Security :: Single Authentication For Multiple Applications?
Nov 10, 2010
I have three asp.net web applications
,Second and Third applications are accessed throught the first,So Authentication (form authentication) is happening from the first application only , all are deployed on same IIS with seperate virtual directory
Like
1.Localhost/EmpMananger
1. Localhost/Hr
2.Localhost/Payroll
, I used the same Entires in both <machineKey> and
<forms> Elements in webconfig file of all applications,
Applications are working fine and Page.User.Identity are available in all applications but once loginUrl and defaultUrl entry is changed to actual name other than localhost
Eg: localhost/EmpManager/default.aspx To myserver/EmpManger/default.aspx
the authentication ticket is not available in second and third applicaiton
We're using ASP.NET and IIS 6.0. I realise that the definitions of applications, websites and virtual directories are ill-defined in IIS 6, and changed a lot in IIS 7. However, I'm stuck with IIS 6.0 for now.
We have a single web site defined in IIS, and a number of separate sub-sites in Virtual Directories.
The scheme looks like this:-
[URL]
[URL]
site1, site2, ... are virtual directories in IIS 6.0, under the "Default Web Site".
I need to use ASP.NET sessions and forms authentication in most of these sites, and I don't want them to share authentication data or session information at all.
Both the mechanisms currently depend on cookies. However, the cookies created by default use the same name, and have a path of "/" in the browser, meaning the sites' cookies will clash with each other.
Without changing the default name for each cookie, how can I enforce separation between my sub-sites? Do I need to change the virtual directories for IIS 6 "Applications"? Or is there some way in code to enforce a more limited scope for the cookies?
We are upgrading the asp.net 2.0 web application to asp.net 4.0. The application contain three main modules (sub application) like End User, Franchise and Admin with separate web.config, asp.net form Authentication, login page and running with single domain. the URL like,mydomain.com/login.aspxmydomain.com/franchise/login.aspxmydomain.com/admin/login.aspx In asp.net 2.0, working fine with 3 sub applications with separate form authentication under a single domain name and also we can working with all threes in same time. After the up gradation process (ASP.NET 2.0 to 4.0),We didn't run all three applications in same times and also form authentication crossed.
We are having a project which is for various online application systems for an educational institute. (Asp.Net 2.0 Web Site)
initially we developed all applications in single project with proper folder structure. but now we want to make each application as separate product.
all applications share single authentication(Obviusly this is single project) want to keep that way only.
I want to split project in smaller projects but want to keep shared authentication so how should i orgnise this project in IDE.
Also i need guidence on hosting such project
i should make small projects within single solution file. and at the time of publish amke single virtual directory to host the root project(login.aspx etc) and in subdirectories i should host other projects. so this way SSO(single sign on) across applications is possible ..
I already have 2 web applications running. both of them are using membership and accessing the same database but their application names are different. so basically in my aspnet_Users table, i have users with different applicationIDs and in my aspnet_Applications table I have 2 records in there. so i have 2 separate login locations
..app1login.aspx ..app2login.aspx
What my the business wants is to only have a single point of entry. so they want something like this
..applogin.aspx
and by verifying the username and password pair, my code should be able to route to the appropriate app and bypass its login form. (don't be concerned about the duplicate username between applications, it's been taken cared of)
so I'd like to solicit suggestions from you how should I implement this without modifying my existing setup? and where should I place this login web form in my website? this is the current site structure:
I have a bunch of applications that currently share the authentication cookie in v3.5.
We're in the process of upgrading to 4.0 and also upgrading the applications as a whole. I have 1 done, and would love to deploy it. However, as soon as I do, I lose my sharing of authentication cookie in that application.
In each web.config, my machine key is declared. I removed the actual keys to protect the innocent. :)
<machineKey validationKey="..." decryptionKey="..." validation="SHA1"/> <authentication mode="Forms"> <!-- DEV Server --> <forms enableCrossAppRedirects="true" loginUrl="Logon.aspx" name=".COOKIENAMEHERE" protection="All" path="/" slidingExpiration="true" timeout="1440"/> </authentication>
I have a case where i have two asp.net applications, one is hosted on example.com/App1 and the other on /App2.
both applications are password protected using Windows authentication.
App1/default.aspx has a <img src="/App2/somefile.aspx">
Now what happens when i open App1 is that i get the credentials prompt, but because App2 is also protected, the HTTP GET for the img requires me to authenticate, in other words i get two prompts.
