i have two web site domain1.com and domain2.com user come in domain1.com and i authenticate
it and create authenticate cookie ,is it possible to share this cookie by domain2.com,for
example when user Soto domain2.com is authenticated because it authenticated in domain1.com?
is it possible?
I'm looking for a simple way and these domains are not
a sub domains they are two separate site
notice i don't want use sql server url parameter or other ways
thanks all
Absolutely. Hopefully both sites share the same username database or it is replicated so that you can secure and access content by using the HttpContext.User.Identity.Name.
Anyways, basically you need to update your web.config <authentication> section to be exactly the same between the two sites. This means your machine key, decryption key, algorithm....everything.
Here is the MSDN article with the full directions on how to proceed to share authentication across several applications
This is possible using <authentication> and <machineKey> in your web config.
Machine Key
Contains a decrytion key and validation key. This must be the same in both web configs.
<machineKey
decryptionKey="A225194E99BCCB0F6B92BC9D82F12C2907BD07CF069BC8B4"
validationKey="6FA5B7DB89076816248243B8FD7336CCA360DAF8" />
Auhentication
This must be in both web configs but the values are specific to the application.
<authentication mode="Forms">
<forms name=".ASPXFORMSAUTH"
path="/"
loginUrl="~Membership/login"
protection="ALL"
timeout="1000" />
</authentication>
Related
In our project we provide users with tumblr like subdomains as well as custom domain names like "mydomain.com". So I have one and the same server and one application but different domain names.
Everything works fine with dns and routing but I've faced authentication problem. Shared authentication for main domain and subdomains can be solved by just specifying machine key and domain name in web config.
<authentication mode="Forms">
<forms domain="xxx.com" loginUrl="~/account/logon" timeout="2880" />
</authentication>
But in this case I have "Sign Out" problem, so Signing Out just don't work even after I added these lines of code (all the solutions of this problem I found):
formsAuthentication.SingOut();
Session.Abandon();
HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");
cookie1.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie1);
HttpCookie cookie2 = new HttpCookie("ASP.NET_SessionId", "");
cookie2.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie2);
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetNoStore();
After all I still don't know how to implement cross domain authentication for custom domain names. Is it possible somehome to share authentication data for particular server between any domains? Or maybe I can retrieve this information on server side if I know domain name and machine key?
a workaround is to set the user information in the localstorage the client set from the "main domain" then set a cookie created by subdomain, but for all your sing-in/out operations you will have to use the "main domain" you can search for how stakoverflow and all the siblings sites works because they are using SSO so solve that, anyway maybe this post helps you.
EDIT
for more information how SO solve the auto login issue
I have the following structure for my web application:
In my root web config, not in the Areas/Admin/Web.Config I have the following:
<location path="Areas/Admin">
<system.web>
<authentication mode="Windows"></authentication>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
I have my own authentication working on the main root of the web site no problems by using the [Authorize] tag.
Now for the Areas/Admin I'd like to use Windows Authentication.
In IIS (Server 2008 R2 Machine), I have the Admin folder configured as an application:
And when I click on Areas/Admin in IIS, under Authentication, I have Anonymous disabled, and Windows Authentication Enabled.
However, when I attempt to access this folder via the web site, it does not prompt me for my domain username/password. It just loads up the page.
If I go to www.website.com/Areas/Admin, it then prompts me for the username/password. But I need it to use the AreaRegistration, and have it prompt when I go to www.website.com/Admin.
I've been able to configure an entire site as Windows Authentication, and that works like a charm.
Any thought to lead me in the right direction? Or, if you need more information, please leave me a comment and I will be more than happy to give you what I can.
From doing research, I found that the only way to make this work, is to create a 2nd "admin" site which runs as an application under the main site. Doing so, allowed me to setup permissions on that site.
I am having a problem with getting windows authentication to work on IIS 7.5.
The application is an internal site built in asp.net MVC 3. The application pool is using a specific domain user and the site is using windows authentication. Every time I try to launch the site IE prompts me for a login.
If I cancel enough the site comes up, messed up looking, but it has my name associated with my windows log in displayed at the top. So that tells me that the site is picking up my windows credentials correctly.
I added the Network local user to have read access to the inetpub folder on the server and now it doesn't prompt for login with IE 8. But on chrome I get this error "Error 338 (net::ERR_INVALID_AUTH_CREDENTIALS): Unknown error.".
It is in our intranet sites zone. I should have stated this but I forgot. The site used to work on our old development server but when I upgraded to Win 2008 R2 with IIS 7.5 it stopped working. Used to be on 2003 with IIS 6.0.
I am wondering if any one has any idea what else I can try. I am pretty much spinning my wheels at this point.
