Select the product you need help with
- Internet Explorer
- Windows Phone
- More products
Deployment guidance for security update 2638420, as described in MS11-100
Article ID: 2659968 - View products that this article applies to.
Security update 2638420 (described in security bulletin MS11-100) changes the way that ASP.NET creates forms authentication tickets. The new behavior is incompatible with the previous behavior. Tickets that are generated by using the new behavior cannot be read by servers that use the old behavior, and vice versa. Therefore, if you use applications that use forms authentication, you must take specific steps when you deploy security update 2638420 to make sure that all servers use the new behavior concurrently.
Deployment guidanceBecause of the ticket behavior change, administrators whose applications use forms authentication must take specific steps when they deploy security update 2638420 to make sure that all servers switch to the new behavior concurrently.
To determine whether your application uses forms authentication, examine the System.web file. Applications that use forms authentication use the following entry in System.web file:
Deploy security update 2638420 to all active servers in your ASP.NET web farm at the same time. To do this, follow these steps:
If you cannot deploy security update 2638420 to all the servers in your web farm concurrently, use this method instead.
Note We do not recommend this method. When you set this switch, you can install the security update on some servers in the web farm and continue to function by using the old behavior. However, servers that use this configuration switch will be in a nonsecure state, and will not benefit from all the fixes in the security update. Therefore, the configuration switch should be removed to enable the new secure behavior as soon as security update 2638420 is deployed to all the servers in the web farm.
Set a compatibility switch in the Web.config or Machine.config file before you install security update 2638420 to force the old behavior when the update is installed. To do this, follow these steps:
.NET Framework versions 4.0 through 4.5
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\Web.config.NET Framework versions 2.0 – 3.5 SP1
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\Web.configOn a 32-bit computer, only the Framework folder will exist. On a 64-bit computer, both the Framework and the Framework64 folders will exist. Therefore, if you have both 32-bit and 64-bit application pools running a mix of CLR 2 + CLR 4, you must add the entry to all four of these files.
If you also add the <appSettings> entry to these config files, the change is applied system-wide.
The TicketCompatibilityMode configuration switch is no longer supported
Because security update 2638420 changes the format of forms authentication tickets, the <forms/ticketCompatibilityMode> configuration switch is no longer supported if security update 2638420 is installed and enabled.
For more information about the <forms/ticketCompatibilityMode> configuration switch, visit the following MSDN website:
General information about the <forms/ticketCompatibilityMode> configuration switch
Article ID: 2659968 - Last Review: December 29, 2011 - Revision: 1.0