Security update 2638420 (described in security bulletin MS11-100) changes the way that ASP.NET creates forms authentication tickets. The new behavior is incompatible with the previous behavior. Tickets that are generated by using the new behavior cannot be read by servers that use the old behavior, and vice versa. Therefore, if you use applications that use forms authentication, you must take specific steps when you deploy security update 2638420 to make sure that all servers use the new behavior concurrently.
Deployment guidance
Because of the ticket behavior change, administrators whose applications use forms authentication must take specific steps when they deploy security update 2638420 to make sure that all servers switch to the new behavior concurrently.
To determine whether your application uses forms authentication, examine the <system.web> section of the application's Web.config file. Applications that use forms authentication contain the following entry there:
<authentication mode="Forms">
Notes
- The default authentication mode is "Windows".
- ASP.NET only uses forms authentication if it is explicitly configured to do so.
Method 1
Deploy security update 2638420 to all active servers in your ASP.NET web farm at the same time. To do this, follow these steps:
- Remove half of the servers in the web farm from the load balancer rotation.
- Install the update on those servers.
- Add the servers back into the rotation while concurrently taking the remaining servers offline to be updated.
Method 2
If you cannot deploy security update 2638420 to all the servers in your web farm concurrently, use this method instead.
Note: We do not recommend this method. When you set this switch, you can install the security update on some servers in the web farm and continue to function by using the old behavior. However, servers that use this configuration switch will be in a nonsecure state, and will not benefit from all the fixes in the security update. Therefore, the configuration switch should be removed to enable the new secure behavior as soon as security update 2638420 is deployed to all the servers in the web farm.
Set a compatibility switch in the Web.config or Machine.config file before you install security update 2638420 to force the old behavior when the update is installed. To do this, follow these steps:
- Open either the Web.config file or the Machine.config file by using a text editor such as Notepad.
- Add the following text to the file, and then save the file:
<appSettings>
<add key="aspnet:UseLegacyFormsAuthenticationTicketCompatibility" value="true" />
</appSettings>
You do not have to restart the computer or any services after you update and then save the Web.config or Machine.config files. The configuration change notification will automatically cycle the application pool.
If you also add the <appSettings> entry to the following framework-level Web.config files, the change is applied system-wide.
.NET Framework versions 4.0 through 4.5
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\Web.config
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\Web.config
.NET Framework versions 2.0 through 3.5 SP1
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\Web.config
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\Web.config
On a 32-bit computer, only the Framework folder will exist. On a 64-bit computer, both the Framework and the Framework64 folders will exist. Therefore, if you have both 32-bit and 64-bit application pools running a mix of CLR 2 and CLR 4, you must add the entry to all four of these files.
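Because the compatibility switch leaves a server in a nonsecure state and must be removed once the update is everywhere, the following added check (example code, not part of this article or of the ASP.NET product) parses config file contents, reports whether an application is configured for forms authentication, and lists every file that still forces the legacy ticket format. The sample config texts and file paths are constructed for the example.

```python
import xml.etree.ElementTree as ET

LEGACY_KEY = "aspnet:UseLegacyFormsAuthenticationTicketCompatibility"

# Constructed sample configs (not real server files): an application
# Web.config that uses forms authentication with the legacy switch set,
# and a framework-level Web.config that uses the default Windows mode.
APP_WEB_CONFIG = """
<configuration>
  <appSettings>
    <add key="aspnet:UseLegacyFormsAuthenticationTicketCompatibility" value="true" />
  </appSettings>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" />
    </authentication>
  </system.web>
</configuration>
"""

FRAMEWORK_WEB_CONFIG = """
<configuration>
  <system.web>
    <authentication mode="Windows" />
  </system.web>
</configuration>
"""

def audit_config(xml_text):
    """Return (uses_forms_auth, legacy_switch_on) for one config file's text."""
    root = ET.fromstring(xml_text.strip())
    uses_forms = any(el.get("mode", "").lower() == "forms"
                     for el in root.iter("authentication"))
    legacy_on = False
    # Only <add key=...> entries under <appSettings> count; a later entry
    # with the same key overrides an earlier one, as ASP.NET applies them.
    for settings in root.iter("appSettings"):
        for add in settings.findall("add"):
            if add.get("key") == LEGACY_KEY:
                legacy_on = add.get("value", "").strip().lower() == "true"
    return uses_forms, legacy_on

def lingering_legacy_switches(configs):
    """configs maps a file path to its text; returns the paths that still
    force the old ticket format and must be cleaned up after the rollout."""
    return sorted(p for p, text in configs.items() if audit_config(text)[1])

if __name__ == "__main__":
    farm = {r"D:\inetpub\app\Web.config": APP_WEB_CONFIG,
            r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\Web.config": FRAMEWORK_WEB_CONFIG}
    print(lingering_legacy_switches(farm))
```

Run it against the real application and framework config files on each server after the update is installed everywhere; an empty result means no server is still pinned to the old behavior.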