owjeff
Member
136 Points
37 Posts
Forms Auth failure after patch install
Sep 30, 2010 06:35 AM
Customers are reporting receiving the following errors after patch installation:
Event code: 4005
Event message: Forms authentication failed for the request. Reason: The ticket supplied was invalid.
This is an ASP.NET 3.5 SP1 app running on an IIS 6 webfarm. All members of the webfarm already had matching decryption and validation keys in their root web.config files before the patch - only thing that has changed is patch installation. Could this have something to do with stored auth cookies on the users' systems?
OrcsWeb: Managed Windows Hosting Solutions
"Remarkable Service. Remarkable Support."
NXTwoThou
Member
167 Points
66 Posts
Re: Forms Auth failure after patch install
Sep 30, 2010 01:00 PM
Exact same issue here. I double-checked all three servers, and the machine.config and web.configs of the sites have matching validation and decryption keys, along with validation="SHA1" decryption="3DES" still set identically.
owjeff
Member
136 Points
37 Posts
Re: Forms Auth failure after patch install
Sep 30, 2010 01:14 PM
We had the devs change the name of the forms auth cookie - thereby expiring everyone's login. That may have solved it - still trying to confirm.
pitz
Member
54 Points
14 Posts
Re: Forms Auth failure after patch install
Sep 30, 2010 05:07 PM
Is the authentication info persistent (i.e., auth cookie persists in the browser system)? Yes, this would break because the encrypted form of the cookie has changed with the addition of the HMAC. When the persisted encrypted ticket is resubmitted (the forms auth cookie resubmitted), it will fail validation. As mentioned, changing the auth cookie name is one way to expire everyone's persisted auth, because, in essence, they will be non-existent and new ones will be issued after authentication.
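A simplified model of the format mismatch described in the post above, as an added example that is not part of the thread and does not reproduce ASP.NET's actual ticket layout. The toy cipher, the `TKT1` header, the keys and the `hmac_format` flag are assumptions; `hmac_format=False` models an unpatched node (or, as an assumption, a patched node running with `aspnet:UseLegacyEncryption`), and the sample ticket is constructed.

```python
import hashlib
import hmac

ENC_KEY = b"constructed-decryption-key"  # stand-in for the farm's shared decryptionKey
MAC_KEY = b"constructed-validation-key"  # stand-in for the farm's shared validationKey
TAG_LEN = hashlib.sha1().digest_size     # 20-byte HMAC-SHA1 tag
MAGIC = b"TKT1"                          # hypothetical ticket header for this model


def _toy_cipher(data: bytes) -> bytes:
    """XOR keystream standing in for 3DES; illustration only, not secure."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(ENC_KEY + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def issue(ticket: bytes, hmac_format: bool) -> bytes:
    """Cookie value as produced by a node using the old or the new format."""
    blob = _toy_cipher(MAGIC + len(ticket).to_bytes(2, "big") + ticket)
    if hmac_format:
        blob += hmac.new(MAC_KEY, blob, hashlib.sha1).digest()
    return blob


def validate(cookie: bytes, hmac_format: bool):
    """Return the ticket, or None ("The ticket supplied was invalid")."""
    if hmac_format:
        blob, tag = cookie[:-TAG_LEN], cookie[-TAG_LEN:]
        expected = hmac.new(MAC_KEY, blob, hashlib.sha1).digest()
        if len(cookie) <= TAG_LEN or not hmac.compare_digest(tag, expected):
            return None
        cookie = blob
    plain = _toy_cipher(cookie)
    body = plain[6:]
    if plain[:4] != MAGIC or int.from_bytes(plain[4:6], "big") != len(body):
        return None
    return body


def farm_matrix(ticket: bytes = b"user=alice;persistent=1"):
    """(issuer uses HMAC format, validator expects it) -> ticket accepted?"""
    return {(i, v): validate(issue(ticket, i), v) == ticket
            for i in (False, True) for v in (False, True)}
```

Only the two matching combinations in `farm_matrix()` accept the ticket: a persisted pre-patch cookie fails on a patched node, and a cookie issued by a patched node fails on an unpatched farm member, even though the keys are identical throughout.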
micahmarkman
Member
2 Points
1 Post
Re: Forms Auth failure after patch install
Oct 01, 2010 07:25 PM
We're having a similar issue, except when trying to have single sign-on turned on across multiple applications on the same w2k8 server (one asp.net 1.1 and some 3.5sp1). We've installed all the patches, but now the 3.5sp1 apps cannot see the authentication from the 1.1 app as they could before the patch was applied.
We've tried changing the authentication cookie name, updating the machine keys, cycling the worker processes, and rebooting the server. Nothing resolves the problem.
Any suggestions?
gabpaiz3
Member
2 Points
1 Post
Re: Forms Auth failure after patch install
Oct 01, 2010 07:40 PM
We are having the same issue on 2003 servers. The thing is, we have seven servers but only two of them are having the problem. Update: turns out we only have the updates installed on two servers.
Weerdo
Member
4 Points
2 Posts
Re: Forms Auth failure after patch install
Oct 05, 2010 10:42 AM
owjeff
Member
136 Points
37 Posts
Re: Forms Auth failure after patch install
Oct 05, 2010 06:21 PM
Is this a webfarm? You need to install the patch on all members of a webfarm.
beetz12
Member
16 Points
3 Posts
Re: Forms Auth failure after patch install
Oct 05, 2010 10:06 PM
We are using .NET Framework 3.5 and .NET 1.1 with a central login page and are having the same issue.
I found a partial solution to this issue. However, it requires uninstalling the .NET Framework 1.1 Security Patch (KB2416477).
After you uninstall this patch, we just had to add the following line to the web.config file in the 3.5 framework web solution to resolve the problem.
<appSettings>
  <add key="aspnet:UseLegacyEncryption" value="true" />
</appSettings>
If anyone has found a way to make legacy encryption work after installing the 1.1 security patch and others, please share your solution.
Regards,
Beetz12
owjeff
Member
136 Points
37 Posts
Re: Forms Auth failure after patch install
Oct 07, 2010 11:08 PM
We've seen similar issues on a few apps that aren't using central login. Setting UseLegacyEncryption fixed that temporarily. Trying to nail down the source.