To enable single sign-on for a web application and a web application in a virtual directory, I set the machinekey in both apps to the same:

<machineKey validationKey="xxx" decryptionKey="yy" validation="SHA1" />

The single sign on works just fine, but existing users can't sign in any more; their passwords are rejected. The machinekey used to be this in the parent application:

<machineKey validationKey="xxx,IsolateApps" decryptionKey="yy,IsolateApps" validation="SHA1" />

I tried other ways to make single sign on work, but it just won't as long as the keys contain "IsolateApps". What am I missing?

I should add that the in the membership provider, passwordFormat is set to "Encrypted". So I assume the password was encrypted using the key that contained "IsolateApps" and now when it tries to validate the password it's using the key without the "IsolateApps". Still not sure how to solve that problem. Is there maybe a way that I can set the encryption keys for the password separately from the one that is used for the authentication cookie?