If you get this error a couple of times per hour:
Event code: 4005
Event message: Forms authentication failed for the request. Reason: The ticket supplied has expired.
Event time: 10/7/2007 2:47:36 PM
Event time (UTC): 10/7/2007 12:47:36 PM
Event ID: dc144643e473474d8cdc4ebf37f274ec
Event sequence: 501
Event occurrence: 64
Event detail code: 50202
Application domain: /LM/W3SVC/86188572/Root/foo-4-12836d23d585972500
Trust level: Full
Application Virtual Path: /foo
Application Path: e:\foo
Machine name: hostname
Process ID: 1324
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE
Request URL: *.aspx
Request path: *.aspx
User host address: x.x.x.x
Is authenticated: False
Thread account name: NT AUTHORITY\NETWORK SERVICE
Name to authenticate:
Custom event details:
Probably you have the following scenario:
- multiple websites on the same IIS
- some Asp.Net 1.0/1.1 and some 2.0
- generally happens on 1.1 root and 2.0 subdirs
Why it happens?
It's related to forms authentication. If you use ASP.Net forms authentication on some of the websites 1.1 and 2.0, authentication cookie cannot be decrypted.
That is because in older versions they used 3DES and in 2.0 microsoft uses AES(advanced encryption standard - a Rijndael 128 bits version).
Also it happens because active users that are authenticated will submit a request after the application had restarted. On restart, a new set of encryption/decryption keys are created, so 'old' users won't be able to have their auth cookie decrypted on the next request.
Yes, there is a fix, not that nice but you can use it.
1. Extend application logout time and insert sliding expiration(sliding increases expiration time of auth cookie as of last request). Make sure session state has same expiration time as your logout time. Also increase your application pool expiration time. AND make sure your web app doesn't crash (so that it triggers a restart and a new set of keys). You'll get less 4005 messages, but still some.
forms loginurl="login.aspx" protection="all" path="/" timeout="60" slidingexpiration="true"
2. Go to machine.config and setup manually the encryption keys. The same procedure applies for managing webfarms and making sure that all clusters use the same cookie authentication decryption. For all framework versions.
3. Set it up independently per application web.config.
You should insert inside "machineKey" section of your web.config 2 keys, "validationKey" and "decryptionKey". Additionally for 2.0 applications, you should also specify the decryption algorithm "3DES". I know some of you will say that "3DES" is less powerfull than AES. But your purpouse here is to avoid migrating .net 1.0/1.1 web applications to 2.0.
I hope you'll get rid of this message.