Getting ASP.Net authentication to work on a web farm

You've built your website. You've tested it locally. You upload it to your hosting provider and everything seems fine. Then you notice that when you're browsing pages controlled by authentication, you keep getting logged out. Luckily it's simple to solve.

Hosting a website on a web farm or behind a load balancer introduces some issues that you will not see when testing your application in a single-server environment. One of them is authentication.

Gimme the low down

When a user logs in, an authentication ticket is created. This is stored in a cookie and allows the user to navigate the site without having to log in on every request.

When your application starts, a machineKey is created. Its validationKey is used to sign the authentication ticket (and its decryptionKey to encrypt it). When a user's authentication is checked by the server, this same machineKey is used to validate and decrypt the ticket.

The problem

By default a machineKey is automatically generated when the application is started. When hosted on a web farm, each server will have a different machineKey. One server will authenticate you and create an authentication ticket. Then, when you browse to a different section of the site, that request may go to a different server. That server will check your ticket against its own machineKey, the check will fail, and the user will be redirected to the login page.

Specifying the machineKey

Luckily we can specify the machineKey ourselves in web.config. All servers will then use the same key and will not auto-generate one on application start. To do this we need to generate a key, which can be done via this site http://aspnetresources.com/tools/machineKey. It will generate an element like so.

<machineKey
    validationKey="21F090935F6E49C2C797F69BBAAD8402ABD2EE0B667A8B44EA7DD4374267A75D7AD972A119482D15A4127461DB1DC347C1A63AE5F1CCFAACFF1B72A7F0A281B"
    decryptionKey="ABAA84D7EC4BB56D75D217CECFFB9628809BDB8BF91CFCD64568A145BE59719F"
    validation="SHA1"
    decryption="AES" />

Include this in your web.config under <system.web>. Now when you deploy to your web farm, all servers will use the same machineKey and your users will stay logged in.
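As an added example (not code from the original post), the script below does two things. First, it generates a validationKey and decryptionKey of the same sizes as the sample element above using the operating system's random generator, so the secret is produced on your own machine rather than on a third-party website, and prints a ready-to-paste <machineKey> element. Second, it models the farm failure described earlier: a ticket MACed under node A's key is rejected when checked under node B's auto-generated key, and accepted once both nodes share the key from web.config. The ticket format, the two-node simulation and the function names are simplifications of my own; ASP.NET's real forms-authentication cookie format differs, and the decryptionKey (AES) side is not modelled.

```python
"""Added example (not from the original post): generate a machineKey locally
and model why a ticket issued on one farm node fails on another."""
import base64
import hashlib
import hmac
import json
import secrets

# Key sizes match the page's sample element: a 64-byte validationKey
# (128 hex chars) and a 32-byte decryptionKey (64 hex chars, AES-256).
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32
MAC_LEN = hashlib.sha1().digest_size  # 20 bytes for validation="SHA1"


def generate_machine_key(validation="SHA1", decryption="AES"):
    """Return (validationKey, decryptionKey, <machineKey> element).
    secrets.token_hex draws from the OS CSPRNG, so the key never leaves the host."""
    validation_key = secrets.token_hex(VALIDATION_KEY_BYTES).upper()
    decryption_key = secrets.token_hex(DECRYPTION_KEY_BYTES).upper()
    element = (
        "<machineKey\n"
        f'    validationKey="{validation_key}"\n'
        f'    decryptionKey="{decryption_key}"\n'
        f'    validation="{validation}"\n'
        f'    decryption="{decryption}" />'
    )
    return validation_key, decryption_key, element


def sign_ticket(validation_key_hex, ticket):
    """Simplified ticket: base64(payload || HMAC-SHA1(payload)).
    Only the dependence on the validationKey is modelled here."""
    payload = json.dumps(ticket, sort_keys=True).encode()
    mac = hmac.new(bytes.fromhex(validation_key_hex), payload, hashlib.sha1).digest()
    return base64.b64encode(payload + mac).decode()


def verify_ticket(validation_key_hex, cookie):
    """Return the ticket dict if the MAC verifies under this node's key,
    otherwise None (the case where ASP.NET sends the user back to login)."""
    raw = base64.b64decode(cookie)
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(bytes.fromhex(validation_key_hex), payload, hashlib.sha1).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(payload)


def farm_accepts_ticket(shared_key):
    """Two hypothetical nodes: A issues the ticket, B checks it. With shared_key
    both read the same web.config value; otherwise each auto-generates its own."""
    key_a, _, _ = generate_machine_key()
    key_b = key_a if shared_key else generate_machine_key()[0]
    cookie = sign_ticket(key_a, {"name": "alice", "expires": "2030-01-01T00:00:00Z"})
    return verify_ticket(key_b, cookie) is not None


if __name__ == "__main__":
    _, _, element = generate_machine_key()
    print(element)  # paste under <system.web> on every node
    print("auto-generated keys:", farm_accepts_ticket(shared_key=False))  # False
    print("shared machineKey:  ", farm_accepts_ticket(shared_key=True))   # True
```

Treat the generated validationKey as a credential: whoever holds it can mint tickets that every node in the farm will accept, so keep the element out of public source control and rotate it if it leaks. On ASP.NET 4.0 and later the element also accepts validation="HMACSHA256", which the validation parameter of generate_machine_key lets you emit in place of SHA1.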

Resources:

MSDN - Explained: Forms Authentication in ASP.NET 2.0

MSDN - machineKey Element