20

My event log is flooded with this message:

Forms authentication failed for the request. Reason: The ticket supplied has expired.

I think this happens when people timeout instead of logout.

First of all , this is not an error, it's Type: Information

I don't want this information, how do I stop ASP.NET from logging it?

My application is not web-farmed, and uses a static machine key.

Max Toro
  • 28,282
  • 11
  • 76
  • 114
  • 1
    Good answer from Aristos, but before blocking this I would do a little investigation to make sure that the ticket is not expiring in some non-normal way. Certain situations with auto generated machine-keys (which are used for auth ticket encryption) can cause problems: see http://msdn.microsoft.com/en-us/library/ms998288.aspx – UpTheCreek Apr 26 '10 at 11:54
  • @Sosh I totally agree - in fact I must say, that I catch and log all my errors and never hide an error/information - Also I like to notice that even if I have too much users in 3 different site I have never see this error. So its maybe a hacking attack and maybe its need to locate the ip coming from, or what ever to block it out. – Aristos Apr 27 '10 at 06:48
  • The same problem, with slightly different desired outcomes, also appears as the question [ASP.NET Forms Authentication failed for the request. Reason: The ticket supplied has expired](http://stackoverflow.com/questions/5266578/asp-net-forms-authentication-failed-for-the-request-reason-the-ticket-supplied) and [Error 4005 Forms authentication failed - ticket supplied has expired](http://stackoverflow.com/questions/284709/error-4005-forms-authentication-failed-ticket-supplied-has-expired?rq=1) – Owen Blacker Mar 10 '14 at 11:47

2 Answers2

18

Here's the solution:

<?xml version="1.0"?>
<configuration>
   <system.web>
      <healthMonitoring>
         <rules>
            <remove name="Failure Audits Default" />
         </rules>
      </healthMonitoring>
   </system.web>
</configuration>

Note that this will prevent the logging off all System.Web.Management.WebFailureAuditEvent events, which covers the event range 4005-4011. There is probably a way to just remove 4005, but this solution is good enough for me.

These are the links that helped me:

Max Toro
  • 28,282
  • 11
  • 76
  • 114
  • 1
    +1 i am tempted to undelete my answer just to make your answer look even better, but umm.. no. ;-) – Sky Sanders Apr 27 '10 at 20:06
  • 1
    @Max finally yes this is one way, but you delete and remove all events this way and not only the one you ask for. – Aristos Apr 27 '10 at 20:45
  • @Aristos: Not all events, only the 4005-4011 range, which are all related to authentication/authorization failures. There is a way add the 4006-4011 range back also using configuration. I understand this is not the exact answer I was looking for, but it points in the right direction, which is configuration. – Max Toro Apr 28 '10 at 02:26
9

Adding to Max Toro's solution and for the curious, this seems to be the way one would add back 4006 to 4011:

<healthMonitoring enabled="true">

  <providers>
    <add name="EventLogProvider" type="System.Web.Management.EventLogWebEventProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"/>
  </providers>

  <eventMappings>
    <!-- Event Mappings for 0-4004 and 4006 to infinite, skipping 4005, see last attribute of these entries -->
    <add name="Failure Audits 1" type="System.Web.Management.WebFailureAuditEvent,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" startEventCode="0" endEventCode="4004"/>
    <add name="Failure Audits 2" type="System.Web.Management.WebFailureAuditEvent,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" startEventCode="4006" endEventCode="2147483647"/>
  </eventMappings>

  <rules>
    <!-- REMOVE ITEMS NOTED BY MAX -->
    <remove name="Failure Audits Default"/>     
    <!-- ADD Back 4006 to 4011 with these two entries, skipping over 4005 -->
    <add name="Failure Audits Default 1" eventName="Failure Audits 1" provider="EventLogProvider" profile="Default" minInstances="1" maxLimit="Infinite" minInterval="00:01:00" custom=""/>
    <add name="Failure Audits Default 2" eventName="Failure Audits 2" provider="EventLogProvider" profile="Default" minInstances="1" maxLimit="Infinite" minInterval="00:01:00" custom=""/>
  </rules>

</healthMonitoring>

Seems to work for me.

Kiquenet
  • 14,494
  • 35
  • 148
  • 243
Moe Howard
  • 498
  • 7
  • 12