I have a .NET 4.0 application with a 2.0 application as a child. The web applications are not in a multi-server environment; only one server is involved in serving these requests. Both applications are using custom authentication and both applications have the same machineKey attributes and values. When I visit the 2.0 application the event log is showing the following message:
Event code: 4005
Event message: Forms authentication failed for the request. Reason: The ticket supplied was invalid.
Event time: 12/2/2011 11:36:49 AM
Event time (UTC): 12/2/2011 5:36:49 PM
Event ID: 2068ad6957964f75885301fc2b58ddfe
Event sequence: 2
Event occurrence: 1
Event detail code: 50201
I tried setting the ticketCompatibilityMode attribute to Framework20 on the forms element in the Web.config, but that didn't solve the issue. Because of this error, the user isn't being authorized, and as a result the usual objects (HttpContext) isn't being populated with the user information.
Does anyone know how to fix this error so authentication will work for the 2.0 application? (As an aside, I do plan on getting the 2.0 application upgraded to 4.0, but it isn't in the cards to complete at this time)
In case someone comes across this same issue, I was able to fix this error by adding some entries to the <appSettings> section of my .NET 2.0 application's Web.config. The added entries were:
<add key="aspnet:UseLegacyEncryption" value="true" />
<add key="aspnet:UseLegacyMachineKeyEncryption" value="true" />
Edit (2012-05-04): After installing Security Bulletin MS11-100 on the server, the authentication once again broke on the 2.0 application. Adding the following to the Web.config of the 4.0 application fixed the issue:
<add key="aspnet:UseLegacyFormsAuthenticationTicketCompatibility" value="true" />