I am implementing a single sign-on system in ASP.Net. The technique I am
using is as defined by Paul Sheriff, in the MSDN article Single Sign-On
Enterprise Security for Web Applications.

[url]http://msdn.microsoft.com/asp.net/using/understanding/security/default.aspx?pull=/library/en-us/dnaspp/html/singlesignon.asp[/url]

I am running into a problem with the Forms Authentication on the internal
web site side. The article provides for the Internal Website (i.e. that one
called by a launcher app) to be secured using Forms Authentication, where
internal users connect to an AppLogin.aspx page, passing a security token,
generated by a launching application. The token is checked on the
AppLogin.aspx Page_Load.

My problem is I never get to the AppLogin.aspx Page_Load because I have not
authenticated. Instead I get to Login.aspx which is the loginUrl defined in
my Webconfig...

<authentication mode="Forms">
<forms name="SignOnTest" loginUrl="Login.aspx" />
</authentication>

The download sample for the article does not work properly as the webconfig
there has...

<authorization>
<allow users="*" />
</authorization>

which I believe negates the Forms Authentication.

My webconfig has this...

<authorization>
<deny users="?" />
</authorization>


If I change that the download behaves as my code does, and never gets to the
page that checks the security token passed by the launching app.

Does anybody have any ideas; I must be missing something obvious.

Much appreciated,

Justin