Single Sign-On Across .Net Web Apps Using Forms Based Authentication

    Foreword: Please read this explanation of Forms Based Authentication (FBA) first if you are unfamiliar with how FBA works or is implemented.

    Achieving single sign-on capabilities using Forms Based Authentication is much easier than I had initially expected, yet it took a while to find the exact settings required.  To get FBA working in SharePoint, click here for a good starter from the SharePoint team blog.  I also used this article from MSDN as a reference for ultimately determining what settings were necessary in our environment.

    Small back story for what we are doing.  We have a SharePoint farm that has split authentication: Windows Integrated for users on the network at the office and FBA for users out in the field on the extranet.  Separate from our SharePoint farm is a .Net web application to assist with password reset and registration.  When the user logs in to SharePoint via FBA they are redirected to the external application if there is any problem with their account.  We wanted to implement single sign-on between the applications so that a user wasn’t re-prompted for credentials after the redirect.

     The general solution involved the following main items:

  • Changes to both applications’ web.config files
  • Configuring host headers for each app to be in the same domain lookup
  • 1 line of code to read authentication cookie


    So let’s review what was added to get this working starting with the web.config entries.

<system.web>
   <authentication mode="Forms">
      <forms name="nameOfCookie"
         loginUrl="loginPage.aspx"
         path="/"
         domain="mydomain.com"
         protection="All"/>
   </authentication>
   <machineKey validationKey="value" decryptionKey="value"
       validation="value" decryption="value" />
</system.web>

    For the web.config entries you'll need to ensure that both apps are set to Forms authentication.  Next specify a "name" value, which identifies your authentication cookie on the receiving application.  By default this value is ".ASPXAUTH".  Specify the domain that each web application will be run under.  Using host headers your site URLs might look like "site1.mydomain.com" and "site2.mydomain.com"; the shared domain attribute is what lets the browser send the cookie to both hosts.  Specify protection="All" so that the authentication cookie is both encrypted and validated (signed) using the machineKey values that you specify.  Lastly, provide identical machineKey entries on each web application so that both can read the authentication cookie provided by the other; if either app auto-generates its keys, the cookie from the other app will fail validation.  I used a free random machine key generator in my development environment, but you'll probably want your security team to handle generating and keeping track of keys for non-development environments.
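    The settings above only work when both web.config files agree on them. The following checker, added here as an example and not code from the post, parses a pair of web.config documents and reports any of the mismatches that would break cookie sharing (different cookie name or domain, protection other than All, missing or differing machineKey). The sample configs are constructed and their key values are placeholders.

```python
"""Consistency check for the web.config pair a forms-auth SSO setup relies on.
Added example, not code from the post; the sample configs below are constructed
and their key values are placeholders, not real key material."""
import xml.etree.ElementTree as ET

FORMS_ATTRS = ("name", "domain", "path", "protection")   # must agree across apps
FORMS_DEFAULTS = {"path": "/", "protection": "All"}     # ASP.NET defaults if omitted
# Identical on both apps, or neither can decrypt/validate the other's ticket.
MACHINEKEY_ATTRS = ("validationKey", "decryptionKey", "validation", "decryption")

def _attrs(root, tag, defaults=None):
    """Attributes of the first <tag> element layered over defaults; {} if absent."""
    node = root.find(f".//{tag}")
    merged = dict(defaults or {})
    if node is not None:
        merged.update(node.attrib)
    return merged

def sso_findings(config_a, config_b):
    """Return findings as strings; an empty list means the pair is consistent."""
    roots = [ET.fromstring(c) for c in (config_a, config_b)]
    forms = [_attrs(r, "forms", FORMS_DEFAULTS) for r in roots]
    keys = [_attrs(r, "machineKey") for r in roots]
    out = []
    for i, (r, f) in enumerate(zip(roots, forms), 1):
        if _attrs(r, "authentication").get("mode") != "Forms":
            out.append(f"app{i}: authentication mode is not Forms")
        if f["protection"] != "All":
            out.append(f"app{i}: protection={f['protection']!r}, expected All")
        if not f.get("domain"):
            out.append(f"app{i}: no domain attribute, cookie is bound to one host")
    for a in FORMS_ATTRS:
        if forms[0].get(a) != forms[1].get(a):
            out.append(f"forms {a} differs: {forms[0].get(a)!r} vs {forms[1].get(a)!r}")
    for a in MACHINEKEY_ATTRS:
        if not keys[0].get(a) or not keys[1].get(a):
            out.append(f"machineKey {a} missing in an app (auto-generated keys differ per app)")
        elif keys[0][a] != keys[1][a]:
            out.append(f"machineKey {a} differs between apps")
    return out

CONFIG_A = """<configuration><system.web>
  <authentication mode="Forms">
    <forms name="nameOfCookie" loginUrl="loginPage.aspx" path="/" domain="mydomain.com" protection="All"/>
  </authentication>
  <machineKey validationKey="PLACEHOLDER_VK" decryptionKey="PLACEHOLDER_DK" validation="SHA1" decryption="AES"/>
</system.web></configuration>"""
CONFIG_B = CONFIG_A   # second app configured identically: the cookie is shared
# Second app with its own decryptionKey and no domain: the cookie will not be shared.
CONFIG_BAD = CONFIG_A.replace('domain="mydomain.com" ', "").replace("PLACEHOLDER_DK", "OTHER_DK")
```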

    The next step involved configuring each site to use host headers assigned to the same domain.  This article from TechNet gives a brief intro to get you started.  As stated just above, I configured the web app URLs to appear as “site1.mydomain.com” and “site2.mydomain.com” to match my entries in the web.config.
    Lastly is the code required to read the authentication cookie.  If you read the explanation article linked in the foreword above you'll see that after logging in using forms authentication, the browser sends the authentication cookie containing the currently authenticated user (along with other data) back to the server with each subsequent request.  Because the cookie is scoped to the shared domain and both apps share a machineKey, the receiving page in the other web application can decrypt the cookie and read who is currently authenticated even though they never logged in again to the other application.  Here is the code to explicitly reference that cookie.
// "nameOfCookie" must match the name attribute of the <forms> element in web.config
string loggedInUser = FormsAuthentication.Decrypt(Request.Cookies.Get("nameOfCookie").Value).Name;
    And that wraps up the changes to my web apps to allow single sign-on for forms based authentication.  If your web applications are SSL enabled I believe there are a few additional settings you’ll need, but they should be covered in the links I provided.  I hope this helps you or at least gives you some good resources to refer to for FBA.  If you have any questions, comments, or other feedback feel free to leave it below.
    -Frog Out

10 thoughts on “Single Sign-On Across .Net Web Apps Using Forms Based Authentication”

  1. Originally posted on: https://briantjackett.com/archive/2009/09/03/single-sign-on-across-.net-web-apps-using-forms-based-authentication.aspx#564372
     Hi. Here it is said that you need to manually fetch authenticated user data from cookies on the SharePoint side. Does it mean that SharePoint does not do it automatically? My problem is that when I log in on the asp.net login form, then the sharepoint starts throwing a 500 internal server error, and on the login page it says argument exception. It seems to be related to claims, but I’m not sure. Question: is it possible to share the authentication cookies between asp.net and sp2010 without manually getting the cookie user from cookies? Thanks.

  2. Originally posted on: https://briantjackett.com/archive/2009/09/03/single-sign-on-across-.net-web-apps-using-forms-based-authentication.aspx#564414
     Tengiz, This article was written for SharePoint 2007 Forms Based Authentication, but many of the concepts apply to 2010 as well. I’m still new to Claims Based Authentication so I’m not sure how that changes up what happens at the lower levels. As for passing cookies between the applications, if they contain the same machineKey values in the <system.web> entry in the web.config then they should be automatically opened by each other. My line to manually decrypt the cookie was so that we could get the user name in the destination application. It is not necessary for this sharing to work. Let me know if you have further questions.

  3. Originally posted on: https://briantjackett.com/archive/2009/09/03/single-sign-on-across-.net-web-apps-using-forms-based-authentication.aspx#564560
     Brian, Thanks for your reply. Actually, when making the machineKey elements look the same way the cookie gets passed through, but the sharepoint throws an error saying “ArgumentException – parameter name: encodedValue”. This proves that the cookie gets passed correctly; and as soon as I remove the cookie (by signing out on the asp.net site), the error on sharepoint disappears. That makes me think that sharepoint does some special kind of encoding/decoding, which is not compatible with the asp.net standard way. So, I guess the cookie needs to be created on the asp.net side using some special way. And right now I have no clue what to do with it.

  4. Originally posted on: https://briantjackett.com/archive/2009/09/03/single-sign-on-across-.net-web-apps-using-forms-based-authentication.aspx#564606
     I also tried to implement it the same way as in this article, as Tengiz is doing. Login with the asp.net application and redirect to the sharepoint site after validation and write authentication cookies: <authentication mode="Forms"> <forms loginUrl="http://btwin7:1000/Login.aspx?APPS=http://btwin7:8000" enableCrossAppRedirects="true" path="/" protection="All" timeout="2880" /> </authentication> Getting the same issue: 500 internal server error. I traced the authentication cookie using the fiddler tool. Both applications (sharepoint and the asp.net application) give a different size of authentication cookie. Help us to implement this.

  5. Originally posted on: https://briantjackett.com/archive/2009/09/03/single-sign-on-across-.net-web-apps-using-forms-based-authentication.aspx#634226
     Hello Brian, Good post. I have a question. I have a Sharepoint application that uses split authentication. Once the user is logged in to Sharepoint (they could be internal users from the AD or external users validated against a custom table), I need to redirect the user from Sharepoint to a custom web app and pass the authentication cookie to the web app. In your post you talk about redirection only when the users login via FBA in Sharepoint. Would this work in both of the following scenarios? 1) User A is validated against AD in Sharepoint and when logged in is redirected to the Web App. 2) User B logs in to Sharepoint. Being an external user, they are validated against a table and then once logged in, they are directed to the Web App. Are there additional steps I need to do for this? I appreciate your help. Thanks, Raja

  6. Originally posted on: https://briantjackett.com/archive/2009/09/03/single-sign-on-across-.net-web-apps-using-forms-based-authentication.aspx#634371
     Raja, How are external users logging in? Are they using NTLM, FBA, ADFS, or another authentication provider? If you set your web application to allow multiple authentication providers (ex. NTLM and FBA), you will automatically get a login page where they will choose their authentication method. You can place logic on that page to handle different sets of users in different fashions (ex. any request from a user with an internal IP address follows route 1 in your scenario and external IPs follow route 2). You can create a custom login page using the steps on this blog post: http://blogs.msdn.com/b/kaevans/archive/2010/07/09/creating-a-custom-login-page-for-sharepoint-2010.aspx