January 19, 2012 8:25am
Forms Authentication, the Event Viewer and Event Code 4005

Recently we deployed our application using Forms Authentication and after a few days of use we discovered that our Event Viewer is littered with Informational messages relating to 4005.

Event code: 4005 

Event message: Forms authentication failed for the request. Reason: The ticket supplied has expired.

Event time: 1/19/2012 7:16:33 AM

Event time (UTC): 1/19/2012 12:16:33 PM

Event ID: 3446144ae1ee46efadd90542175e24fc

Event sequence: 48901 

Event occurrence: 1452 

Event detail code: 50202 

Application information:

Application domain: /LM/W3SVC/1/ROOT-1-129713452236000000 

Trust level: Full

Application Virtual Path: /

Application Path: E:\MobileBanking\Version 1.0.0.0\

Machine name: M1CUONLINE01 

Process information:

Process ID: 1348 

Process name: w3wp.exe

Account name: IIS APPPOOL\MobileBanking

Request information:

Request URL: https://mobile.members1st.org:443/account/logon

Request path: /account/logon

User host address: 166.248.33.121 

User:

Is authenticated: False

Authentication Type:

Thread account name: IIS APPPOOL\MobileBanking

Name to authenticate:

Custom event details:

After a bit of research this error occurs when your users authenticates to your site and then attempts to request a resource after their cookie has expired.  (this also assumes you are on a single server configuration, if not you might be experiencing an issue with machinekeys)

If you wish to suppress these informational messages you can alter your web.config to the following which simply removes the rule for 4005

<healthMonitoring enabled="true">
  <eventMappings>
    <!-- Event Mappings for 0-4004 and 4006 to infinite, skipping 4005, see last attribute of these entries -->
    <add name="Failure Audits 1" type="System.Web.Management.WebFailureAuditEvent,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" startEventCode="0" endEventCode="4004"/>
    <add name="Failure Audits 2" type="System.Web.Management.WebFailureAuditEvent,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" startEventCode="4006" endEventCode="2147483647"/>
  </eventMappings>
  <rules>
    <!-- REMOVE ITEMS NOTED BY MAX -->
    <remove name="Failure Audits Default"/>
    <!-- ADD Back 4006 to 4011 with these two entries, skipping over 4005 -->
    <add name="Failure Audits Default 1" eventName="Failure Audits 1" provider="EventLogProvider" profile="Default" minInstances="1" maxLimit="Infinite" minInterval="00:01:00" custom=""/>
    <add name="Failure Audits Default 2" eventName="Failure Audits 2" provider="EventLogProvider" profile="Default" minInstances="1" maxLimit="Infinite" minInterval="00:01:00" custom=""/>
  </rules>
</healthMonitoring>

This was obtained from this answer on stackoverflow and more information on the configuration can be found on msdn about the healthMonitoring Element.

URL: http://tmblr.co/ZZOaJyF0T5_H
(View comments
(Notes: 1)
  
Filed under: asp.net formsauthentication eventviewer web.config 
  1. markcoleman posted this
Blog comments powered by Disqus