I'm attempting to do a cross-application SSO between three web-sites I maintain. Two of them are running under .NET 4.0 while the other is running under 2.0. The main site is 4.0, while the remaining 4.0 and 2.0 sites are children running under the main. Both web.configs for the 4.0 and 2.0 sites have authentication settings that look like this:
<machineKey decryption="AES" validation="SHA1" decryptionKey="<decryptkey>" validationKey="<validationkey>"/>
<authentication mode="Forms">
<forms name=".MyAuthenticationTicket" domain=".MyDomain-Org" loginUrl="/Login.aspx" path="/" enableCrossAppRedirects="true" protection="All" timeout="43200" cookieless="UseCookies" />
</authentication>
To be clear: right now the site is running my local box, so the domain above is correct, it is pointing to -Org and not .Org.
Problem is, I can sign in to either site, but the .MyAuthenticationTicket is only being created when I log into the 4.0 site, not the 2.0 site. When I log into that one, no ticket is created. I, however, did discover that when I do log in to it, an ASP.NET_SessionId cookie is created and when I delete that, I am logged out of the 2.0 site. Regardless, I still haven't been able to achieve SSO for my sites.
So... what am I doing wrong here? Anyone have any ideas? Is there a setting I'm missing here?
If you want your ticket to be compatible across versions, you need to set the compatibility version of the forms authentication ticket in your 4.0 applications.