Authenticating Across Virtual Directories

Suppose you have an application set up in a way similar to the previous post: essentially a single domain that contains a number of web applications hosted in various virtual directories on the server.

In my previous example, the root of the domain contains the application that handles account management (sign in, password retrieval, account set up, etc.); however, each of the applications in the other virtual directories must also know who is logged in.

Assuming you are using .NET’s built-in authentication mechanisms, this is unlikely to work out of the box. Some configuration needs to happen to allow each of the applications to sync up.

Setting up the web.config file

In MVC 4, Forms Authentication must be set up explicitly in the system.web section:

  <authentication mode="Forms">
    <!-- Optional <forms /> element (login URL, timeout, etc.) goes here -->
  </authentication>
  <!-- Other config settings -->

To ensure that each application can decrypt the authentication ticket in the cookie, they must all share the same machine key; by default IIS assigns each application its own validation and decryption keys for security, so a ticket issued by one application cannot be read by another.

  <machineKey decryptionKey="10FE3824EFDA35A7EE5E759651D2790747CEB6692467A57D" validationKey="E262707B8742B1772595A963EDF00BB0E32A7FACA7835EBE983A275A5307DEDBBB759B8B3D45CA44DA948A51E68B99195F9405780F8D80EE9C6AB46B9FEAB876" />
  <!-- Other config settings -->

Do not use the above key – it is only an example.

These two settings must be shared across each of the applications sitting in the one domain.

Generating a Machine Key

To generate a machine key:

  • Open “Internet Information Services (IIS) Manager” on your development machine.
  • Set up a dummy application so that it won’t affect anything else on the machine.
  • Open up the Machine Key feature in the ASP.NET section.

    [Screenshot: IIS Manager]

  • (1) In the “Validation key” section uncheck “Automatically generate at runtime” and “Generate a unique key for each application”.

    [Screenshot: Machine Key Configuration in the IIS Manager]

  • (2) In the “Decryption key” section uncheck “Automatically generate at runtime” and “Generate a unique key for each application”.
  • (3) Click “Generate Keys” (this will change the keys randomly each time it is pressed).
  • (4) Click “Apply”.

The web.config for this web application will now contain the newly generated machine key in the system.web section. Copy the complete machineKey element to each of the applications that are linked together.

There is an “Explore” link on the site’s main page in IIS Manager that opens Windows Explorer on the folder containing the web site and its web.config file.
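As an added example (not code from the original post), the following PowerShell does the same job as the IIS Manager steps above without the GUI: it generates a machineKey element with the same key sizes as the sample shown earlier (64-byte validation key, 24-byte decryption key) and then checks that every linked web.config carries identical keys and Forms authentication. The file paths at the bottom are hypothetical.

```powershell
# Added example, not from the original post.
function New-MachineKeyElement {
    param([int]$ValidationBytes = 64, [int]$DecryptionBytes = 24)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $v = New-Object byte[] $ValidationBytes
        $d = New-Object byte[] $DecryptionBytes
        $rng.GetBytes($v)
        $rng.GetBytes($d)
    } finally { $rng.Dispose() }
    $hex = { param($bytes) [System.BitConverter]::ToString($bytes) -replace '-', '' }
    # Anyone holding these values can forge a valid forms-authentication ticket for
    # every application that shares them, so keep web.config out of source control.
    '<machineKey validationKey="{0}" decryptionKey="{1}" />' -f (& $hex $v), (& $hex $d)
}

function Test-SharedMachineKey {
    # $ConfigPaths: the web.config of the root application and of each virtual directory app.
    param([string[]]$ConfigPaths)
    $keys = @{}
    foreach ($path in $ConfigPaths) {
        [xml]$cfg = Get-Content -Path $path -Raw
        $web = $cfg.configuration.'system.web'
        if (-not $web.machineKey) {
            Write-Warning "$path : no <machineKey>; IIS will use its own per-application keys here"
            continue
        }
        if ($web.authentication.mode -ne 'Forms') {
            Write-Warning "$path : authentication mode is '$($web.authentication.mode)', not Forms"
        }
        $keys[$path] = "$($web.machineKey.validationKey)|$($web.machineKey.decryptionKey)"
    }
    $distinct = @($keys.Values | Sort-Object -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning ("machineKey differs between: " + ($keys.Keys -join ', '))
    }
    # True only when every listed config has a machineKey and they all match.
    return ($keys.Count -eq $ConfigPaths.Count -and $distinct.Count -eq 1)
}

# Hypothetical paths; replace with the applications linked in your own site.
New-MachineKeyElement
Test-SharedMachineKey -ConfigPaths 'C:\inetpub\wwwroot\web.config', 'C:\inetpub\wwwroot\app1\web.config'
```

Paste the element printed by New-MachineKeyElement into each linked web.config, then run Test-SharedMachineKey to confirm nothing was missed.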

Data Protection Muppets

I’ve mentioned this topic on my blog before with regard to the Royal Bank of Scotland and Intelligent Finance but this time it was related to an insurance claim. The insurance company put me in contact with a company that would do the repairs and all they had to do was arrange a time and date. However, it wasn’t that simple.

Initially things seemed to be going well until the company in question phoned me to change the date because they wouldn’t have the materials in time. However, first they wanted to go through security screening.

Now, the conversation to this point had gone something like this:

Me: Hello
Them: Hello, is that Colin Mackay [pronounced kae – I HATE that!]
Me: Mackay [pronounced correctly – it’s a diphthong, a sliding or gliding vowel that goes from ‘ah’ to ‘ee’] Yes.
Them: This is Martindales. We just need to ask you some security questions before we proceed.
Me: How do I know you are who you say you are?
Them: We are Martindales, your insurance company has appointed us…

The conversation went from bad to worse as I tried to explain that what they are doing is socially conditioning people to hand out sensitive information, and I was then told that they “had to” ask these questions because of the Data Protection Act. The act makes no such requirement. What they have to do is ensure that they are speaking to the correct person so they don’t divulge potentially sensitive information to the wrong person. However, the way they are going about it, while technically in line with the act, is most certainly not within the spirit of the act.

What made it worse was that when I was asked how they could continue the conversation and I gave the solution, they had to ask me no fewer than 3 times how they were going to continue the conversation even though I had given them a solution. After that incident they decided they must not have liked my simple solution and refused to communicate with me at all for a while.

My solution, incidentally, was this. They would phone me and indicate that they need to speak to me. I would then get the phone number from existing documentation (i.e. a trusted source) and phone their switchboard and ask to be put through to the person that needed to talk to me. They can then go through the security questions as I will then know I am talking to the correct party. When they phone me I have no way of knowing who I am talking to. They could be making it up. If they give me a phone number to use I won’t use it. I will only use trusted sources like documentation from my insurance company, or from the booklet that the insurance assessor left me.

Anyway, Martindales eventually decided that they did need to communicate with me about yet another change in date and sent me a letter. Pity it didn’t arrive until two days after the guy was supposed to show up. In fact he did almost arrive, and I only knew about it because they phoned me just to say that he was running a little late. Muppets!


Moving Databases

If you ever move a database from one SQL Server to another you may come across the situation where the logins no longer map to the users in your database (and that’s assuming that the SQL Server you’ve moved the database to has the same logins).

If the new SQL Server does have the same logins then you can fix the mapping by using sp_change_users_login. The neat thing is that if the user and login names already match then there is an “Auto Fix” setting. And if you just don’t know what is mismatched there is a “Report” option too.

NOTE: This was rescued from the Google Cache. The original was dated Saturday 1st July, 2006.
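As an added example (not from the original post), this PowerShell script applies the two options mentioned above in order: 'Report' to list the orphaned users, then 'Auto_Fix' for each one whose login of the same name exists on the new server. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) and Windows authentication; the server and database names are placeholders.

```powershell
# Added example, not from the original post.
function Repair-OrphanedUsers {
    param(
        [string]$ServerInstance = 'SQLSERVER01',   # placeholder
        [string]$Database       = 'MyAppDb'        # placeholder
    )
    # 'Report' returns one row per database user with no matching server login.
    $orphans = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database `
        -Query "EXEC sp_change_users_login 'Report'"
    foreach ($row in @($orphans)) {
        # UserName comes from the database's own principals; escape quotes anyway
        # before embedding it in the T-SQL string.
        $user = $row.UserName -replace "'", "''"
        try {
            # Auto_Fix links the user to the existing login of the same name and fails
            # if no such login exists. (sp_change_users_login is deprecated;
            # ALTER USER [name] WITH LOGIN = [name] is the modern equivalent.)
            Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database `
                -Query "EXEC sp_change_users_login 'Auto_Fix', '$user'" `
                -DisableVariables -ErrorAction Stop
            Write-Output "Re-mapped user '$($row.UserName)'"
        } catch {
            Write-Warning "Could not re-map '$($row.UserName)': $($_.Exception.Message)"
        }
    }
}

Repair-OrphanedUsers -ServerInstance 'SQLSERVER01' -Database 'MyAppDb'
```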


Claiming my blog in technorati

Now that I’ve moved to this new blog I want to claim it with technorati. My previous blog was claimed relatively easily as I recall. However, this time there is a new “Quick Claim” feature. I don’t want to use the “Quick Claim” feature because it requires that I tell technorati my blog’s user name and password, and quite frankly, whatever assurances their privacy policy gives, I’m not handing over that information.

If companies start asking for usernames and passwords to other services a person uses it will desensitise them to the practice and make social engineering easier for the fraudsters. There was a study done about a year ago that showed that many people will hand over passwords for a bar of chocolate. So, perhaps the damage is already done.

Curiously, when I go to make my claim it asks me to choose between different methods of making a claim. Sounds okay. But it only offers me one option. And that is “Quick Claim”.

Any which way you want to look at it, I ain’t handing over that information, whatever the reason. Not even for a bar of chocolate.