I have several web applications running on a Windows Server 2003 with IIS 6.0.
The applications are running under ASP.NET 2.0.
Recently I have installed a
It's one of the breaking changes in ASP.NET 4.0:
Default Hashing Algorithm Is Now HMACSHA256
ASP.NET uses both encryption and hashing algorithms to help secure data such as forms authentication cookies and view state. By default, ASP.NET 4 now uses the HMACSHA256 algorithm for hash operations on cookies and view state. Earlier versions of ASP.NET used the older HMACSHA1 algorithm.
Your applications might be affected if you run mixed ASP.NET 2.0/ASP.NET 4 environments where data such as forms authentication cookies must work across .NET Framework versions. To configure an ASP.NET 4 Web application to use the older HMACSHA1 algorithm, add the following setting in the Web.config file:
<machineKey validation="SHA1" />
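A simplified model of the mismatch described above, as an added example that is not part of the original answer and not ASP.NET code: a cookie tagged with HMAC-SHA1 is rejected by a verifier expecting HMAC-SHA256 even when both sides share the same key. The token layout (payload followed by tag), the key and the ticket contents are constructed assumptions and not the real forms authentication ticket format.

```python
import hashlib
import hmac

# Maps a machineKey "validation" value to a hash; only the two discussed above.
ALGORITHMS = {"SHA1": hashlib.sha1, "HMACSHA256": hashlib.sha256}


def protect(payload: bytes, key: bytes, validation: str) -> bytes:
    """Append an HMAC tag to the payload (simplified signed-cookie model)."""
    tag = hmac.new(key, payload, ALGORITHMS[validation]).digest()
    return payload + tag


def unprotect(blob: bytes, key: bytes, validation: str):
    """Return the payload if the tag verifies under `validation`, else None."""
    digest = ALGORITHMS[validation]
    size = digest().digest_size  # 20 bytes for SHA1, 32 bytes for SHA256
    if len(blob) < size:
        return None
    payload, tag = blob[:-size], blob[-size:]
    expected = hmac.new(key, payload, digest).digest()
    # Constant-time comparison, as any MAC check should use.
    return payload if hmac.compare_digest(tag, expected) else None


def demo():
    key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # constructed key
    ticket = b"user=alice;expires=2012-01-01T00:00:00Z"          # constructed payload
    cookie = protect(ticket, key, "SHA1")  # issued by the ASP.NET 2.0 side
    return {
        # Same key, but the 4.0 default algorithm: tag length and value differ.
        "4.0 default (HMACSHA256)": unprotect(cookie, key, "HMACSHA256"),
        # 4.0 side configured with <machineKey validation="SHA1" />.
        'validation="SHA1"': unprotect(cookie, key, "SHA1"),
        # Modified payload with the original tag must still be rejected.
        "tampered": unprotect(b"user=admin" + cookie[10:], key, "SHA1"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:28} -> {'accepted' if result else 'rejected'}")
```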
I had to go the long way and opened a support case with Microsoft.
As it turned out, the relevant security updates from Microsoft Security Bulletin MS11-100 were missing:
http://technet.microsoft.com/en-us/security/bulletin/ms11-100.
Choose your operating system and install the updates for .NET 2.0 and 4.0.
These updates fixed forms-based authentication without reconfiguration of the involved web applications.