How to solve "Key not valid for use in specified state" error when using Azure ACS?

I'm attempting to get OpenID authentication to work in my Azure ASP.NET MVC 3 application and have followed the steps in the MVC 3 Custom Login Sample to do so. Everything works fine in the development environment but not when deployed to the Azure platform.

The first issue started with authentication causing the error "Key not valid for use in specified state". The discussion here states that开发者_开发技巧 the application needs to be configured to use RsaEncryptionCookieTransform instead of DPAPI which is the default. To try and solve this I added the code for OnServiceConfigurationCreated described on Alik Levin's blog but didn't go any further as it describes setting up a self-signed certificate in development (which as mentioned hasn't been necessary), not in Azure.

Instead of that approach, I tried to use the X.509 certificate already in Azure. I found the thumbprint under Windows Azure Management > Access Control Service > Relying Party Applications > (My Application Name) > Token Signing Certificates > Used for Service Namespace (X.509 Certificate). I then added this reference to the web.config:

<serviceCertificate>
    <certificateReference x509FindType="FindByThumbprint" findValue="8A417..." />
</serviceCertificate>

Now I receive a configuration error on application startup:

ID1024: The configuration property value is not valid.
Property name: 'certificateReference'
Error: 'ID1025: Cannot find a unique certificate that matches the criteria.
StoreName: 'My'
StoreLocation: 'LocalMachine'
X509FindType: 'FindByThumbprint'
FindValue: '8A417...''

Do I actually need to change the encryption method to resolve the "Key not valid for use in specified state" error? If so, how can I use the X.509 certificate already in Azure to encrypt cookies?

The certificate you are referring to is the token signing cert used by ACS. You need a cert deployed in your web role so WIF can use it to encrypt the cookies (nothing to do with the token). You will have to add a cert in your Windows Azure deployment. (Service Configuration).

See sample #5 in http://claimsid.codeplex.com

If this is a proof of concept and you want to just run with all defaults. See here: http://msdn.microsoft.com/en-us/library/ff966484.aspx#sec3

You need to set "Load User Profile=true" so DPAPI will work. (This is probably what you have in your local machine).

Eventually I found (again) the article Securing Windows Azure Web Role ASP.NET Web Application Using Access Control Service v2.0. After reconfiguring the web.config and the "Relying Party Applications" section of the ACS Management Portal according to this article, I was able to get everything to work. Specifically I wanted only those controller actions decorated with RequireAuthentication, as shown in the ACS 2.0 sample for this tutorial, to require the user to be logged in. This now works.

The only downside is that the entire app has to run in SSL for the user experience to be seamless. Otherwise the user is prompted for auth when running in HTTP, authenticated, and then dumped back to HTTP apparently not authenticated. However, switching over to the SSL endpoint, the user has been authenticated!

In development fabric this was working as I wanted, Stack Overflow style, where I was able to run everything in standard HTTP without using a certificate and authentication happened over SSL. However because of the RSA cookie requirement in Azure and need for a certificate this won't work in the cloud. (It would be great if dev fabric warned about this and other common gotchas.) I hope to revisit this at some point in the future.

In summary, I recommend you understand Windows Identity Foundation and how it applies to Azure before attempting anything beyond the provided samples. Some resources available at time of writing:

• TechNet Wiki for Azure (specifically articles about ACS and WIF)
• ClaimsID (CodePlex)
• ACS (CodePlex)
• Programming Windows Identity Foundation (book)