ASP.NET FormsAuthentication.Authenticate always returns false?

I just bumped into the most peculiar ASP.NET behavior.

I have a very simple ASP.NET web site, which is using Forms authentication, with the usernames and passwords hard-coded into the web.config file:

<authentication mode="Forms">
    <forms loginUrl="Login.aspx">
        <credentials>
            <user name="Overlord" password="f$3ds@1a" />
        </credentials>
    </forms>
</authentication>

In my site I have a Login.aspx page, which just has an ASP.NET Login control and no code behind it. I’ve tested this page and it works fine - I’m able to log in, do stuff, and log out.

Then I wanted to add a web service, and I wanted to authenticate the web service call against the entries in the web.config file. Here’s a simple re-creation:

[WebMethod(EnableSession=true)]
public string DoSomething(string username, string password) {
    if (!FormsAuthentication.Authenticate(username, password)) {
        throw new AuthenticationException();
    }
    return "Hello world!";
}

For some reason when I passed in the username and password, the FormsAuthentication.Authenticate method always returned false, even though the password was correct, and the exact same combination worked on my Login page.

I searched for a good half-hour trying to find out why it wasn’t working. Then, I tried specifying the passwordFormat inside the credentials section of the web.config file:

<authentication mode="Forms">
    <forms loginUrl="Login.aspx">
        <credentials passwordFormat="Clear">
            <user name="Overlord" password="f$3ds@1a" />
        </credentials>
    </forms>
</authentication>

Once I did that, everything worked fine!

It seems that FormsAuthentication.Authenticate doesn’t assume a “default” value (Clear) even though the ASP.NET login controls do seem to assume Clear. To me, this seems a little inconsistent, but I’m sure they have their reasons. It’s just something to be aware of when using forms authentication and calling FormsAuthentication.Authenticate.

Maybe my passwords are just so secure it thought they were encrypted? :)

6 Responses to “ASP.NET FormsAuthentication.Authenticate always returns false?”

  1. I am experiencing the same problem, but I configured the credentials in aspnetdb. I haven’t solved it yet, but thanks for the tip.

  2. FormsAuthentication.Authenticate only works on web.config membership credentials.
    Try FormsAuthentication.SetAuthCookie

  3. Great! Thanks for sharing, Paul.
    I was pulling my hair out for hours because of this.

    Aaahh… just saw you live in Adelaide. Me too :)

  4. Dearest Paul,

    The FormsAuthentication thing was driving me crazy - it just didn’t want to log in at all.

    Thank you for posting this article :) The damn thing works now!

    -Rowy

  5. very effective to solve

  6. The default for credentials section of config file is a SHA1 hash of the password. This has nothing to do with the controls, but affects how the Authenticate method will Authenticate the password passed to it.
    I recommend always using the hash because if an error is thrown while asp.net parses the config file, it may actually reveal the passwords!
    It is easy to generate SHA1 hashes with System.Security.SHA1CryptoServiceProvider.
    Just call the ComputeHash() method.
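
The hashed-credentials setup that response 6 recommends, as an added example (not code from the original post or its commenters): a C# console program that hashes a password with SHA-1 and prints a credentials section using passwordFormat="SHA1". The class name CredentialHashTool is hypothetical, and the example assumes the stored value is the hexadecimal SHA-1 digest of the password's UTF-8 bytes.

```csharp
using System;
using System.Security;
using System.Security.Cryptography;
using System.Text;

static class CredentialHashTool   // hypothetical name, added example
{
    // Assumption: the stored value is the SHA-1 digest of the password's
    // UTF-8 bytes, written as hexadecimal.
    static string HashForConfig(string password)
    {
        using (SHA1 sha1 = SHA1.Create())
        {
            byte[] digest = sha1.ComputeHash(Encoding.UTF8.GetBytes(password));
            return BitConverter.ToString(digest).Replace("-", "");
        }
    }

    // Read the password without echo so it stays out of shell history.
    static string ReadPassword()
    {
        var sb = new StringBuilder();
        ConsoleKeyInfo key;
        while ((key = Console.ReadKey(true)).Key != ConsoleKey.Enter)
        {
            if (key.Key == ConsoleKey.Backspace) { if (sb.Length > 0) sb.Length--; }
            else if (!char.IsControl(key.KeyChar)) sb.Append(key.KeyChar);
        }
        Console.Error.WriteLine();
        return sb.ToString();
    }

    static int Main(string[] args)
    {
        // Self-check against the published SHA-1 test vector for "abc".
        if (HashForConfig("abc") != "A9993E364706816ABA3E25717850C26C9CD0D89D")
        {
            Console.Error.WriteLine("SHA-1 self-check failed");
            return 1;
        }
        if (args.Length != 1) { Console.Error.WriteLine("usage: CredentialHashTool <username>"); return 2; }
        Console.Error.Write("Password: ");
        string hash = HashForConfig(ReadPassword());
        Console.WriteLine("<credentials passwordFormat=\"SHA1\">");
        Console.WriteLine("    <user name=\"{0}\" password=\"{1}\" />", SecurityElement.Escape(args[0]), hash);
        Console.WriteLine("</credentials>");
        return 0;
    }
}
```

The value is an unsalted SHA-1 digest, so it keeps the cleartext out of web.config and out of configuration error pages but does not replace restricting access to the file itself. On the .NET Framework, FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1") produces this kind of value as well.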
