We have a Production environment, http://abc.contoso.com (actual URL changed to ), to which users log in using FBA (Forms-Based Authentication). To verify the same content on the staging server, developers change the URL to http://preview.abc.contoso.com and use the "open redirect" to log on to the site. This works because the login cookies are still present in the browser and are also sent to the preview site.
Recently, this feature stopped working and returned a custom error page.
On examining the Application event log on the staging server, we saw the following error:
Log Name: Application
Source: ASP.NET 2.0.50727.0
Date: 11/20/2011 5:04:38 AM
Event ID: 1315
Task Category: Web Event
Event code: 4005
Event message: Forms authentication failed for the request. Reason: The ticket supplied was invalid.
Eventually we found that the issue was caused by a .NET Framework security update that had been applied to the Production server (Windows 2003 SP2) but not to the Staging server (Windows 2008 SP1).
The patch is MS11-100: Description of the security update for the .NET Framework 2.0 SP2 on Windows XP and Windows Server 2003: December 29, 2011, http://support.microsoft.com/kb/2656352
Reason for the behavior
This patch updated the "System.Web" DLL located at C:\Windows\Microsoft.NET\Framework64\v2.0.50727 on the Production box, while the Staging box was not updated. The DLL versions were now as shown below:
Production: Windows Server 2K3 x64 SP2 with System.Web DLL 2.0.50727.3634
Staging: Windows Server 2K8 R2 x64 SP1 with System.Web DLL 2.0.50727.3618
The "System.Web" DLL handles the encryption and decryption of the Forms Authentication cookie/ticket, so it should be the same version on the box that issues the ticket and the box that validates it.
(For a detailed read about Microsoft's implementation of Forms Authentication and the encryption and decryption of cookies, these links provide in-depth information:
An excerpt from the article above:
The forms authentication ticket is used to tell the ASP.NET application who you are. Thus, the ticket is the building block of Forms Authentication's security.
The ticket is encrypted and signed using the <machineKey> configuration element of the server's Machine.config file. ASP.NET 2.0 uses the decryptionKey and the new decryption attribute of the <machineKey> element to encrypt forms authentication tickets. The decryption attribute lets you specify the encryption algorithm to use. ASP.NET 1.1 and 1.0 use 3DES encryption, which is not configurable. Tampering with the ticket value is determined by a failure to decrypt the ticket on the server. As a result, the user will be redirected to the logon page.
If the application is deployed in a Web farm, you must make sure that the configuration files on each server share the same value for the validationKey and decryptionKey attributes in the <machineKey> tag, which are used for hashing and decryption of the ticket respectively. You must do this because you cannot guarantee which server will handle successive requests. For more information about FormsAuthenticationTicket)
We uninstalled KB 2656352 from the Production server (Windows Server 2K3 x64 SP2), which fixed the issue by bringing the "System.Web" DLL back down to 2.0.50727.3618.
This is a temporary solution, and it leaves Production without the MS11-100 security fix. The long-term solution is to make sure that the patches on all environments match, so that the "System.Web" DLL has the same version everywhere.
For this to be easily achieved, the OS versions may also need to be the same across environments, e.g. Windows 2003 on all environments, or Windows 2008 on all environments, or Windows 2008 R2 on all environments, etc.
Additionally, even the OS service packs need to match: if you have Windows 2003 SP1, maintain the same service pack on all environments; if Windows 2008 SP2, then the same service pack across all environments, etc.
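To catch this kind of drift before users see "The ticket supplied was invalid", the following PowerShell script compares the System.Web.dll file version and the presence of KB2656352 across the environments. It is an added example, not part of the original post; the server names are placeholders, and it assumes the admin share (C$) and remote Get-HotFix access are available from the machine running it.

```powershell
# Added example: report System.Web.dll version and KB2656352 status per server,
# and warn when the versions differ (the condition that broke ticket sharing above).
# Assumptions: host names below are placeholders; C$ admin share and remote
# Get-HotFix (WMI) access are permitted from the machine running this script.

$servers     = @('PROD-WEB01', 'STAGE-WEB01')   # placeholder host names
$dllRelative = 'Windows\Microsoft.NET\Framework64\v2.0.50727\System.Web.dll'
$kb          = 'KB2656352'                      # MS11-100 for .NET 2.0 SP2 (from the post)

$report = foreach ($s in $servers) {
    $dllPath = "\\$s\C$\$dllRelative"

    # File version of the DLL that encrypts/decrypts the forms authentication ticket
    $version = if (Test-Path $dllPath) {
        (Get-Item $dllPath).VersionInfo.FileVersion
    } else {
        'not found'
    }

    # Whether the security update that changed the DLL is installed on this server
    $hotfix = Get-HotFix -ComputerName $s -ErrorAction SilentlyContinue |
              Where-Object { $_.HotFixID -eq $kb }

    [pscustomobject]@{
        Server       = $s
        SystemWebVer = $version
        KB2656352    = [bool]$hotfix
    }
}

$report | Format-Table -AutoSize

# More than one distinct System.Web version means tickets issued by one
# environment may be rejected by another (event 4005 / "ticket supplied was invalid").
$distinct = $report |
            Where-Object { $_.SystemWebVer -ne 'not found' } |
            Select-Object -ExpandProperty SystemWebVer -Unique

if (@($distinct).Count -gt 1) {
    Write-Warning "System.Web.dll versions differ across environments: $($distinct -join ', ')"
    Write-Warning 'Forms authentication tickets may fail to decrypt between these servers.'
} else {
    Write-Output 'System.Web.dll version is consistent across the listed servers.'
}
```

Run it from a machine that can reach all environments; a mismatch in either column is the cue to align patch levels rather than to remove the update from the patched box.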