Is it possible to do something so that the authentication is for example.com so that both App1 and App2 consider the user authenticated?
I have a .net 1.1 ASP application (domain.com) which has a .net 2 virtual directory (domain.com/v2) beneath it, both applications run within their own app pool on the same Windows Server 2003 machine running IIS 6. The web.config files for both apps are setup for Forms Authentication as described here - [URL]
Users would be directed to the domain.com/v2/login.aspx page which would authenticate for both applications, this configuration has been working fine for the last few years until installing one of the recent Windows 2003 security updates today. Now after authenticating under /v2 users keep getting redirected back to domain.com/v2/Login.aspx as domain.com doesnt see them as authenticated anymore.
which security update would have caused this and if its possible to fix or rollback?
We are upgrading the asp.net 2.0 web application to asp.net 4.0.
The application contain three main modules (sub application) like End User, Franchise and Admin with separate web.config, asp.net form Authentication, login page and running with single domain.
In asp.net 2.0, working fine with 3 sub applications with separate form authentication under a single domain name and also we can working with all threes in same time.
After the up gradation process (ASP.NET 2.0 to 4.0),
We didn't run all three applications in same times and also form authentication crossed.
I have this tutorial on Single Sign On with forms authentication.The following link:
[URL]
I did item number 1 which is "SSO for parent and child application in the virtual sub-directory" and it works fine BUT I can't seem to stay logged in because each time I leave and reenter the application I get redirected to the login page.
Is this an inherent feature of forms authentication?
What happened to authorized cookie generated by forms authentication?
While waiting for responses, I will look for answers.
We have intranet based web application in ASP.Net, needs to be configure for single sign on authentication at client place.
Our client has existing intranet based web site in classic ASP. After successful login to this site in asp, employee will have a link to access our web portal without entering any credentials again. Please note that both sites are having differnet virtual directories or different domains.
Is there any way to achieve this sinlge sign on authentication than LDAP or Cokie based authentication.
Does Microsoft 3.5 provides some enterprise service to acheive the same?
I am using ASP.NET Membership with the default provider. I have a project where there are 3 different applications(seperated by the applicationName). Now I need every user to be able to log in to all the applications, but have a seperate role in each.Is this possible(I dont want to duplicate user details or logins for the same person)?
i am managing three applications .. i hve separate pages in each of these applications for creating users and roles..
can i create a single page where in i can choose for which applications i want to create users..
i am storing the users of each of thse 3 applications in a same database and i hve separate application name for each application in membership provider
I'm not entirely sure if this is the right place to ask, but here goes.
I have a website that uses windows integrated authentication. This is great and the way i want it, BUT, i now have a single .aspx file in that site, that i would like anonymous access to.
I am running this on IIS 6 on a windows server 2003.
How do i go about doing this, if i even can do it? web.config, IIS console or do i need to make a new site for this one file alone?
I have a web application that requires two separate authentication and authorization.
In the root webconfig i configure the security for authenticating and authorizing public users
I also need authentication and authorization for the back end. That is the administrator who will manage the web application.
For this i have a subdirectory "admin" that will contain all the functionality for the back end. In the "admin" subdirectory i have a second web.config and i tried to add all the security for the administrator but it does not let me
Is it possible to have to separate authorization and authentication for a single web application. All the details will be save in microsoft's sql tables generate (for example aspnet... tables)
I've had no problems implementing CAS however I have hit an issue with its timeout. It appears my Uni has the timeout set to about 15 minutes. Some forms (specifically ones for our HR department) take a lot longer than 15 minutes to fill out. The result being that when they click the Save/Submit/whatever button, CAS refreshes its login, sends them back to the same page, and resets the page to default (since it's essentially reaccessing it).
Is there any easy way to force my SSO to refresh at set intervals? I tried to use another page (embedded in an iframe that I added to all .Master pages) whose page load contained:
I currently have a website up and running and working correctly with godaddy.com using the out-of-the box authentication with an aspnetdb sqlserver database. I have users on this site and am very hesitant to change anything with this database or the web.config file from the working site for fear of wrecking it
So, my challenge is that I need to authenticate a separate application using the same aspnetdb.mdf file without any crossover to my 1st application. I've noticed that the ApplicationName that is currently in my aspnetdb database for the working application is just "/". I know that I'll need to have 2 separate entries in the aspnet_Applications table to define these two applications and then somehow register those names within their respective web.config files - but wanted to have step by step instructions on how to this so as to not "break" the 1st working application that is already live.
