Forms authentication failed for the request. Reason: The ticket supplied was invalid. (Solution)

When you turn on a web garden (multiple processes per application
pool) or move to a load-balanced, multi-server deployment where several
servers serve the same website, you will run into Forms Authentication
problems. Users get logged out automatically or frequently see the
Yellow Screen of Death (the ASP.NET error page). This happens
because ASP.NET encrypts the login information in a cookie, but the
encryption key is unique for each machine and for each process. So,
if a user hits Server #1 and gets an encrypted cookie, and then the
next hit goes to Server #2, that server fails to decrypt the cookie and
either logs the user out or shows the ASP.NET general error message.

In order to prevent this on your production server, you need to
remember this before you go live:

A forms auth ticket normally fails because
either the validation key or the decryption key is not in sync
across all servers in a web farm. Another potential reason is
that both ASP.NET 1.1 and ASP.NET 2.0 applications are issuing forms
auth tickets with the same domain and path.

For the first case, setting the validationKey and decryptionKey
attributes explicitly on <machineKey> on each web server
will solve the problem.

For the second case, setting the validationKey and decryptionKey
attributes explicitly in <machineKey> for *both* the
ASP.NET 1.1 and ASP.NET 2.0 applications is necessary. Additionally,
on the ASP.NET 2.0 apps, the “decryption” attribute in <machineKey>
should be set to “3DES”.

This is what I learned from Stefan Schackow (Microsoft Atlas
team). Here’s how the machine.config should look:

    <system.web>
      <processModel autoConfig="true" />
      <machineKey validationKey="…" decryptionKey="…" validation="SHA1" />
    </system.web>

<machineKey> is the node that you need to introduce inside
the <system.web> node if it does not exist.
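One way to check that every node in the farm really carries the same explicit keys, as an added example that is not part of the original post. It compares a hash of the machineKey settings so the keys themselves are never printed; the function names, server names and key values are assumptions constructed for illustration, and in practice the XML would come from each server's machine.config or web.config.

```powershell
# Added example: compare machineKey settings across farm nodes without printing keys.
# Server names and key values below are constructed sample data, not real keys.
function Get-MachineKeyStatus {
    param([Parameter(Mandatory)][string]$Server, [Parameter(Mandatory)][string]$ConfigXml)
    # local-name() keeps the lookup working when the config root declares an xmlns
    $node = ([xml]$ConfigXml).SelectSingleNode("//*[local-name()='system.web']/*[local-name()='machineKey']")
    if ($null -eq $node) {
        # No element in this file: keys are inherited or auto-generated, not pinned here
        return [pscustomobject]@{ Server = $Server; Status = 'NoMachineKey'; Fingerprint = '' }
    }
    $vk = $node.GetAttribute('validationKey')
    $dk = $node.GetAttribute('decryptionKey')
    if (-not $vk -or -not $dk -or "$vk,$dk" -match 'AutoGenerate') {
        # Auto-generated keys differ per machine and process, the failure the post describes
        return [pscustomobject]@{ Server = $Server; Status = 'AutoGenerate'; Fingerprint = '' }
    }
    $settings = ($vk, $dk, $node.GetAttribute('validation'), $node.GetAttribute('decryption')) -join '|'
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $hash = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($settings.ToUpperInvariant()))
    } finally { $sha.Dispose() }
    $fp = -join ($hash[0..7] | ForEach-Object { $_.ToString('x2') })
    [pscustomobject]@{ Server = $Server; Status = 'Explicit'; Fingerprint = $fp }
}

function Test-MachineKeySync {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Farm)
    $report = foreach ($name in $Farm.Keys) {
        Get-MachineKeyStatus -Server $name -ConfigXml $Farm[$name]
    }
    $prints = @($report | Where-Object { $_.Status -eq 'Explicit' } |
        ForEach-Object { $_.Fingerprint } | Sort-Object -Unique)
    $allExplicit = @($report | Where-Object { $_.Status -ne 'Explicit' }).Count -eq 0
    [pscustomobject]@{ InSync = ($allExplicit -and $prints.Count -eq 1); Nodes = $report }
}

$sample = [ordered]@{
    WEB01 = '<configuration><system.web><machineKey validationKey="AA11" decryptionKey="BB22" validation="SHA1" /></system.web></configuration>'
    WEB02 = '<configuration><system.web><machineKey validationKey="AA11" decryptionKey="CC33" validation="SHA1" /></system.web></configuration>'
    WEB03 = '<configuration><system.web><processModel autoConfig="true" /></system.web></configuration>'
}
$result = Test-MachineKeySync -Farm $sample
$result.Nodes | Format-Table -AutoSize
"In sync: $($result.InSync)"
```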

Catch No 1:

How do you generate the machine key? You need to use a utility
to produce the key for your PC. I have made a .exe which can
generate such keys for you. Here’s how you run it:

SecurityKey.exe 24 64

Download here

It takes two parameters and these are the exact values you have
to provide.

For super cautious IT guys like me, don’t worry, it’s a .NET 2.0
binary, no virus. Test the strength of your anti-virus software on
this .exe if you like. If it can’t find any virus then either I’m
smarter than you and have hidden a virus successfully or there’s no
virus at all and I am not as smart as I sound.
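The same kind of key material can be produced locally from the operating system's cryptographic random number generator, so the keys never pass through a downloaded binary. This is an added example, not the author's SecurityKey.exe, whose internals are not shown on the page; the function names and the -TripleDes switch are hypothetical, and it assumes 24 and 64 are key lengths in bytes.

```powershell
# Added example: build a <machineKey> element from CSPRNG output.
# Assumption: 24 and 64 are byte counts (24 -> 48 hex characters, 64 -> 128 hex characters).
function New-HexKey {
    param([Parameter(Mandatory)][ValidateRange(8, 64)][int]$ByteCount)
    $bytes = New-Object byte[] $ByteCount
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    # Two upper-case hex digits per byte, no separators
    -join ($bytes | ForEach-Object { $_.ToString('X2') })
}

function New-MachineKeyElement {
    param(
        [int]$DecryptionBytes = 24,
        [int]$ValidationBytes = 64,
        # Set for ASP.NET 2.0 apps, where the post says decryption should be "3DES"
        [switch]$TripleDes
    )
    $vk = New-HexKey -ByteCount $ValidationBytes
    $dk = New-HexKey -ByteCount $DecryptionBytes
    $element = '<machineKey validationKey="{0}" decryptionKey="{1}" validation="SHA1"' -f $vk, $dk
    if ($TripleDes) { $element += ' decryption="3DES"' }
    "$element />"
}

# Generate once, then put the identical element in the config on every server
New-MachineKeyElement -TripleDes
```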

Catch No 2:

You have put the machine keys on both machines. Restarted IIS.
Even restarted your server. But you still see lots of Event Log
error entries which show users are still getting the dreaded
“Forms authentication failed for the request. Reason: The ticket
supplied was invalid”. So, what did you do wrong? You call
Microsoft support. You go to forums and post. Everyone says what
you did is correct.

Here’s what you need to do: wait. Wait for 2 or 3 days until all
those users come back to your website at least once. Those users
will have cookies encrypted with the previously assigned encryption key
pair. Naturally, they will fail to decrypt with the new key pair you
have just specified in machine.config. So, until all those users
get a cookie issued under the new keys, you will keep on seeing the error message. Don’t be
alarmed if you see this even after one week or month. This just
means some user visited you after a long time and you are not doing
much good in attracting users to your site. So, if you see such
event log entries after a week or two, call your marketing team and
ask what kind of marketing they are doing.

It would be really good if there was something like “Checklist
for Going Live with ASP.NET” which stated all these issues.

15 thoughts on “Forms authentication failed for the request. Reason: The ticket supplied was invalid. (Solution)”

  1. Thanks, but the exe doesn’t work.

    “unhandled exception: System.IndexOutOfRangeException: Index was outside the bounds of the array at Crypto.KeyCreator.Main(String[] args)”

  2. Chris:

    Thanks, but the exe doesn’t work.

    “unhandled exception: System.IndexOutOfRangeException: Index was outside the bounds of the array at Crypto.KeyCreator.Main(String[] args)”

    —-

    Try supplying the arguments to the program of: 24 64

    You will find that it works fantastically fine.

  3. re: Forms authentication failed for the request. Reason: The ticket supplied was invalid. (Solution) says:

    You must be an expert – a really good site you have!

  4. re: Forms authentication failed for the request. Reason: The ticket supplied was invalid. (Solution) says:

    thanks for that,

    I have another question, here it goes:

    My application runs on .Net 2.0 framework and is installed in three different boxes on a web farm with windows authentication,

    The data posted to any of three servers is along with viewstate and the validation key is Autogenerate,Isolateapps.

    What is your opinion, do I need to update my validation/decryption key with machine key generated??

  5. re: Forms authentication failed for the request. Reason: The ticket supplied was invalid. (Solution) says:

    If you are running same application in multiple process or server, you need to have the same machinekey and validationkey. Otherwise encrypted data from one process/server will not get decrypted when another process/server receives it.

  6. re: Forms authentication failed for the request. Reason: The ticket supplied was invalid. (Solution) says:

    I’m seeing the same message in the eventlog, however I’m not using a webfarm scenario.

    I haven’t quite figured it out. I’m guessing my application crashes, which causes new requests (with previously encrypted tickets) to be validated against different validation- and decryption keys (probably autogenerated on app restart). Sad thing is that my eventlog does not mention app crashes (or recycles), and because of the crash, my logging-features don’t get a chance to log the reason…

  8. What if protection is None i.e. no encryption configured in forms authentication ?

  9. re: Forms authentication failed for the request. Reason: The ticket supplied was invalid. (Solution) says:

    Hello!

    I have my asp.net website hosted in webHoster company, and I'm receiving this error too…

    I don't understand why me and some users can navigate in my webpage and some other users receive this error!

    “Forms authentication failed for the request. Reason: The ticket supplied was invalid”

    I already have a machine Key applied in my webconfig!

  10. re: Forms authentication failed for the request. Reason: The ticket supplied was invalid. (Solution) says:

    I too am receiving this error message in my event log. I am not using a webfarm or multiple servers

  11. re: Forms authentication failed for the request. Reason: The ticket supplied was invalid. (Solution) says:

    Thanks Omar.

    All our applications were .NET 1.1, and we started experiencing this problem when we moved a few of them to .NET 2.0 and kept the decryption using SHA1. Now that I switched to 3DES on the .NET ones, the invalid ticket error seems to have stopped.

    Many thanks!!!

  12. I’m not understanding this issue. I’m a developer and I need to hit a web page I’m developing locally using localhost, i.e. localhost/Website/Default.aspx.

    When I try to log in, I get kicked back to the login page and the invalid error message gets logged.

    I have the machine key defined in the web config of my top level web site (i.e. root directory of my web site in IIS) but not in the machine config. I have the processModel defined in the machine config.

    I’m running Windows Server 2003 and just ran a backlog of Windows updates which initiated this behaviour and I can’t seem to resolve this.

    Can anyone offer some insight or advice?
    Regards

  13. You’re right, just wait, or use a different computer. I couldn’t figure out why the thing would authenticate, kept getting “Reason: The ticket supplied was invalid.” And I knew I shouldn’t be getting it. Went home, tried it from there, worked straight away. Next time I’ll try clearing cookies!
