Sunday, October 28, 2007

Event message: Forms authentication failed for the request. Reason: The ticket supplied has expired.

If you get this error a couple of times per hour:

Event code: 4005
Event message: Forms authentication failed for the request. Reason: The ticket supplied has expired.
Event time: 10/7/2007 2:47:36 PM
Event time (UTC): 10/7/2007 12:47:36 PM
Event ID: dc144643e473474d8cdc4ebf37f274ec
Event sequence: 501
Event occurrence: 64
Event detail code: 50202
Application information:
Application domain: /LM/W3SVC/86188572/Root/foo-4-12836d23d585972500
Trust level: Full
Application Virtual Path: /foo
Application Path: e:\foo
Machine name: hostname
Process information:
Process ID: 1324
Process name: w3wp.exe
Request information:
Request URL: *.aspx
Request path: *.aspx
User host address: x.x.x.x
Is authenticated: False
Authentication Type:
Name to authenticate:
Custom event details:

Probably you have the following scenario:
- multiple websites on the same IIS
- some Asp.Net 1.0/1.1 and some 2.0
- generally happens on 1.1 root and 2.0 subdirs

Why it happens?

It's related to forms authentication. If you use ASP.Net forms authentication on some of the websites 1.1 and 2.0, authentication cookie cannot be decrypted.
That is because in older versions they used 3DES and in 2.0 microsoft uses AES(advanced encryption standard - a Rijndael 128 bits version).
Also it happens because active users that are authenticated will submit a request after the application had restarted. On restart, a new set of encryption/decryption keys are created, so 'old' users won't be able to have their auth cookie decrypted on the next request.

Yes, there is a fix, not that nice but you can use it.

Three options.

1. Extend application logout time and insert sliding expiration(sliding increases expiration time of auth cookie as of last request). Make sure session state has same expiration time as your logout time. Also increase your application pool expiration time. AND make sure your web app doesn't crash (so that it triggers a restart and a new set of keys). You'll get less 4005 messages, but still some.

forms loginurl="login.aspx" protection="all" path="/" timeout="60" slidingexpiration="true"

2. Go to machine.config and setup manually the encryption keys. The same procedure applies for managing webfarms and making sure that all clusters use the same cookie authentication decryption. For all framework versions.

3. Set it up independently per application web.config.
You should insert inside "machineKey" section of your web.config 2 keys, "validationKey" and "decryptionKey". Additionally for 2.0 applications, you should also specify the decryption algorithm "3DES". I know some of you will say that "3DES" is less powerfull than AES. But your purpouse here is to avoid migrating .net 1.0/1.1 web applications to 2.0.

I hope you'll get rid of this message.



Selçuk Yazar said...


Thanks for the article, do you have any examples with 2. 3. options.

Thanks in advance.

Selçuk YAZAR

Dallas Developer said...

I have seen the same warning on Production boxes only.

I have checked to find that we already have the machine key settings in place. The changes in forms authentication settings didn't help.

Finally, found that we are making use of Google Geocoding and I had to take the help of our Network Engineers to open the ports for the web service

details of which can be found in

That fixed the issue for me.

Dallas Developer