How do I implement single sign on using forms authentication?

From Guidance Share


J.D. Meier, Prashant Bansode, Alex Mackman


If you need single sign-on to work across multiple applications located in separate virtual directories, you must share a common authentication ticket that every application can decrypt and integrity-check.

To do this, you must manually generate validationKey and decryptionKey values and set them on the <machineKey> element in the machine-level Web.config file. Additionally, you must ensure that the name and path attributes of the <forms> element are the same for each application, otherwise the ticket cookie issued by one application is not presented to, or not accepted by, the others.

To generate cryptographically random keys, use the RNGCryptoServiceProvider class to produce cryptographically strong random bytes and encode them as hexadecimal. The key must be a minimum of 40 hexadecimal characters (20 bytes) and a maximum of 256 hexadecimal characters (64 bytes) long.

using System;
using System.Text;
using System.Security;
using System.Security.Cryptography;

class App
{
    static void Main(string[] argv)
    {
        // Number of hexadecimal characters to emit; defaults to 128 (64 random bytes).
        int len = 128;
        if (argv.Length > 0)
            len = int.Parse(argv[0]);
        // Each random byte becomes two hexadecimal characters.
        byte[] buff = new byte[len / 2];
        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
        rng.GetBytes(buff);   // fill the buffer with cryptographically strong random bytes
        StringBuilder sb = new StringBuilder(len);
        for (int i = 0; i < buff.Length; i++)
            sb.Append(string.Format("{0:X2}", buff[i]));
        Console.WriteLine(sb.ToString());
    }
}

Use the generated keys to configure the machineKey settings in your Web.config file as follows. Run the tool once for each key, so that validationKey and decryptionKey hold separate values.

<machineKey validationKey="Hsbfb636576sahfj\mfhhshnj234235"
            decryptionKey="[your separately generated decryptionKey]"
            validation="SHA1" decryption="Auto" />
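As an added example (not the page's own code), the following Python checker reads the Web.config of each participating application and verifies the two conditions above: explicit, identical machineKey values with distinct validation and decryption keys, and a matching forms name and path. The sample configs and the keys in them are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

def check_sso_config(configs):
    """configs maps app name -> Web.config XML; returns problems ([] = ticket is shareable)."""
    problems, seen = [], {}
    for app, xml in configs.items():
        root = ET.fromstring(xml)
        mk = next(root.iter("machineKey"), None)
        forms = next(root.iter("forms"), None)
        if mk is None or forms is None:
            problems.append(f"{app}: missing machineKey or forms element")
            continue
        vk, dk = mk.get("validationKey", ""), mk.get("decryptionKey", "")
        for label, key in (("validationKey", vk), ("decryptionKey", dk)):
            # AutoGenerate keys differ per machine and per application, so the other
            # apps could neither verify nor decrypt the ticket; keys must be explicit hex.
            if key.startswith("AutoGenerate") or not HEX_RE.match(key):
                problems.append(f"{app}: {label} must be an explicit hex key")
        if HEX_RE.match(vk) and not 40 <= len(vk) <= 256:  # length range stated on this page
            problems.append(f"{app}: validationKey must be 40-256 hex characters")
        if vk and vk == dk:
            problems.append(f"{app}: validationKey and decryptionKey must differ")
        seen[app] = (vk, dk, forms.get("name", ".ASPXAUTH"), forms.get("path", "/"))
    ref = next(iter(seen.values()), None)
    labels = ("validationKey", "decryptionKey", "forms name", "forms path")
    for app, vals in seen.items():
        for label, a, b in zip(labels, ref, vals):
            if a != b:
                problems.append(f"{app}: {label} differs from other applications")
    return problems

def _web_config(validation_key, decryption_key, name, path):
    # Constructed sample Web.config text for one application (not from the page).
    return f"""<configuration><system.web>
  <authentication mode="Forms"><forms name="{name}" path="{path}" loginUrl="login.aspx" /></authentication>
  <machineKey validationKey="{validation_key}" decryptionKey="{decryption_key}"
              validation="SHA1" decryption="Auto" />
</system.web></configuration>"""

# Constructed placeholder keys (128 and 64 hex chars); generate real ones with the tool above.
VKEY, DKEY = "0123456789ABCDEF" * 8, "FEDCBA9876543210" * 4
GOOD = {"app1": _web_config(VKEY, DKEY, ".SSOAUTH", "/"),
        "app2": _web_config(VKEY, DKEY, ".SSOAUTH", "/")}
# app2 left on auto-generated keys and the default cookie name: app1's ticket is rejected there.
BAD = {"app1": _web_config(VKEY, DKEY, ".SSOAUTH", "/"),
       "app2": _web_config("AutoGenerate,IsolateApps", DKEY, ".ASPXAUTH", "/")}
```

Run it against the real Web.config files of every application in the SSO group; any reported line names the application whose ticket the others will reject.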

More Information

For information about how to generate manual key values and MachineKey configuration, see “How To: Configure MachineKey in ASP.NET 2.0 at
