OWIN Authentication cookie sharing between ASP.NET MVC and Webforms Applications with same MachineKey

6
votes

I have a legacy webforms application and are building out a new MVC version to replace it. Both need to run side by side for some time and I need single sign on to work. Previously, the users logged in via the webforms application and I was successfully able to set forms authentication such that the MVC application could authenticate via the cookie.

New login forms are now completed in the MVC app and users will now be required to login from these. The MVC application uses Identity 2.x and OWIN. I originally attempted to configure the OWIN cookie to match match the settings in the legacy webforms app but could not get the webforms app to read the cookie and authenticate a user.

Since then I decided to install Indentity 2.x and OWIN into the webforms application. I have made the settings identical. Expiry is 30 mins and the Domain is "" and Path is "/". I can see the cookie being generated from the MVC app but it isn't being picked up by the webforms application. I keep receiving the Access Denied message.

app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            CookieName = Settings.Default.CookieName,
            CookiePath = Settings.Default.CookiePath,
            CookieDomain = Settings.Default.CookieDomain,
            LoginPath = new PathString(Settings.Default.CookieLoginPath),
            ReturnUrlParameter = Settings.Default.CookieReturnUrl,
            ExpireTimeSpan = Settings.Default.CookieExpireTimeSpan,
            SlidingExpiration = Settings.Default.CookieSlidingExpiration,
            Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(30),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });

I have left the machinekey settings (which previously worked for forms authentication) the same. I did however removed the forms authentication from both configuration files.

Have I mis-configured something or is there more configuration required to enable sharing of the OWIN cookie between applications with the same machinekey?

UPDATE

  1. Created a new webforms application with Individual User Accounts.
  2. Added the MachineKey
  3. Changed the configuration of the MVC app the standard settings (replicating a new project)

The new webforms app lists the cookie but will still not authenticate the user.

UPDATE See answer below.

1
asp.net-mvcauthenticationwebformssingle-sign-onowin

1 Answers

2
votes

After creating two new applications and getting this to work I hade a baseline and worked backwards from there until I achieved the goal of Single Sign on between the appications. I discovered many things including;

  1. The MachineKey is not required for single sign on between app for 4.5 and above. <httpRuntime targetFramework="4.5"/> is all you require.
  2. Turn forms authentication off
  3. And most importantly don't attempt to integrate Identity 2.x and OWIN manually by copying from a base project as you are likely to miss a namespace or important file. The project will build and run and literally drive you bonkers whilst you try to find what you missed. Use the nuget packages and delete what you don't need.

So in the end I did need to add Identity 2.x and OWIN into my legacy webforms app, basically upgrading to the new authentication pipeline in 4.5 to make it work.

Hope this post helps save somebody some valuable time and effort.

IMPORTANT UPDATE: When attempting to deploy in IIS even though you do not have any machine keys specified in the configuration (and that works locally) it won't work when deployed. In the end I used the MVC app as the parent and the legacy webforms app as a child and this required that the parent app have the following configured;

<machineKey decryptionKey="AutoGenerate" validationKey="AutoGenerate" />