Can anyone point me to a document on what changes I will need to make?
Also, with the default create user wizards I'm using, how will it know to create the new user information with the correct application ID so that the user information from one application is not visible to managers of the second application and vice/versa?
I have more of the same applications.All tables are identical.Each application has a new user.These different applications are located in different domains such as.: domena1.com, domena2.com, domena3.com.Each domain has different users.
For each domain in the web.config change the "ApplicationName", eg.: ApplicationName = domain1, ApplicationName = DOMAIN2, ApplicationName = domain3 ...
i want to have several domains A, B, C where a user can enter his username and password to login to a common main domain D.
So the user goes to A, B or C, enters his username and password, clicks the "login" button, and is then on the main domain D in a logged in/authenticated state. Then the user does the things he wants to do, and then clicks the logout-button and is then returned to the original domain that he came from, be it A, B or C.
What is the best way to do this?
I currently use forms authentication in ASP.NET 4.0 (C#).
We migrated our web server to window server 2008, IIS 7.
We have single sign on application - that we login through one application called "users" and then no need to login to other applications, they all use the same machine key and cookie.
it works fine when all then applications under the same application pool.
but we have one application that is asp.net 2005. (the rest are asp.net 2003) the user application is in asp.net 2003 and that other application is in asp.net 2005.
so each application is in a different application pool. -
one pool to asp.net 1.1 and other pool to asp.net 2.
when I run the asp.net 2005 application
I get the login page and after I login I get the following errer:
HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.
Requested Url: /users/Unauthorised.aspx
Important: If I switch the "user" application (the login) to work under the same pool as my asp.net 2005 application, then it works fine with the asp.net 2005 application,but I get the above error for the asp.net 2003 applications
All this happened after we switched to IIS 7 Windows 2008, with IIS 6 it works great!
I have developed an asp.net website. I Have Used Asp.Net membership provider.My Question is , I Have Three Roles , For Eg: Basic, Intermediate, Admin ...Now , i need to apply two roles for single page say basic and admin .... How can i do this ... Plz help me .... Thanx in advance ......
if (Roles.IsUserInRole("Admin") == false) Server.Transfer("AccessDenied.aspx");
I am using classified starter kit for various purposes like for business listing,classified listing and event listing.These are 3 independent application with their membership information stored in their independent database.I have used this 3 listings in a portal .I need a single sign on now.
I tried to do with machinekey & cookie .This way user able to login but as there is no record in that database for that user.So even if he post anything in that application it stores memberid field as zero. So in this case what should be done. i am stuck here since few weeks.
I have two applications with a single domain name ([URL] and [URL]). First one has been developed in .NET 2 and the other one with .NET 4. I have configured web.config as these steps:
1- I've set the same machine key for both of them. 2- I've set the coockie name. 3- I've set the domain name to "domain.com". 4- Also, I've set hardcoded coockie domain name to "domain.com" .
Everything was working fine when both of them were running on a single web server. Recently, I've been asked to move test.domain.com to another server. After moving, authentication ticket is not valid on the second server. I tested both of them on a single server again and everything was workinh fine, but in two servers users can't acces to test.domain.com. (Authentication Ticket is invalid)
Edited: The second server is a virtual (VMWare) server. I don't have any problem in physical servers. I checked the server's time to be synchronized. I also used fiddler to see if the server does not get the auth ticket and ther ticket is sent to the 2nd server. Note: Servers are located in different networks and maybe proxy or firewall causes this (I've no idea)
I have a small project I am working on using web developer express, and I am trying to get windows authentication to work with my intranet website project. This website is only to be accessed inside my LAN and not from the internet at all, so I figured windows authentication would be best.What happens when I turn it on (and I've tested this from multiple browsers: IE8, Firefox, Chrome, Safari) is that the website asks the user to log in (via pop up textbox). Not only does it request the user to log in (which I don't think it should, since the login is based on windows authentication and I am on a windows machine already logged into the internal domain) but it requests the user to login multiple times, sometimes I get asked to log in and type in the same username/password combination 12 different times. It seems to me that the asp page is requesting permission to view each individual element and requires authentication to load one object (like an image or text box).
I am severely annoyed. :( I just wanted authentication to work smoothly without any login requests, or at the mostone request.