I have tried all of the solutions in the links below and none of them have fixed the problem
http://forums.iis.net/t/1177154.aspx
http://forums.iis.net/t/1178188.aspx
Receiving login prompt using integrated windows authentication
http://warnajith.blogspot.com/2011/06/iis-75-401-unauthorized-access-error.html
http://forums.asp.net/t/1639511.aspx/1
https://superuser.com/questions/128746/iis-asks-for-login-pass-when-accessed-using-hostname-but-not-when-localhost-is
http://ask.metafilter.com/183636/Prompted-for-a-username-and-password-when-browsing-to-an-IIS-virtual-directory
IIS 7 and Windows Authentication
Related Note: If you are trying to replicate your site on localhost, and windows authentication is enabled and still fails, the solution is some registry hacking to avoid the loopback check:
Using regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Add a new Multi-String Value to MSV1_0 and name it BackConnectionHostNames
Add the host names you wish to use. Example, "mysite.com".
Restart the IIS.
Source link
The value should be the website name in your windows hosts file.
Also to be able to access a non-authenticated /data folder using PHP's file_get_contents, I had to add this to the applicationHost.config file, to prevent 401 errors.
<location path="mysite.com/data">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true" />
<windowsAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
</location>
I found the answer to this. It is a config setting that isn't mapped in the GUI. I had to go into the application host config file located at <%SystemDrive%>/Windows/System32/inetsrv/config and change the below settings.
default settings where
<windowsAuthentication enabled="true">
<providers>
<add value="Negotiate" />
</providers>
</windowsAuthentication>
Changed to this and it worked.
<windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
<providers>
<add value="NTLM" />
</providers>
</windowsAuthentication>
In order for integrated credentials to be passed by IE, the site needs to be in your Intranet sites zone. It cannot be in trusted sites or any other sites.
I had a similar problem and it was fixed by adding the users group (MYDOMAIN\Users) to the physical folder of the application with read permissions.
i have a similar problem that is only solved by moving NTLM on top of kerberos in the providers as explained by Rory, or by modifying DNS.
The problem only occurs in IIS7 when the host header of the website exists as a CNAME (alias) in the DNS.
in IIS6, Integrated Windows Authentication only uses NTLM by default.
in IIS7, IWS uses kerberos before NTLM by default.
Replacing the CNAME record with an A record solves the problem.
Kerberos has no problems with A records in DNS, but it has problems with aliases.
So apparantly DNS CNAMEs are not compatible with kerberos on Windows 2008.
chris
If the browser prompts you for credential, I think your app pool credential don't have access to some of the resources on your page. Have you tried to create a blank html page and access to that page?
<html>
<body>
hello world!
</body>
</html>
I have a similar problem.
I had an application under Default Web Site that already had Windows authentication enabled but didnĀ“t worked. I solved disabling anonymous authentication on Default Web Site and also Enabling Windows authentication on Default Website.
I have a solution that has two applications. Is it possible to make the user sign in only once?
For example, in the main application I do authentication like this:
FormsAuthentication.SetAuthCookie(ContactFound.ContaLogin, model.RememberMe);
And I put this code in the web.config file:
<authentication mode="Forms">
<forms
loginUrl="~/Account/LogIn"
defaultUrl="~/Account/LogOn"
timeout="15"
/>
</authentication>
What should I add, so that, when the user is logged in, in the main application we don't ask him to log in again when he connect to the second application?
Since you are going to host both applications at the same address, it should be easily possible by setting the <machineKey> (web.config) to the same value for both applications. After that, you should automatically be logged in to one application after logging in to the other.
Further reading:
Single Sign On (SSO) for cross-domain ASP.NET applications (see How authentication works in multiple ASP.NET sites under the same domain)
machineKey Element (ASP.NET Settings Schema)
Single Sign On with Forms Authentication
has anyone implemented signgle sign on in MVC? Can anyone give me any example for single sign on in MVC.
I've implemented a SSO solution between multiple ASP.NET MVC applications hosted on the same parent domain (app1.domain.com, app2.domain.com, ...) by using Forms Authentication and setting the domain property of the cookie in web.config of all applications:
<forms
name="ssoauth"
loginUrl="/login"
protection="All"
timeout="120"
requireSSL="true"
slidingExpiration="false">
domain="domain.com"
/>
When you set the domain property of the cookie, this cookie will automatically be sent by the client browser to all applications hosted on this domain and will be able to authenticated the user automatically.
If you want to implement a cross domain SSO using Forms Authentication here's what you could do:
The user navigates to foo.com and signs in. The application hosted on foo.com uses standard Forms Authentication, nothing fancy.
The user decides to go to bar.com and clicks on a link that you created. This link could contain a token parameter which will contain the encrypted username. This encryption could be done using the machine keys and look something like this: https://bar.com?token=ABC.
The application hosted on bar.com receives the request and because it uses the same machine keys as the other application it is capable of decrypting the token and fetching the username. Then it simply signs in the user by emitting an authentication cookie locally and the user is automatically signed in bar.com.
Below is an example for SSO for websites sharing same domain
http://www.codeproject.com/Articles/27576/Single-Sign-on-in-ASP-NET-and-Other-Platforms
Please see my answer here. Basically you need to set Authentication mode to windows on web.config and use HttpContext class to retrieve user identity which takes data from Active directory
https://stackoverflow.com/a/40938106/950944