Sunday, December 20, 2009

Single Sign-On with Forms Authentication across web applications

In this post, we will discuss Forms Authentication cookies/tickets and how to share one authentication ticket across ASP.NET v1.1 and v2.0 web applications.

First of all, Forms Authentication is configured in the web.config file using the following <authentication> element (attribute names are case-sensitive):

<authentication mode="Forms">
<forms name="cookieName" loginUrl="Logon.aspx" protection="All" timeout="30"></forms>
</authentication>

Here, 'name' in the <forms> element specifies the name of the cookie that stores the logged-in user's identity, 'loginUrl' specifies the page to which anonymous users are redirected to log on, and 'timeout' is the ticket lifetime in minutes. protection="All" ensures that the forms authentication ticket is both encrypted and protected against tampering (a MAC is appended to it).

Encryption and validation of authentication tickets use the algorithms and the decryption/validation keys specified in the <machineKey> element of web.config. The basic outline of the <machineKey> element with its possible attribute values is shown below:

<machineKey validationKey="AutoGenerate|IsolateApps|value"
decryptionKey="AutoGenerate|IsolateApps|value"
validation="AES|MD5|SHA1|3DES"
decryption="Auto|AES|3DES|DES" />

AutoGenerate tells ASP.NET to generate a random key for the machine, and the IsolateApps modifier derives a different key for each web application, so that two applications on the same machine cannot read each other's tickets. The validation and decryption attributes select the algorithms used to protect the authentication cookie. The 'decryption' attribute was introduced in ASP.NET 2.0; ASP.NET 1.0/1.1 always use 3DES.

If you need a single logon to work across multiple applications located in separate virtual directories, those applications must share a common authentication ticket, and a ticket can only be read by an application holding the keys it was protected with. To configure a common authentication ticket, you must therefore generate explicit validationKey and decryptionKey values (not AutoGenerate or IsolateApps) and ensure that every application uses the same values.

If you want to share tickets across all applications on your server, you can set these explicit values on the <machineKey> element in the machine-level Web.config file.
To share tickets across specific applications only, put a <machineKey> element with the common validationKey and decryptionKey values in each of the relevant applications' Web.config files.

You should also make sure that the cookie name and protection attributes of the <forms> element are identical in every application's web.config; otherwise an application either never sees the cookie or fails to validate it. The browser must also send the cookie to every application: for virtual directories under one host this is automatic, since the default cookie path is "/", but applications on different hostnames need a common 'domain' attribute on the <forms> element as well.

An example machineKey element is shown below. These values are for illustration only: never deploy keys that have been published anywhere, because anyone holding the validationKey and decryptionKey can forge a ticket for any user name and sign on to every application that shares them.

<machineKey validationKey="5994662690E9A40938F7C0A35A2B46AE0E1B315006864C9D5B6B5D44F405901EB49A1793DC93B1994EE4CD4BCD2B4C88A5078327B56683FF4F719568F9043922" decryptionKey="128034A8B2BF22E1BF846B5BF88FEB93C1C62077E0B08886" validation="SHA1" decryption="3DES"/>

The important point to note is that the decryption attribute is set to 3DES. This is needed when sharing authentication tickets between ASP.NET 1.1 and 2.0 applications, because 1.1 always uses 3DES: you have to set decryption="3DES" in the web.config of the v2.0 applications and use a 24-byte (48 hex character) decryptionKey, as in the example above.



More information on configuring the <machineKey> element is in the MSDN documentation for that element.

Also make sure that when the user is authenticated in the logon page, a call to FormsAuthentication.SetAuthCookie() is made. This method issues the authentication cookie for the specified user for the current browsing session. The SignOut() method of the same class expires the forms authentication cookie in the browser, and because every application in the single sign-on group reads that same cookie, the user is logged off from all of them at once, including across a web farm that shares the keys. Note that SignOut() only removes the cookie on the client; the ticket itself is not revoked on the server, so a copy of the cookie remains cryptographically valid until its timeout elapses.
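The logon and logoff handlers described above, plus a helper that any other application in the group can use to read the shared ticket, as an added example (this is not code from the original post). It assumes an ASP.NET 2.0 code-behind for Logon.aspx with controls named UserNameTextBox, PasswordTextBox and MessageLabel, and it validates credentials with the v2.0 Membership provider; a v1.1 application would substitute its own user lookup.

```csharp
// Added example, not from the original post. Code-behind for Logon.aspx in the
// application that issues the ticket, plus a helper for any other application
// that shares the same <forms> and <machineKey> settings.
// Assumed control names: UserNameTextBox, PasswordTextBox, MessageLabel.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Logon : Page
{
    protected void LogonButton_Click(object sender, EventArgs e)
    {
        string userName = UserNameTextBox.Text;

        // ASP.NET 2.0 Membership provider; replace with your own user store on 1.1.
        if (!Membership.ValidateUser(userName, PasswordTextBox.Text))
        {
            MessageLabel.Text = "Invalid user name or password.";
            return;
        }

        // Issues the forms cookie: name and protection come from <forms>, the
        // keys from <machineKey>. 'false' = session cookie, gone when the
        // browser closes; 'true' would persist it for the <forms> timeout.
        FormsAuthentication.SetAuthCookie(userName, false);

        // Only follow ReturnUrl back into this site; an absolute URL supplied
        // by the caller would turn the logon page into an open redirect.
        string returnUrl = Request.QueryString["ReturnUrl"];
        if (string.IsNullOrEmpty(returnUrl)
            || !returnUrl.StartsWith("/")
            || returnUrl.StartsWith("//"))
        {
            returnUrl = FormsAuthentication.DefaultUrl;
        }
        Response.Redirect(returnUrl);
    }

    protected void LogoffButton_Click(object sender, EventArgs e)
    {
        // Expires the shared cookie in the browser, so every application that
        // reads the same cookie sees an anonymous user on its next request.
        // The ticket is not revoked server-side: a captured copy stays valid
        // until its timeout elapses.
        FormsAuthentication.SignOut();
        Response.Redirect(FormsAuthentication.LoginUrl);
    }
}

// For any other application in the single sign-on group: decrypt the ticket
// that the logon application issued. Returns null if the cookie is absent,
// cannot be validated (different keys, cookie name or protection), or expired.
public static class SharedTicket
{
    public static FormsAuthenticationTicket Read(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            return null;
        }
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            if (ticket == null || ticket.Expired)
            {
                return null;
            }
            return ticket;
        }
        catch (Exception)
        {
            // Decrypt fails when the MAC check or decryption fails, i.e. the
            // two applications are not using the same <machineKey> values.
            return null;
        }
    }
}
```

In normal operation you do not call SharedTicket.Read yourself: FormsAuthenticationModule decrypts the cookie on every request and exposes the user as User.Identity.Name. The helper is for diagnosing a broken single sign-on setup: if the cookie arrives at the second application but Read returns null, the keys, cookie name or protection setting differ between the two web.config files.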


Listed below are online tools that generate validationKey and decryptionKey values for the <machineKey> element. Bear in mind that a key generated by a third-party web page has been seen by that page; for production, generate the keys on your own machine.

http://aspnetresources.com/tools/keycreator.aspx
http://www.developmentnow.com/articles/machinekey_generator.aspx
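A small console program that generates the two keys locally with the .NET cryptographic random number generator and prints a ready-to-paste <machineKey> element, as an added example that is not part of the original post. It defaults to the 3DES/SHA1 combination the post recommends for mixed v1.1/v2.0 groups; passing "aes" on the command line is an assumed option that switches to a 32-byte AES decryptionKey for groups where every application is v2.0 or later.

```csharp
// Added example, not from the original post: generate <machineKey> values
// locally instead of pasting keys from a web page. Build as a console app.
using System;
using System.Security.Cryptography;
using System.Text;

class MachineKeyGenerator
{
    // Returns 'length' cryptographically random bytes as an upper-case hex
    // string, which is the format <machineKey> expects.
    static string RandomHex(int length)
    {
        byte[] buffer = new byte[length];
        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
        rng.GetBytes(buffer);

        StringBuilder sb = new StringBuilder(length * 2);
        foreach (byte b in buffer)
        {
            sb.Append(b.ToString("X2"));
        }
        return sb.ToString();
    }

    static void Main(string[] args)
    {
        // validationKey: 64 bytes (128 hex characters) is the largest size
        // ASP.NET accepts and matches the example in the post.
        string validationKey = RandomHex(64);

        // decryptionKey: 24 bytes (48 hex characters) for 3DES, required when a
        // v1.1 application must read the ticket. "aes" (assumed option) selects
        // a 32-byte key with decryption="AES" for v2.0-only groups.
        bool use3Des = args.Length == 0 || args[0] != "aes";
        string decryptionKey = RandomHex(use3Des ? 24 : 32);
        string decryption = use3Des ? "3DES" : "AES";

        // Paste the output into every web.config in the single sign-on group.
        Console.WriteLine("<machineKey validationKey=\"{0}\"", validationKey);
        Console.WriteLine("            decryptionKey=\"{0}\"", decryptionKey);
        Console.WriteLine("            validation=\"SHA1\" decryption=\"{0}\" />", decryption);
    }
}
```

Generate the keys once, copy the same element into each application's web.config (or the machine-level Web.config if all applications on the server should share), and treat the output like a password: it is the only secret standing between an attacker and a forged ticket for any user.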

Cheers,