Setting up persistent forms authentication on multiple servers and subdomains

北荒 2021-02-04 20:09

I'm trying to set up forms authentication across multiple servers and subdomains. I have static machine keys set up for each application like so:



        
2 Answers
  • So, after a long slog I discovered MS security bulletin MS11-100, which patches an elevation of privilege vulnerability in forms authentication. Unfortunately, the patch is not backwards compatible. It was applied to our load balanced servers, but not to the server hosting the application that created the initial log-in, which meant that the balanced servers couldn't deserialize the authentication ticket written by the app server.

    Per the MS deployment guidance article, if you find yourself in this situation, you can add

    <add key="aspnet:UseLegacyFormsAuthenticationTicketCompatibility" value="true" />
    

    to the appSettings section in the web.config for applications on the machines with the patch installed (or to the machine-level config). Or, better yet, make sure your hosting management company applies the patch to all of your servers at the same time...

  • 2021-02-04 20:37

    For me it works adding these keys in the appsettings:

        <add key="aspnet:UseLegacyEncryption" value="true" />
        <add key="aspnet:UseLegacyFormsAuthenticationTicketCompatibility" value="true" />
    
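An added example, not part of either answer: a Python audit that reports which servers' web.config files enable the two compatibility switches named above and which servers' `machineKey` attributes differ from the first server's. The server names, the `audit` and `_cfg` helpers and the placeholder key values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Compatibility switches named in the answers above.
LEGACY_KEYS = {
    "aspnet:UseLegacyFormsAuthenticationTicketCompatibility",
    "aspnet:UseLegacyEncryption",
}
MACHINE_KEY_ATTRS = ("validationKey", "decryptionKey", "validation", "decryption")

def audit(configs):
    """configs: {server: web.config text}. Returns (legacy_flags, mismatched_servers)."""
    legacy, keys = {}, {}
    for server, text in configs.items():
        root = ET.fromstring(text)
        # A switch counts as enabled only when its value is "true".
        enabled = sorted(
            add.get("key") for add in root.iterfind("appSettings/add")
            if add.get("key") in LEGACY_KEYS
            and (add.get("value") or "").strip().lower() == "true"
        )
        if enabled:
            legacy[server] = enabled
        mk = root.find("system.web/machineKey")
        keys[server] = None if mk is None else tuple(mk.get(a) for a in MACHINE_KEY_ATTRS)
    # A missing machineKey means auto-generated keys, which never match another server.
    baseline = next(iter(keys.values()), None)
    mismatched = sorted(s for s, k in keys.items() if k is None or k != baseline)
    return legacy, mismatched

# Constructed sample configs; key material is placeholder text, not real keys.
def _cfg(validation_key, legacy):
    adds = "".join(f'<add key="{k}" value="true" />' for k in legacy)
    return (f'<configuration><appSettings>{adds}</appSettings><system.web>'
            f'<machineKey validationKey="{validation_key}" decryptionKey="PLACEHOLDER_DEC" '
            f'validation="SHA1" decryption="AES" /></system.web></configuration>')

SAMPLE = {
    "app01": _cfg("PLACEHOLDER_VAL_A", []),
    "web01": _cfg("PLACEHOLDER_VAL_A", ["aspnet:UseLegacyFormsAuthenticationTicketCompatibility"]),
    "web02": _cfg("PLACEHOLDER_VAL_B", sorted(LEGACY_KEYS)),
}

if __name__ == "__main__":
    legacy, mismatched = audit(SAMPLE)
    for server, flags in legacy.items():
        print(f"{server}: legacy switch enabled: {', '.join(flags)}")
    print("machineKey differs from first server:", mismatched or "none")
```
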