search

Letractively / securityswitch

Automatically exported from code.google.com/p/securityswitch
Other
0 stars 0 forks source link

CrossAppRedirect with SecuritySwitch #8

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago 
What steps will reproduce the problem?
1. Log into site A.
2. Redirect to site B.

What is the expected output? What do you see instead?
I expect the redirect to work, but I am getting an Information message in the 
Event Log that says:

Forms authentication failed for the request. Reason: The ticket supplied was 
invalid. 

If I remove SecuritySwitch from the equation, my solution goes back to working. 

My sites are setup to use CrossAppRedirection and my web.config <forms> tag is 
setup as so:

    <authentication mode="Forms">
      <forms name=".ASPXFORMSAUTH" protection="All" enableCrossAppRedirects="true" loginUrl="~/login/default.aspx" timeout="2880" slidingExpiration="true" ticketCompatibilityMode="Framework40" domain=".mydomain.com" requireSSL="true" />
    </authentication>

I do have matching <machinekey> tags as I have stated above that the redirect 
works without SecuritySwitch in place.

What version of the product are you using? On what operating system?
4.0.4063

Please provide any additional information below.

Original issue reported on code.google.com by rattri...@gmail.com on 29 Mar 2011 at 3:04

GoogleCodeExporter commented 8 years ago 
What does your securitySwitch configuration section look like with regards to 
the base URI attributes and the login path entry?

Original comment by vent...@gmail.com on 29 Mar 2011 at 11:20

GoogleCodeExporter commented 8 years ago 
Most of the time, these issues are related to the authentication setup or some 
proxy or other in-the-middle device causing issues.

First, setting requireSSL to true will likely cause issues when you access 
pages without SSL. If you have pages that you want users to get to via HTTP 
after logging in, and you still need to get at their username/authentication 
ticket, it won't work with this setting. The browser will only send the auth 
ticket (which is a cookie) if the request is made via HTTPS.

Second, I question that you set the forms auth domain to ".mydomain.com". The 
leading period may cause some issue as well. Have you tried setting the domain 
to just "mydomain.com"?

Original comment by vent...@gmail.com on 2 Apr 2011 at 6:44

GoogleCodeExporter commented 8 years ago 
I apologize for taking so long to get back with you. It appears as if the 
requireSSL setting was what was causing this to blow up. Thank you very much 
for getting my head straight as I thought I had tried every possible 
combination.

Original comment by rattri...@gmail.com on 21 Apr 2011 at 1:02

GoogleCodeExporter commented 8 years ago 
I'm glad you got it figured out!

Original comment by vent...@gmail.com on 21 Apr 2011 at 9:39