Skip to main content

Forms Based Authentication Login Loop


Users are not able to log in to Forms Based Authentication enabled web application. After providing username and password (or whatever method of authentication is defined) and proceeding with Login, the user is presented with the login screen again therefore unable to log on.

This was verified using multiple browsers and experienced by multiple users on different machines.


Forms Authentication Token is considered "invalid" upon receipt on the FBA applications

  1. Review the Application Event log of the application host for "invalid" token responses.

  2. Using command "Javascript:Document.cookie" verify an Authentication Token was generated and received by the client browser.


Common causes for this type of behavior:

Incorrect Clock Time / Timezone:

The Operating System time was within the normal tolerance. The time was sync'd to within 5 seconds between the SecureAuth appliance and the Application host server.

Cookie (DNS) Domain mismatches:

Verify no changes have been made to the architecture of the application. The URLs presented in the browsers should be reviewed and confirmed accurate.

Forms Authentication Key mismatch between applications:

The forms auth token shared secret configured in the web.config files or within the WebAdmin were verified as matching on both the SecureAuth appliance and the Application host.

ASP.NET Encryption level mismatches:

There have been several .NET Framework patches released over the past year. MS 10-070 and MS11-100 are two specific patches which change the method of encryption used by the framework and forms authentication. We attempted to compare the patch level of the SecureAuth appliance and the application host, but were unable to be 100 percent certain the patch levels were matching. As a possible work around we attempted to enabled the use of Legacy Encryption as defined in this Microsoft Technet Article however this did not have the desired affect.

General Operating System patching mismatches:

Attempt best effort to compare the patch level of the SecureAuth appliance and the application host.