Deployment guidance for security update 2638420, as described in MS11-100

Article ID: 2659968

Summary

Security update 2638420 (described in security bulletin MS11-100) changes the way that ASP.NET creates forms authentication tickets. The new behavior is incompatible with the previous behavior. Tickets that are generated by using the new behavior cannot be read by servers that use the old behavior, and vice versa. Therefore, if you use applications that use forms authentication, you must take specific steps when you deploy security update 2638420 to make sure that all servers use the new behavior concurrently.

Deployment guidance

Because of the ticket behavior change, administrators whose applications use forms authentication must take specific steps when they deploy security update 2638420 to make sure that all servers switch to the new behavior concurrently.

To determine whether your application uses forms authentication, examine the <system.web> section of the application's Web.config file. Applications that use forms authentication have the following entry there:
    <authentication mode="Forms">
Notes
  • The default authentication mode is "Windows."
  • ASP.NET only uses forms authentication if it is explicitly configured to do so.
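The check above can be scripted across a farm. The following PowerShell function is an added example and is not part of the KB article; it reads a Web.config as XML and reports whether the <system.web>/<authentication> element carries mode="Forms". The config path is an assumption (point it at each site's Web.config), and the two sample files it writes are constructed for the demonstration.

```powershell
# Added example, not code from the KB article: report whether a Web.config
# enables forms authentication. The config path is an assumption; point it at
# each application's Web.config in the farm.
function Test-FormsAuthentication {
    param([Parameter(Mandatory = $true)][string]$ConfigPath)

    [xml]$config = Get-Content -Path $ConfigPath
    $auth = $config.configuration.'system.web'.authentication
    # With no <authentication> element ASP.NET falls back to the default,
    # "Windows", so only an explicit mode="Forms" counts (-eq ignores case).
    return ($null -ne $auth) -and ($auth.mode -eq 'Forms')
}

# Constructed sample files so the check runs without touching a live site.
$formsSite = @'
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" timeout="30" />
    </authentication>
  </system.web>
</configuration>
'@
$windowsSite = @'
<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" />
  </system.web>
</configuration>
'@
$samples = @{ 'forms-site' = $formsSite; 'windows-site' = $windowsSite }
foreach ($name in $samples.Keys) {
    $path = Join-Path $env:TEMP "$name.web.config"
    Set-Content -Path $path -Value $samples[$name]
    $usesForms = Test-FormsAuthentication -ConfigPath $path
    "{0}: forms authentication = {1}" -f $name, $usesForms
}
```

Only sites for which the function returns True need the coordinated rollout described below; an application that inherits forms authentication from a parent Web.config or Machine.config must be checked at that level as well.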
If you use applications that use forms authentication, you must deploy security update 2638420 by using one of the following methods to make sure that your websites continue to work correctly.

Method 1
Deploy security update 2638420 to all active servers in your ASP.NET web farm at the same time. To do this, follow these steps:
  1. Remove half of the servers in the web farm from the load balancer rotation.
  2. Install the update on those servers.
  3. Add the servers back into the rotation while concurrently taking the remaining servers offline to be updated.
Method 2
If you cannot deploy security update 2638420 to all the servers in your web farm concurrently, use this method instead.

Note: We do not recommend this method. When you set this switch, you can install the security update on some servers in the web farm while the farm continues to function by using the old behavior. However, servers that use this configuration switch are in a nonsecure state and do not benefit from all the fixes in the security update. Therefore, remove the configuration switch to enable the new secure behavior as soon as security update 2638420 is deployed to all the servers in the web farm.

Set a compatibility switch in the Web.config or Machine.config file before you install security update 2638420 to force the old behavior when the update is installed. To do this, follow these steps:
  1. Open either the Web.config file or the Machine.config file by using a text editor such as Notepad.
  2. Add the following text to the file, and then save the file:
    <appSettings>
      <add key="aspnet:UseLegacyFormsAuthenticationTicketCompatibility" value="true" />
    </appSettings>
    You do not have to restart the computer or any services after you update and then save the Web.config or Machine.config files. The configuration change notification automatically cycles the application pool.
You can find the Web.config files in the following locations:

.NET Framework versions 4.0 through 4.5
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\Web.config
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\Web.config
.NET Framework versions 2.0 – 3.5 SP1
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\Web.config
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\Web.config
On a 32-bit computer, only the Framework folder will exist. On a 64-bit computer, both the Framework and the Framework64 folders will exist. Therefore, if you have both 32-bit and 64-bit application pools running a mix of CLR 2 + CLR 4, you must add the entry to all four of these files.

If you also add the <appSettings> entry to these config files, the change is applied system-wide.
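Adding the key to four files by hand, and later remembering to remove it from all four, is where mistakes happen. The PowerShell below is an added example, not Microsoft tooling: it inserts or removes the aspnet:UseLegacyFormsAuthenticationTicketCompatibility entry in a config file through the XML object model, so the edit is idempotent and the removal step is the same command with the flag flipped. The framework-level paths are the ones listed in the article; the demonstration runs against a constructed temporary copy rather than the live files.

```powershell
# Added example, not Microsoft tooling: add or remove the compatibility switch
# from a config file without hand-editing it. Adding is idempotent (one <add>
# even if run twice); removing a key that is absent is a no-op.
$switchKey = 'aspnet:UseLegacyFormsAuthenticationTicketCompatibility'

function Set-LegacyTicketSwitch {
    param(
        [Parameter(Mandatory = $true)][string]$ConfigPath,
        [Parameter(Mandatory = $true)][bool]$Enabled
    )
    [xml]$config = Get-Content -Path $ConfigPath
    $root = $config.SelectSingleNode('/configuration')
    if ($null -eq $root) { throw "$ConfigPath has no <configuration> root" }
    $appSettings = $root.SelectSingleNode('appSettings')

    if ($Enabled) {
        if ($null -eq $appSettings) {
            $appSettings = $root.AppendChild($config.CreateElement('appSettings'))
        }
        $entry = $appSettings.SelectSingleNode("add[@key='$switchKey']")
        if ($null -eq $entry) {
            $entry = $appSettings.AppendChild($config.CreateElement('add'))
            $entry.SetAttribute('key', $switchKey)
        }
        $entry.SetAttribute('value', 'true')   # old ticket format: nonsecure, temporary only
    }
    elseif ($null -ne $appSettings) {
        foreach ($entry in @($appSettings.SelectNodes("add[@key='$switchKey']"))) {
            [void]$appSettings.RemoveChild($entry)   # back to the new secure behavior
        }
    }
    $config.Save($ConfigPath)
}

# Framework-level Web.config paths from the article; on a 64-bit host that
# runs both CLR 2 and CLR 4 application pools, all four need the change.
$frameworkConfigs = foreach ($bitness in 'Framework', 'Framework64') {
    "C:\Windows\Microsoft.NET\$bitness\v4.0.30319\Config\Web.config"
    "C:\Windows\Microsoft.NET\$bitness\v2.0.50727\CONFIG\Web.config"
}

# Self-contained demonstration on a constructed copy rather than the live files:
$demo = Join-Path $env:TEMP 'demo-web.config'
Set-Content -Path $demo -Value '<?xml version="1.0"?><configuration><system.web /></configuration>'
Set-LegacyTicketSwitch -ConfigPath $demo -Enabled $true    # before installing the update
Get-Content -Path $demo
Set-LegacyTicketSwitch -ConfigPath $demo -Enabled $false   # once every farm member is updated
Get-Content -Path $demo

# Against the real files, run as an administrator:
# $frameworkConfigs | Where-Object { Test-Path $_ } |
#     ForEach-Object { Set-LegacyTicketSwitch -ConfigPath $_ -Enabled $true }
```

Run the -Enabled $true form on each server before the update is installed, and the -Enabled $false form on every server in one pass once the last one is updated; because the change notification recycles the application pool, no restart is needed in either direction.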

Known issues

  • Ticket decryption fails after security update 2638420 is installed

    After the new ticket behavior is enabled, all forms authentication tickets that were generated by using the old behavior are invalidated. When this issue occurs, end users are logged off, and server administrators may see ticket decryption failures.

    Also, the following error message is logged in the Event log:

    Log Name: Application
    Event ID: 1315
    Event code: 4005
    Event message: Forms authentication failed for the request. Reason: The ticket supplied was invalid.

    These failures may cause unexpected behavior. For example, "HTTP 401" or "HTTP 302" errors may occur if the webpages are protected by an <authorization> element.

    After you install security update 2638420, administrators can expect to see several of these ticket decryption failures because previously generated tickets are expired. The number and frequency of failures should decrease over time as new tickets are generated. If decryption failures continue for a significant period after the security update is installed, this may indicate that some servers in the web farm are still using the old ticket behavior. For example, the issue may occur if either of the following is true:
    • One or more servers are not updated with security update 2638420.
    • One or more servers have the compatibility switch that is described earlier in this article set.
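The distinction the article draws, a burst of Event ID 1315 failures that tails off versus a steady rate that never drops, is easiest to see as an hourly count per server. The PowerShell below is an added example and not from the KB article: it pulls the Application-log events with the message text quoted above from each farm member, groups them by hour, and warns about any member whose framework-level Web.config still contains the compatibility switch. The hostnames are placeholders; Get-WinEvent requires Windows Vista / Server 2008 or later on both ends, so the Windows Server 2003 and XP systems in the applies-to list cannot be queried this way.

```powershell
# Added example, not from the KB article: after the rollout, count ticket
# decryption failures (Application log, Event ID 1315) per hour on each farm
# member and flag members that still carry the compatibility switch. Hostnames
# are placeholders. Get-WinEvent needs Windows Vista / Server 2008 or later on
# both ends; the Windows Server 2003 and XP systems the article also lists do
# not have it.
$servers   = @('WEB01', 'WEB02')            # placeholder farm members
$since     = (Get-Date).AddHours(-24)
$switchKey = 'aspnet:UseLegacyFormsAuthenticationTicketCompatibility'

function Get-TicketFailureTrend {
    param([string]$ComputerName, [datetime]$StartTime)
    $events = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Application'; Id = 1315; StartTime = $StartTime
    } | Where-Object { $_.Message -match 'The ticket supplied was invalid' }

    # One row per server and hour; a count that stays flat instead of falling
    # points at a member still issuing old-format tickets.
    $events | Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
        Sort-Object Name |
        Select-Object @{ n = 'Server'; e = { $ComputerName } },
                      @{ n = 'Hour';   e = { $_.Name } },
                      Count
}

function Test-LegacySwitchPresent {
    param([string]$ComputerName)
    # Framework-level Web.config paths from the article, reached over the C$ admin
    # share. An application's own Web.config or Machine.config can carry the key
    # too; extend the list with those paths for your sites.
    $paths = foreach ($bitness in 'Framework', 'Framework64') {
        "\\$ComputerName\C$\Windows\Microsoft.NET\$bitness\v4.0.30319\Config\Web.config"
        "\\$ComputerName\C$\Windows\Microsoft.NET\$bitness\v2.0.50727\CONFIG\Web.config"
    }
    foreach ($p in $paths) {
        if ((Test-Path $p) -and (Select-String -Path $p -Pattern $switchKey -SimpleMatch -Quiet)) {
            return $true
        }
    }
    return $false
}

foreach ($s in $servers) {
    Get-TicketFailureTrend -ComputerName $s -StartTime $since | Format-Table -AutoSize
    if (Test-LegacySwitchPresent -ComputerName $s) {
        Write-Warning "$s still has $switchKey set: it is serving the old, nonsecure ticket format."
    }
}
```

A server that is simply not yet updated shows no switch but keeps generating tickets the updated members reject, so a flat failure trend with no warning from the switch check is the signal to compare installed updates across the farm.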

MORE INFORMATION

The TicketCompatibilityMode configuration switch is no longer supported

Because security update 2638420 changes the format of forms authentication tickets, the <forms/ticketCompatibilityMode> configuration switch is no longer supported if security update 2638420 is installed and enabled.

For more information about the <forms/ticketCompatibilityMode> configuration switch, visit the following MSDN website:
General information about the <forms/ticketCompatibilityMode> configuration switch

Properties

Article ID: 2659968 - Last Review: December 29, 2011 - Revision: 1.0
APPLIES TO
  • Microsoft .NET Framework 4
  • Microsoft .NET Framework 3.5 Service Pack 1
  • Microsoft .NET Framework 3.5
  • Microsoft .NET Framework 2.0 Service Pack 2
  • Microsoft .NET Framework 2.0 Service Pack 1 (x86)
  • Microsoft .NET Framework 2.0
  • Microsoft .NET Framework 1.1 Service Pack 1
  • Microsoft .NET Framework 1.1
  • Microsoft .NET Framework 1.0 Service Pack 3
  • Microsoft .NET Framework 1.0
  • Windows 7 Service Pack 1, when used with:
    • Windows 7 Enterprise
    • Windows 7 Professional
    • Windows 7 Ultimate
    • Windows 7 Home Premium
    • Windows 7 Home Basic
  • Windows 7 Enterprise
  • Windows 7 Professional
  • Windows 7 Ultimate
  • Windows 7 Home Premium
  • Windows 7 Home Basic
  • Windows Server 2008 R2 Service Pack 1, when used with:
    • Windows Server 2008 R2 Standard
    • Windows Server 2008 R2 Enterprise
    • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Standard
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 Service Pack 2, when used with:
    • Windows Server 2008 for Itanium-Based Systems
    • Windows Server 2008 Datacenter
    • Windows Server 2008 Enterprise
    • Windows Server 2008 Standard
    • Windows Web Server 2008
  • Windows Vista Service Pack 2, when used with:
    • Windows Vista Business
    • Windows Vista Enterprise
    • Windows Vista Home Basic
    • Windows Vista Home Premium
    • Windows Vista Starter
    • Windows Vista Ultimate
    • Windows Vista Enterprise 64-bit Edition
    • Windows Vista Home Basic 64-bit Edition
    • Windows Vista Home Premium 64-bit Edition
    • Windows Vista Ultimate 64-bit Edition
    • Windows Vista Business 64-bit Edition
  • Microsoft Windows Server 2003 Service Pack 2, when used with:
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
    • Microsoft Windows Server 2003, Web Edition
    • Microsoft Windows Server 2003, Datacenter x64 Edition
    • Microsoft Windows Server 2003, Enterprise x64 Edition
    • Microsoft Windows Server 2003, Standard x64 Edition
    • Microsoft Windows XP Professional x64 Edition
    • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
    • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows XP Service Pack 3, when used with:
    • Microsoft Windows XP Home Edition
    • Microsoft Windows XP Professional
Keywords: 
atdownload kbbug kbExpertiseInter kbfix kbsecbulletin kbsecurity kbsecvulnerability KB2659968
