SSO Forms Authentication issue. Unable to decrypt authentication cookie

Question

I'm trying to develop SSO authentication between 2 web applications, application A and application B. Application A is MVC 4 application and application B is MVC 3 application.

What should happen is:

1. When a user tries to access application B, he will be redirected to the login page of application A
2. After he logs in to application A, he will be redirected to application B

What actually happens is:

1. User tries to access application B, he gets redirected to application A for login
2. User logs in to application A, he gets redirected to application B
3. Here something is wrong, because application B redirects the user back to application A for login as if he's not logged in yet

I've done these steps to figure out what's wrong:

1. Confirmed that the authentication cookie is being passed to application B
2. Confirmed that machine key validation and decryption key is the same for both applications in web.config
3. Confirmed enableCrossAppRedirects is enabled in web.config
4. I used the code in this forum post to find out if both applications are able to decrypt the authentication cookie: http://forums.asp.net/t/1762166.aspx/1
5. The authentication cookie is successfully decrypted in application A but not in application B. Application B gives "Unable to validate data" exception during FormsAuthentication.Decrypt method

Can anyone help me with this? Why did the decryption failed even though they're using the same machine key? Can I even still rely on this authentication method? Because this article says that it's not reliable anymore. http://blog.appharbor.com/2012/02/22/asp-net-forms-authentication-considered-broken

Thanks!

Answer 1

Uf.. finally found the issue. The problem was because application A is targeting .NET Framework 4.5 and application B is targeting .NET Framework 4.

I suspected this before but apparently changing the target framework in the Project Properties is not enough. You have to add this <httpRuntime targetFramework="4.5"/> to application B web.config to make it works.