ichi.co.uk

Using ASP.Net Forms Authentication on Load Balanced Servers

We recently started using HAProxy to load balance between two application servers for both HTTP and HTTPS traffic. It was really easy to get working, has worked great so far and we’re really pleased with it. The only issue we had was with our login cookies, which are set via FormsAuth. Over HTTP, HAProxy uses a cookie to keep each visitor ‘stuck’ to the same server, but our visitors log in over HTTPS and can land on a different server from the one they were stuck to. HAProxy can’t read a cookie from an SSL stream because the connection isn’t terminated at the proxy; it is still terminated at the web application server (you can terminate HTTPS connections at the proxy by installing a web server on it as well, though). For us, however, this was an easy fix.

From the Microsoft article on FormsAuth:

If you deploy your application in a Web farm, you must ensure that the configuration files on each server share the same value for validationKey and decryptionKey, which are used for hashing and decryption respectively. This is required because you cannot guarantee which server will handle successive requests.

With manually generated key values, the <machineKey> settings should be similar to the following example.

<machineKey
  validationKey="21F090935F6E49C2C797F69BBAAD8402ABD2EE0B667A8B44EA7DD4374267A75D7AD972A119482D15A4127461DB1DC347C1A63AE5F1CCFAACFF1B72A7F0A281B"
  decryptionKey="ABAA84D7EC4BB56D75D217CECFFB9628809BDB8BF91CFCD64568A145BE59719F"
  validation="SHA1"
  decryption="AES"
/>

If you want to isolate your application from other applications on the same server, place the <machineKey> in the Web.config file for each application on each server in the farm. Ensure that you use separate key values for each application, but duplicate each application’s keys across all servers in the farm.

To generate a machine key, simply go to this handy web page and generate a new key. You can then add it either just after the opening <system.web> tag in your application’s local web.config, or to the root web.config in your .NET installation folder (something like C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config).

After you have done this on all your servers, you can check them all by going into IIS and opening the Machine Key feature, where you can see whether each server is using the correct keys.
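The generate, copy and check steps above as an added PowerShell example (this is not the post’s own script): it generates the keys locally, writes the same values into each server’s web.config under <system.web>, and reads them back so you can confirm every server in the farm matches. The UNC paths are assumptions; validation="SHA1" mirrors the snippet above.

```powershell
# Added example (not from the original post): generate machineKey values locally,
# write the same values into each server's web.config under <system.web>, then
# read them back to confirm the farm matches. UNC paths are hypothetical;
# validation="SHA1" mirrors the post's snippet (HMACSHA256 is the .NET 4.x default).

function New-HexKey {
    param([int]$Bytes)
    $buf = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($buf)   # cryptographically random, generated on your own machine
    $rng.Dispose()
    return ([System.BitConverter]::ToString($buf) -replace '-', '')
}

function Set-MachineKey {
    param([string]$ConfigPath, [string]$ValidationKey, [string]$DecryptionKey,
          [string]$Validation = 'SHA1', [string]$Decryption = 'AES')
    [xml]$cfg = Get-Content -Path $ConfigPath -Raw
    $systemWeb = $cfg.SelectSingleNode('/configuration/system.web')
    if ($null -eq $systemWeb) { $systemWeb = $cfg.DocumentElement.AppendChild($cfg.CreateElement('system.web')) }
    $mk = $systemWeb.SelectSingleNode('machineKey')
    if ($null -eq $mk) { $mk = $systemWeb.AppendChild($cfg.CreateElement('machineKey')) }
    $mk.SetAttribute('validationKey', $ValidationKey)
    $mk.SetAttribute('decryptionKey', $DecryptionKey)
    $mk.SetAttribute('validation', $Validation)
    $mk.SetAttribute('decryption', $Decryption)
    $cfg.Save($ConfigPath)
}

function Get-MachineKey {
    param([string]$ConfigPath)
    [xml]$cfg = Get-Content -Path $ConfigPath -Raw
    $mk = $cfg.SelectSingleNode('/configuration/system.web/machineKey')
    $v = if ($null -ne $mk) { $mk.GetAttribute('validationKey') } else { '<missing>' }
    $d = if ($null -ne $mk) { $mk.GetAttribute('decryptionKey') } else { '<missing>' }
    [pscustomobject]@{ Path = $ConfigPath; ValidationKey = $v; DecryptionKey = $d }
}

# 64-byte validationKey (128 hex chars) and 32-byte AES decryptionKey (64 hex chars)
$validationKey = New-HexKey -Bytes 64
$decryptionKey = New-HexKey -Bytes 32

$configs = @('\\web01\c$\inetpub\myapp\web.config', '\\web02\c$\inetpub\myapp\web.config')
foreach ($path in $configs) {
    Set-MachineKey -ConfigPath $path -ValidationKey $validationKey -DecryptionKey $decryptionKey
}
# One group means every server agrees; more than one group means a mismatch to fix
$configs | ForEach-Object { Get-MachineKey -ConfigPath $_ } |
    Group-Object ValidationKey, DecryptionKey | Select-Object Count, Name
```

Run it once from an admin workstation that can reach each server’s share, rather than generating keys separately on each box.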

However, after doing this it still wasn’t working for us. After a little digging about we realised we hadn’t installed any Windows Updates on the new server. I think it was specifically this one that was stopping it working, but after a full update and a reboot it all worked just fine.

An easy way to copy your ssh public key to a remote host using ssh-copy-id on OSX

Here is a good little tip to save you some time uploading your public key to a remote host (tested to work on OSX Lion).

ssh-copy-id copies your key up to a remote host (over ssh, using your password) and even sets the correct permissions on your home directory, ~/.ssh and ~/.ssh/authorized_keys for you.

For some reason it doesn’t ship with OSX, but you can just copy it from a remote Linux host and it’ll work fine.

First copy ssh-copy-id down from your remote host…

sudo scp user@host.mydomain.com:/usr/bin/ssh-copy-id /usr/bin

Make sure it has execute permissions with…

sudo chmod +x /usr/bin/ssh-copy-id

Upload your key to the remote host (this will ask you for your password)…

ssh-copy-id -i ~/.ssh/id_rsa.pub user@host.mydomain.com

You should see output like this…

Now try logging into the machine, with "ssh 'user@host.mydomain.com'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

Hopefully, that’s it. Next time you want to copy your public key up to a new host, you’ll just need to do the final step each time.

If you get the error “/usr/bin/ssh-copy-id: ERROR: No identities found” when you try to copy your key up, it’s basically because it can’t find the local public key file you’ve specified (~/.ssh/id_rsa.pub in the example above). Have a look in your ~/.ssh/ to see if your public key is there and what the file is called (I’ve seen id_dsa.pub before as well).