<foreword>Please read this explanation of Forms Based Authentication (FBA) first if you are unfamiliar with how FBA works or is implemented. </foreword>
Achieving single sign-on capabilities using Forms Based Authentication is much easier than I had initially expected, yet it took a while to find the exact settings required. To get FBA working in SharePoint, click here for a good starter from the SharePoint team blog. I also used this article from MSDN as a reference for ultimately determining what settings were necessary in our environment.
A short back story on what we are doing. We have a SharePoint farm that has split authentication: Windows Integrated for users on the network at the office and FBA for users out in the field on the extranet. Separate from our SharePoint farm is a .Net web application that assists with password reset and registration. When a user logs in to SharePoint via FBA, they are redirected to the external application if there is any problem with their account. We wanted to implement single sign-on between the applications so that a user wasn't re-prompted for credentials after the redirect.
The general solution involved the following main items:
- Changes to both applications' web.config files
- Configuring host headers so that both apps resolve under the same domain
- One line of code to read the authentication cookie
So let's review what was added to get this working, starting with the web.config entries.
<system.web>
  <authentication mode="Forms">
    <forms name="nameOfCookie"
           loginUrl="loginPage.aspx"
           path="/"
           domain="mydomain.com"
           protection="All"/>
  </authentication>
  <machineKey validationKey="value" decryptionKey="value"
              validation="value" decryption="value" />
</system.web>
For the web.config entries you'll need to ensure that both apps are set to Forms authentication. Next, specify a "name" value, which will be used to identify your authentication cookie on the receiving application; by default this value is ".ASPXAUTH". Specify the domain that both web applications will run under. Using host headers, your site URLs might look like "site1.mydomain.com" and "site2.mydomain.com". Specify protection="All" so that the authentication cookie is both encrypted and signed (validated) using the machineKey values you specify. Lastly, provide identical machineKey entries on each web application so that both can read the authentication cookie issued by the other. I used a free random machine key generator in my development environment, but you'll probably want your security team to handle generating and keeping track of keys for non-development environments.
// Decrypt the shared forms-authentication cookie; the name must match <forms name="..."> in web.config
string loggedInUser = FormsAuthentication.Decrypt(Request.Cookies.Get("nameOfCookie").Value).Name;
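The one-liner above works once everything is configured, but it throws on a missing cookie and on any ticket the local machineKey cannot validate. The following is an added example, not code from the original post: a helper for the receiving application that reads the shared cookie defensively, plus a generator for the shared <machineKey> element. It assumes both web.config files carry identical <forms name/domain/protection> and <machineKey> entries as shown above; the class and method names (SharedAuthCookie, TryGetUserName, MachineKeyGenerator) are my own.

```csharp
// Added example, not part of the original post. Assumes both applications
// share the <forms> and <machineKey> settings shown in the web.config above.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

public static class SharedAuthCookie
{
    // Returns the user name carried by the shared cookie, or null when the
    // cookie is missing, cannot be validated/decrypted with this application's
    // machineKey (keys differ between the two apps, or the value was altered),
    // or the ticket has expired. Treat null as "not signed in", not as an error.
    public static string TryGetUserName(HttpRequest request)
    {
        // FormsCookieName is read from <forms name="..."> in web.config, so the
        // cookie name cannot drift from the configuration.
        HttpCookie cookie = request.Cookies.Get(FormsAuthentication.FormsCookieName);
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return null;

        FormsAuthenticationTicket ticket;
        try
        {
            // With protection="All" the ticket is HMAC-checked with validationKey
            // and then decrypted with decryptionKey; a key mismatch fails here.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            // Any validation or decryption failure (the exact exception type
            // varies by framework version) means the cookie is not trusted.
            return null;
        }

        if (ticket == null || ticket.Expired)
            return null;

        return ticket.Name;
    }
}

public static class MachineKeyGenerator
{
    // Returns byteCount cryptographically random bytes as an upper-case hex
    // string, the format the <machineKey> attributes expect.
    public static string NewKeyHex(int byteCount)
    {
        byte[] bytes = new byte[byteCount];
        using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(bytes);
        }
        StringBuilder hex = new StringBuilder(byteCount * 2);
        foreach (byte b in bytes)
        {
            hex.Append(b.ToString("X2"));
        }
        return hex.ToString();
    }

    // Builds one <machineKey> element to paste into BOTH web.config files:
    // a 64-byte validationKey for HMACSHA256 (use validation="SHA1" with the
    // same key length on .NET 2.0/3.5) and a 32-byte decryptionKey for AES-256.
    public static string NewMachineKeyElement()
    {
        return string.Format(
            "<machineKey validationKey=\"{0}\" decryptionKey=\"{1}\" " +
            "validation=\"HMACSHA256\" decryption=\"AES\" />",
            NewKeyHex(64), NewKeyHex(32));
    }
}
```

Call SharedAuthCookie.TryGetUserName(Request) from a page or an HttpModule on the receiving application. Two points worth keeping in mind with this setup: sharing the machineKey means each application fully trusts tickets minted by the other, so the keys must be protected and rotated on both sides together; and the domain="mydomain.com" setting sends the cookie to every host under that domain, so keep the domain no wider than the hosts that need it and set requireSSL="true" on the <forms> element so the cookie is only sent over HTTPS.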
Originally posted on: https://briantjackett.com/archive/2009/09/03/single-sign-on-across-.net-web-apps-using-forms-based-authentication.aspx#528042
Thanks for sharing.
Originally posted on: https://briantjackett.com/archive/2009/09/03/single-sign-on-across-.net-web-apps-using-forms-based-authentication.aspx#564372
Hi. Here it is said that you need to manually fetch authenticated user data from cookies on the SharePoint side. Does it mean that SharePoint does not do it automatically? My problem is that when I log in on the asp.net login form, then SharePoint starts throwing a 500 internal server error, and on the login page it says argument exception. It seems to be related to claims, but I'm not sure. Question: is it possible to share the authentication cookies between asp.net and sp2010 without manually getting the cookie user from cookies? Thanks.
Originally posted on: https://briantjackett.com/archive/2009/09/03/single-sign-on-across-.net-web-apps-using-forms-based-authentication.aspx#564414
Tengiz, this article was written for SharePoint 2007 Forms Based Authentication, but many of the concepts apply to 2010 as well. I'm still new to Claims Based Authentication so I'm not sure how that changes what happens at the lower levels. As for passing cookies between the applications, if they contain the same machineKey values in the <system.web> entry in the web.config then they should be automatically opened by each other. My line to manually decrypt the cookie was so that we could get the user name in the destination application. It is not necessary for this sharing to work. Let me know if you have further questions.
Originally posted on: https://briantjackett.com/archive/2009/09/03/single-sign-on-across-.net-web-apps-using-forms-based-authentication.aspx#564560
Brian, thanks for your reply. Actually, when making the machineKey elements look the same way, the cookie gets passed through, but SharePoint throws an error saying "ArgumentException – parameter name: encodedValue". This proves that the cookie gets passed correctly; and as soon as I remove the cookie (by signing out on the asp.net site), the error on SharePoint disappears. That makes me think that SharePoint does some special kind of encoding/decoding, which is not compatible with the asp.net standard way. So, I guess the cookie needs to be created on the asp.net side using some special way. And right now I have no clue what to do with it.
Originally posted on: https://briantjackett.com/archive/2009/09/03/single-sign-on-across-.net-web-apps-using-forms-based-authentication.aspx#564606
I also tried to implement it the same way as in this article, as Tengiz is doing. Login with the asp.net application and redirect to the SharePoint site after validation and write authentication cookies:
  <authentication mode="Forms">
    <forms loginUrl="http://btwin7:1000/Login.aspx?APPS=http://btwin7:8000" enableCrossAppRedirects="true" path="/" protection="All" timeout="2880" />
  </authentication>
Getting the same issue: 500 internal server error. I traced the authentication cookie using the Fiddler tool. Both times the application (SharePoint and asp.net application) gives a different size of authentication cookie. Help us to implement this...
Originally posted on: https://briantjackett.com/archive/2009/09/03/single-sign-on-across-.net-web-apps-using-forms-based-authentication.aspx#564658
Praveen, I'm sorry to say that I'm not sure where your error is occurring. This topic is not one of my strong areas of expertise. I relied on other sources (like the two articles I linked to above) for most of my information.
Originally posted on: https://briantjackett.com/archive/2009/09/03/single-sign-on-across-.net-web-apps-using-forms-based-authentication.aspx#578106
Hi guys, did any of you implement this in SharePoint 2010 and make it work? If not, do you know of any alternative method? I implemented this in 2007 and it works just fine, but in 2010 I am getting errors.
Originally posted on: https://briantjackett.com/archive/2009/09/03/single-sign-on-across-.net-web-apps-using-forms-based-authentication.aspx#630849
Has anybody succeeded in implementing SSO between asp.net and SharePoint 2010 FBA configured with ldapmembership?
Originally posted on: https://briantjackett.com/archive/2009/09/03/single-sign-on-across-.net-web-apps-using-forms-based-authentication.aspx#634226
Hello Brian, good post. I have a question. I have a SharePoint application that uses split authentication. Once the user is logged in to SharePoint (they could be internal users from the AD or external users validated against a custom table), I need to redirect the user from SharePoint to a custom web app and pass the authentication cookie to the web app. In your post you talk about redirection only when the users log in via FBA in SharePoint. Would this work in both of the following scenarios?
1) User A is validated against AD in SharePoint and when logged in is redirected to the web app.
2) User B logs in to SharePoint. Being an external user, they are validated against a table and then, once logged in, they are directed to the web app.
Are there additional steps I need to do for this? I appreciate your help. Thanks, Raja
Originally posted on: https://briantjackett.com/archive/2009/09/03/single-sign-on-across-.net-web-apps-using-forms-based-authentication.aspx#634371
Raja, how are external users logging in? Are they using NTLM, FBA, ADFS, or another authentication provider? If you set your web application to allow multiple authentication providers (ex. NTLM and FBA), you will automatically get a login page where they will choose their authentication method. You can place logic on that page to handle different sets of users in different fashions (ex. any request from a user with an internal IP address follows route 1 in your scenario and external IPs follow route 2). You can create a custom login page using the steps on this blog post: http://blogs.msdn.com/b/kaevans/archive/2010/07/09/creating-a-custom-login-page-for-sharepoint-2010.aspx