of the SSO solutions were quite complex to get going and never quite worked for me, thanks again!Stome
S
2

If my understanding serves me correctly, the users authentication credentails are stored within the HTTP context of each application. So switching between the two applications will not automatically authenticate the user, since a new context will be created when you switch to app B.

What I believe may the correct approach would be to use the DefaultCredentials (or UseDefaultCredentials property to True) of the current user prior to switching to app B.

When you say switch what do you mean eg. open a different browser window and access app B or request a page from appB from appA?

Sabbatarian answered 16/2, 2010 at 17:51 Comment(3)
I think you might be right as I can see my database now but don't have a logged in user when I browse to appB. Which API are you referring to when you are talking about the DefaultCredentials? ...and If I am going to "switch" between applications by site map, do you see a way around of setting this on every page upon exiting? Thanks for yout timeHarder
The UseDefaultCredentials Property in System.Net (msdn.microsoft.com/en-us/library/…). On the second point, i believe that you need set the machine key in both apps web.config files. See this MSDN article for more info msdn.microsoft.com/en-us/library/eb0zx8fc.aspxSabbatarian
you are mistaken. Asp.net forms authentication is tracked in an encrypted ticket. this ticket can be stored in a cookie or in the url. the OP just needs, as he now knows, to ensure that application names are same and that each app shares a common machine key.Sainfoin

© 2022 - 2024 — McMap. All rights reserved.