IIS6 & IIS7 forms authentication compatibility
Background:
I have two web applications, set up on different web servers, which are currently both IIS6. Application 1 (A1 - a1.domain.com) uses the forms auth cookie set by application 2 (A2 - a2.domain.com).
In A1 web.config I have:
<authentication mode="Forms">
  <forms name=".ASPXAUTH" domain="domain.com" protection="All" path="/" loginUrl="http://a2.domain.com/login.aspx" timeout="60" />
</authentication>
In A2 web.config I have:
<authentication mode="Forms">
  <forms name=".ASPXAUTH" domain="domain.com" protection="All" path="/" loginUrl="login.aspx" timeout="60" />
</authentication>
These two applications also share machineKey values in web.config.
This works perfectly without any problems.
Problem:
I am upgrading A1 to use .NET 4.0 and run in IIS7, and now the shared forms authentication does not work. I am still redirected to the correct login page on A2 and I can see that it sets the auth cookie, but when I go back to A1 the authentication fails with the following error (from Event Viewer):
Forms authentication failed for the request. Reason: The ticket supplied was invalid.
I have tried:
Setting up upgraded version of A1 in IIS6 (this worked - so no compatibility issues between forms auth in different .NET versions in IIS6)
Setting up upgraded A1 in IIS7 using a local login page i.e. copied login page from A2 into A1 and set A1 loginUrl="login.aspx" (also works)
This has left me guessing that there is some compatibility issue caused by the auth cookie being created under an IIS6 site being used to authenticate users under an IIS7 site.
Does anyone know how to solve this?
Comments (1)
In .NET 4.0 the way authentication tickets are encrypted has changed. If you want to be compatible with older versions you could set the ticketCompatibilityMode attribute like this:
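An added example, not part of the original question or answer: a Python check that compares the ticket-relevant settings of the issuing app (A2) and the consuming app (A1). The sample configs are constructed from the question's snippets; the machineKey values are placeholders, the `validation`/`decryption` attributes on A2 are assumed for illustration, and `ticketCompatibilityMode="Framework20"` is the ASP.NET 4 enum value for the attribute the answer names, not text recovered from the answer.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs modelled on the question; key values are placeholders.
A2_CONFIG = """<configuration><system.web>
  <authentication mode="Forms">
    <forms name=".ASPXAUTH" domain="domain.com" protection="All" path="/" loginUrl="login.aspx" timeout="60" />
  </authentication>
  <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY" decryptionKey="PLACEHOLDER_DECRYPTION_KEY" validation="SHA1" decryption="AES" />
</system.web></configuration>"""

A1_CONFIG = """<configuration><system.web>
  <authentication mode="Forms">
    <forms name=".ASPXAUTH" domain="domain.com" protection="All" path="/" loginUrl="http://a2.domain.com/login.aspx" timeout="60" ticketCompatibilityMode="Framework20" />
  </authentication>
  <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY" decryptionKey="PLACEHOLDER_DECRYPTION_KEY" />
</system.web></configuration>"""

# Attributes both applications must agree on for a shared ticket to validate.
FORMS_ATTRS = ("name", "domain", "path", "protection")
KEY_ATTRS = ("validationKey", "decryptionKey", "validation", "decryption")

def _attrs(xml_text, xpath):
    """Return the attributes of the first element matching xpath, or {}."""
    node = ET.fromstring(xml_text).find(xpath)
    return dict(node.attrib) if node is not None else {}

def compare_shared_auth(issuer_xml, consumer_xml):
    """Return a list of findings; an empty list means the settings line up."""
    findings = []
    for label, xpath, names in (
        ("forms", "system.web/authentication/forms", FORMS_ATTRS),
        ("machineKey", "system.web/machineKey", KEY_ATTRS),
    ):
        issuer, consumer = _attrs(issuer_xml, xpath), _attrs(consumer_xml, xpath)
        for name in names:
            a, b = issuer.get(name), consumer.get(name)
            if a is None or b is None:
                # Unset means a framework default applies, so the pairing
                # cannot be verified from the config files alone.
                findings.append(f"{label}/{name}: not set explicitly ({a!r} vs {b!r})")
            elif a != b:
                findings.append(f"{label}/{name}: mismatch ({a!r} vs {b!r})")
    return findings

if __name__ == "__main__":
    for finding in compare_shared_auth(A2_CONFIG, A1_CONFIG):
        print(finding)
```

With the constructed samples the cookie attributes match, and the check reports that A1 leaves the machineKey `validation` and `decryption` algorithms unpinned while A2 sets them.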