Tags: asp.net, .net-4.0, .net-2.0, forms-authentication, single-sign-on

Why would a cookie that is visible in a request in Fiddler not be available in the Request.Cookies collection?


I'm doing SSO between a .NET 2.0 site and a .NET 4.0 site using the same domain but different subdomains. Everything works fine in the development environment on a single machine, but I can't get the 4.0 production site to accept the auth cookie that's generated by the 2.0 production site. These two sites are on separate servers, one running IIS 6 with only the 2.0 framework installed, and the other running IIS 7.5 with the 4.0 framework installed. I've read all the other answers to other questions that point out problems with the <machineKey> element and the <authentication><forms> element and, trust me, all of that stuff is set up properly and all 4 sites have the exact same property values for those elements.

At first I thought it was an issue with encryption, but when I took a closer look at what was going on with Fiddler I saw that the auth cookie is being correctly passed in the request, but seems to disappear at some point and is then not available in the Request.Cookies collection.

The 4.0 production site is behind a load balancer, but there are currently no other servers online in the web farm. Could the load balancer be dropping the cookie somehow? Is the cookie not added to the Request.Cookies collection because it's not a valid auth cookie? If so, why isn't it valid?

To sum up, when I execute the following on the requested page:

HttpCookie AuthCookie = Request.Cookies.Get(".SSOAUTH");

AuthCookie is null, even though I can see a cookie with that name in the request headers in Fiddler.


Solution

  • The authentication ticket might not be valid due to different encryption algorithms on each server. This can happen when some MS security updates are applied to one server but not the other. If the cookie does not contain a valid value it will not be added to the Request.Cookies collection, even though it is passed in the request.
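The answer above says the cookie is on the wire but gets dropped before it reaches Request.Cookies because FormsAuthenticationModule could not validate the ticket. The following is an added diagnostic example, not code from the question or the answer, that makes this visible on the receiving (.NET 4.0) site: it parses the raw Cookie request header itself, compares that with Request.Cookies, and then hands the raw value to FormsAuthentication.Decrypt so the actual failure (MAC/decryption mismatch, expiry, or a cookie that never arrived) is reported instead of a silent null. The cookie name ".SSOAUTH" is taken from the question; everything else (class and method names) is illustrative.

```csharp
// Added diagnostic example (not part of the original question or answer).
// Call AuthCookieDiagnostics.Explain(Request) from Page_Load on the site
// that is rejecting the ticket and write the result to a log or the page.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;

public static class AuthCookieDiagnostics
{
    // Name from the question; must match <forms name="..."> on both sites.
    private const string CookieName = ".SSOAUTH";

    // Parse the raw Cookie header exactly as the browser sent it. This is
    // independent of Request.Cookies, so it shows cookies the module removed.
    public static Dictionary<string, string> ParseRawCookieHeader(string header)
    {
        var result = new Dictionary<string, string>(StringComparer.Ordinal);
        if (string.IsNullOrEmpty(header)) return result;

        foreach (string pair in header.Split(';'))
        {
            string trimmed = pair.Trim();
            int eq = trimmed.IndexOf('=');
            if (eq <= 0) continue;                      // skip malformed fragments
            result[trimmed.Substring(0, eq)] = trimmed.Substring(eq + 1);
        }
        return result;
    }

    public static string Explain(HttpRequest request)
    {
        Dictionary<string, string> raw = ParseRawCookieHeader(request.Headers["Cookie"]);
        string rawValue;
        bool onTheWire   = raw.TryGetValue(CookieName, out rawValue);
        bool inCollection = request.Cookies[CookieName] != null;

        if (!onTheWire)
            return CookieName + " was not in the Cookie header: check the cookie's "
                 + "domain/path attributes and anything in front of IIS (load balancer).";

        if (inCollection)
            return CookieName + " arrived and is in Request.Cookies; look elsewhere.";

        // Sent by the client but absent from Request.Cookies: FormsAuthenticationModule
        // removed it because the ticket failed validation/decryption or was expired.
        // Decrypting the raw value ourselves reveals which.
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(rawValue);
            if (ticket == null)
                return "Decrypt returned null: ticket not valid under this server's machineKey.";
            if (ticket.Expired)
                return "Ticket decrypts but expired at " + ticket.Expiration.ToString("u")
                     + ": compare clocks and <forms timeout> on both servers.";
            return "Ticket decrypts for user '" + ticket.Name + "'; it was stripped for another reason.";
        }
        catch (Exception ex)
        {
            // Decrypt surfaces a bad MAC or key mismatch as an exception
            // (typically HttpException "Unable to validate data", CryptographicException,
            // or ArgumentException for a malformed hex value).
            return "Decrypt failed (" + ex.GetType().Name + "): " + ex.Message
                 + ". The 2.0 and 4.0 sites are not using the same validation/decryption keys or algorithms.";
        }
    }
}
```

When checking the two web.config files, compare the effective algorithms and not only the key values: the .NET 4.0 machineKey defaults to HMACSHA256 for validation, while .NET 2.0 defaults to SHA1, so both <machineKey> elements should state validation and decryption explicitly and identically rather than relying on defaults.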