If broken it is, fix it you should

Using the powers of the debugger to solve the problems of the world - and a bag of chips    by Tess Ferrandez, ASP.NET Escalation Engineer (Microsoft)

Forms authentication fails after installing IIS 7.5

Forms authentication fails after installing IIS 7.5

  • Comments 10

I recently had a customer that just moved from Windows 2008 to Windows 2008 R2 (changing from IIS 7 to IIS 7.5) and after the move they got some weird forms authentication errors in the event log

The problem

They have two applications (MyWebApp and MyLoginWebApp) where forms authentication is dealt with in MyLoginWebApp

<authentication mode="Forms">
  <forms name="MyAppAuth" loginUrl="/MyLoginWebApp/Default.aspx" protection="All" timeout="720" path="/" slidingExpiration="true" />
</authentication>

Once the user is authenticated they are redirected back to MyWebApp but on the redirect, forms authentication fails (and logs events like the below), and redirects back to the MyLoginWebApp application.

Event ID: 1315
Event message: Forms authentication failed for the request
Reason: The ticket supplied was invalid

The two applications are setup to run in different application pools in order to avoid problems occurring in one of the apps to affect the other.

Autogenerated machine keys

Forms authentication requires a machine key to encrypt and decrypt the ticket and this has to be the same on the sending and receiving end.  You can use to specify a manually generated key or use an autogenerated one.

Now, by default when using AutoGenerate machinekeys, the autogenerated machinekey is isolated per application. 

To be able to use the same autogenerated machinekey over multiple applications you need to go in to IIS Manager (on IIS7+) and in the Machine Key settings, uncheck the box for “Generate a unique key for each application”.   If you are running IIS6, you can remove the IsolateApps keyword from the <MachineKey…> tag in Machine.Config to allow for the key to be the same across applications.

If you are crossing applications, and especially if you are in a web farm scenario where you may be crossing machine boundaries, you should consider using a pre-generated Machine Key rather than an autogenerated one.  

Using a manually generated key actually worked for them, but for various reasons they wanted to use an AutoGenerated one and as this worked in IIS 7 they were curious why it didn’t work now.

Troubleshooting

To get to the bottom of the problem I started looking at how these autogenerated keys were stored and what could be causing the two applications to not use the same one.

I found this blog post by Kev talking about exactly that and describing how the autogenkey was stored in the registry.  The blog post actually talks about the exact same issue we are seeing. In his case the reason for the failure was that if the process doesn’t have permissions to write to the registry it has to regenerate the key each time a process starts up.

So just for house keeping, the registry key where the autogenerated key is stored is:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET\2.0.50727.0\AutoGenKeys\S-1-5-21-3520846933-1734744541-1252751799-1013

This seemed to fit our problem pretty well.  When you are separating the apps out into different application pools they run in different processes, and if they didn’t have enough permissions to write the key it would be autogenerated at startup (different ones for the different application pools).

The problem was that I could reproduce this, and I could see the autogen keys in my registry so I knew that we didn’t have trouble writing it. 

While looking at this though, I discovered that my two application pools were running under different users (for example the user for the DefaultAppPool was DefaultAppPool and the user for my TestAppPool was TestAppPool). 

Looking back at the registry key, it contains a SID, so the autogenkey is stored on a per user bases, i.e. in our case, since the two processes are running under different users they would have different autogen keys, which explains why we are seeing issues here.

It turns out that there was a change between 7 and 7.5 that Dave wrote about here where they changed the default identity of the application pool from Network Service to an automatically generated AppPool identity.  So this is why there was a difference between 7 and 7.5 when using autogen keys.

The solution

The solution here is rather obvious once you know the background, either you manually generate a key, rather than using an autogen one, or you change the identity of the application pool to the same user for each app pools. 

Have fun,

Tess

  • Nice post .. :)

    Thanks for pointing out the difference in IIS 7 and IIS 7+

    Thanks,

    Mahesh.

  • That linky to my blog entry is broken (dasBlog permalink fail). This is a better one:

    http://blog.zygonia.net/2006/10/26/ASPNET20AspnetregiisGaSwitch.aspx

    Kev

  • Why does it write something 'user-related' to HKLM instead of to HKCU?

    If it is something that contains the user credential anyway, HKLM is not the best place imho.  Ok, you cannot change that (microsoft has to), I know, but perhaps ask them to 'bug fix' .

  • If you have one app that is hosted in IIS 7 running under an IIS APPPOOL account is there a way to make a windows service run under that account so they can use common keys?  I've tried without any luck.  If its not possible, can you explain why?  I'm far from a security guru so its not obvious why that wouldn't work.  I can give the app pool account access to the aspnetdb database in sql server, but I can't set a windows service to run under it.  

  • I realize that I could create my own account to run everything under, but it seems like being able to use the apppool account for everything would be cleaner.

  • Mike,

    Yepp, that would be the way to go... the apppool user is an auto generated account so you can't really use it for much else.

  • So we have the same issue when moving an app from IIS 7.0 to IIS 7.5 but we have a *manually* generated machine key in the web.config of the application which is the same on each of the 4 servers. Session state is held on a SQL Server. When using the application we constantly get the following error as we bounce between servers via the load balancer,

    Event code: 4005

    Event message: Forms authentication failed for the request. Reason: The ticket supplied was invalid.

    We believe we've met all requirements for servers in this configuration but fail to see why this keeps erroring. Any ideas appreciated on troubleshooting or resolving this issue.

  • Yeah... same problem as Matt Duguid. We have two apps, each running on different app pools, same identity, same machine keys.

    Maybe it is because one pool is .Net 2.0 and the other is 4.0?

  • Same problem as Matt and Douglas. Outer app is .Net 2.0, child app is 4.0 Further details of problem here: stackoverflow.com/.../can-an-asp-net-4-0-application-within-an-asp-net-2-0-site-use-the-same-forms-aut

  • Hi, I configured my application pools with same identity. The form authentication is OK when my application running in win32 mode on Windows 2008 R2 machine. But it does not work when my application running with x64 mode on Windows 2008 R2 x64 machine.

    I checked the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET\2.0.50727.0\AutoGenKeys, the key was not created. And I changed the identity of application pools to a user in Administrator group, the key will be created, the form authentication is OK.

    I think this should be permission issue for the identity. But I could not find what are the minimum rights for the identity. I have assigned full control for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET\2.0.50727.0\AutoGenKeys, but it still does not work.

    Could you give me some suggestions?

Page 1 of 1 (10 items)
Leave a Comment
  • Please add 2 and 8 and type the answer here:
  • Post