Hi,

I've seen several similar scenarios explained here but not my particular one. I wonder if someone could tell me which direction to go in?

I am developing two (and more later) MVC2 apps. There will also be another (thicker) client later on (WPF or Silverlight, TBD). These all need to share the same authentication. For the MVC2 apps they (preferably) need to be single log on - ie if a user logs in to one MVC2 app, they should be authorised on the other, as long as the cookie hasn't timed out.

Forms authentication is to be used.

All the apps need to use common business functionality and perform db access via a common WCF Service App. It would be nice (I think) if the WCF is not publicly accessible (ie blocked behind FW). The thicker client could use an additional service layer to access the Common WCF App.

What this should look like is:

MVCApp1 -> WCFAppCommon

MVCApp2 -> WCFAppCommon

ThickClient -> WCFApp2 -> WCFAppCommon

Is it possible to carry out all the authentication/authorization in the WCFAppCommon? Otherwise I think I'll have to repeat all the security logic in the MVCApps and WCFApp2, whereas, to me, it seems to sit naturally in WCFAppCommon. On the otherhand, it seems if I authenticate/authorize in WCFAppCommon, I wouldn't be able to use Forms Authentication.

Where I've seen possible solutions (that I haven't tried yet) they seem much more complex than Forms Authentication and a single DB.

Any help appreciated,

Phil