Background:
I have two web applications, set up on different web servers, which are currently both IIS6. Application 1 (A1 - a1.domain.com) uses the forms auth cookie set by application 2 (A2 - a2.domain.com).
In A1 web.config I have:
<authentication mode="Forms">
  <forms name=".ASPXAUTH" domain="domain.com" protection="All" path="/" loginUrl="http://a2.domain.com/login.aspx" timeout="60" />
</authentication>
In A2 web.config I have:
<authentication mode="Forms">
  <forms name=".ASPXAUTH" domain="domain.com" protection="All" path="/" loginUrl="login.aspx" timeout="60" />
</authentication>
These two applications also share machineKey values in web.config.
This works perfectly without any problems.
Problem:
I am upgrading A1 to use .NET 4.0 and run in IIS7, and now the shared forms authentication does not work. I am still redirected to the correct login page on A2 and I can see that it sets the auth cookie, but when I go back to A1 the authentication fails with the following error (from Event Viewer):
Forms authentication failed for the request. Reason: The ticket supplied was invalid.
I have tried:
- Setting up upgraded version of A1 in IIS6 (this worked - so no compatibility issues between forms auth in different .NET versions in IIS6)
- Setting up upgraded A1 in IIS7 using a local login page i.e. copied login page from A2 into A1 and set A1 loginUrl="login.aspx" (also works)
This has left me guessing that there is some compatibility issue caused by the auth cookie being created under an IIS6 site being used to authenticate users under an IIS7 site.
Does anyone know how to solve this?
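
One way to check that the two web.config files agree on the settings a shared forms-auth ticket depends on, as an added example that is not part of the original post. The function names and the machineKey placeholder values are assumptions; a setting reported as "implicit" is not set in at least one file, so each runtime falls back to its own default.

```python
import xml.etree.ElementTree as ET

# Attributes both sites must agree on to read each other's ticket.
# loginUrl and timeout may legitimately differ per application.
CHECKS = {
    "authentication/forms": ("name", "domain", "protection", "path"),
    "machineKey": ("validationKey", "decryptionKey", "validation", "decryption"),
}

def settings(web_config_xml):
    """Return {"element/@attr": value or None} for the attributes in CHECKS."""
    root = ET.fromstring(web_config_xml)
    found = {}
    for path, attrs in CHECKS.items():
        elem = root.find(".//" + path)
        for attr in attrs:
            found[f"{path}/@{attr}"] = None if elem is None else elem.get(attr)
    return found

def compare(a_xml, b_xml):
    """List (setting, problem) pairs that can make a shared ticket unreadable."""
    a, b = settings(a_xml), settings(b_xml)
    findings = []
    for key in a:
        # Key material is hex, so compare it case-insensitively.
        norm = str.upper if key.endswith("Key") else str
        if a[key] is None or b[key] is None:
            # Not set explicitly: each runtime falls back to its own default.
            findings.append((key, "implicit"))
        elif norm(a[key]) != norm(b[key]):
            findings.append((key, "mismatch"))
    return findings

# Constructed samples: the forms elements are copied from the post, the
# machineKey values are placeholders (the post does not show them).
A1 = """<configuration><system.web>
  <authentication mode="Forms">
    <forms name=".ASPXAUTH" domain="domain.com" protection="All" path="/"
           loginUrl="http://a2.domain.com/login.aspx" timeout="60" />
  </authentication>
  <machineKey validationKey="PLACEHOLDER0A" decryptionKey="PLACEHOLDER0B" />
</system.web></configuration>"""
A2 = A1.replace("http://a2.domain.com/login.aspx", "login.aspx")

if __name__ == "__main__":
    for setting, problem in compare(A1, A2):
        print(f"{problem:9} {setting}")
```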