Deployment guidance for security update 2638420, as described in MS11-100
Security update 2638420 (described in security bulletin MS11-100) changes the way that ASP.NET creates forms authentication tickets. The new behavior is incompatible with the previous behavior. Tickets that are generated by using the new behavior cannot be read by servers that use the old behavior, and vice versa. Therefore, if you use applications that use forms authentication, you must take specific steps when you deploy security update 2638420 to make sure that all servers use the new behavior concurrently.
Because of the ticket behavior change, administrators whose applications use forms authentication must take specific steps when they deploy security update 2638420 to make sure that all servers switch to the new behavior concurrently.
To determine whether your application uses forms authentication, examine the System.web file. Applications that use forms authentication use the following entry in System.web file:
The default authentication mode is "Windows."
ASP.NET only uses forms authentication if it is explicitly configured to do so.
If you use applications that use forms authentication, you must deploy security update 2638420 by using one of the following methods to make sure that your websites continue to work correctly.
Deploy security update 2638420 to all active servers in your ASP.NET web farm at the same time. To do this, follow these steps:
Remove half of the servers in the web farm from the load balancer rotation.
Install the update on those servers.
Add the servers back into the rotation while concurrently taking the remaining servers offline to be updated.
If you cannot deploy security update 2638420 to all the servers in your web farm concurrently, use this method instead.
Note We do not recommend this method. When you set this switch, you can install the security update on some servers in the web farm and continue to function by using the old behavior. However, servers that use this configuration switch will be in a nonsecure state, and will not benefit from all the fixes in the security update. Therefore, the configuration switch should be removed to enable the new secure behavior as soon as security update 2638420 is deployed to all the servers in the web farm.
Set a compatibility switch in the Web.config or Machine.config file before you install security update 2638420 to force the old behavior when the update is installed. To do this, follow these steps:
Open either the Web.config file or the Machine.config file by using a text editor such as Notepad.
Add the following text to the file, and then save the file:
<add key="aspnet:UseLegacyFormsAuthenticationTicketCompatibility" value="true" />
</appSettings>You do not have to restart the computer or any services after you update and then save the Web.config or Machine.config files. The configuration change notification will automatically cycle the application pool.
You can find the Web.config files in the following locations:
.NET Framework versions 4.0 through 4.5
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\Web.config .NET Framework versions 2.0 – 3.5 SP1
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\Web.config On a 32-bit computer, only the Framework folder will exist. On a 64-bit computer, both the Framework and the Framework64 folders will exist. Therefore, if you have both 32-bit and 64-bit application pools running a mix of CLR 2 + CLR 4, you must add the entry to all four of these files.
If you also add the <appSettings> entry to these config files, the change is applied system-wide.
Ticket decryption fails after security update 2638420 is installed
After the new ticket behavior is enabled, all forms authentication tickets that are generated by using the old behavior will be invalidated. When this issue occurs, end-users are logged off, and server administrators may experience ticket decryption failures.
Also, the following error message is logged in the Event log:
Log Name: Application
Event ID: 1315
Event code: 4005
Event message: Forms authentication failed for the request. Reason: The ticket supplied was invalid.
These failures may cause unexpected behavior. For example, "HTTP 401" or "HTTP 302" errors may occur if the webpages are protected by an <authorization> element.
After you install security update 2638420, administrators can expect to see several of these ticket decryption failures because previously generated tickets are expired. The number and frequency of failures should decrease over time as new tickets are generated. If decryption failures continue for a significant period after the security update is installed, this may indicate that some servers in the web farm are still using the old ticket behavior. For example, the issue may occur if either of the following is true:
One or more servers are not updated with security update 2638420.
One or more have the mentioned compatibility switch set. The compatibility switch is described earlier in this article.
The TicketCompatibilityMode configuration switch is no longer supported
Because security update 2638420 changes the format of forms authentication tickets, the <forms/ticketCompatibilityMode> configuration switch is no longer supported if security update 2638420 is installed and enabled.
For more information about the <forms/ticketCompatibilityMode> configuration switch, visit the following MSDN website:
Post a Comment