
Strange error with WIF RTM, occurs after reset IIS

I am hosting my web application on Windows Server 2008 with IIS 7.5. I have 2 web applications: 1. the first one is the core SSO (Single Sign-on) service with a login page; 2. another web application, hosted on the same web server, which uses the first app for SSO.

I am using the WIF RTM to implement the SSO.

Usually it runs fine without any problem: the user can log in through the SSO and is redirected back to the start page. But when I log in through the SSO first, then restart IIS, and then come back to the second application and refresh the page, I get the following error:

Server Error in '/' Application.

Key not valid for use in specified state.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Security.Cryptography.CryptographicException: Key not valid for use in specified state.

Source Error: An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[CryptographicException: Key not valid for use in specified state. ]
   System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope) +425
   Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[] encoded) +59

[InvalidOperationException: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false. ]
   Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[] encoded) +151
   Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +109
   Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver) +634
   Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver) +105
   Microsoft.IdentityModel.Web.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[] sessionCookie) +239
   Microsoft.IdentityModel.Web.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken) +59
   Microsoft.IdentityModel.Web.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +52
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +68
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75

Version Information: Microsoft .NET Framework Version:2.0.50727.4927; ASP.NET Version:2.0.50727.4927

The user sessions are stored using SQL Server session mode; I am using a dedicated database for this.

I have tried a lot and I cannot reproduce this problem on my local computer (Windows 7). Did anyone have a similar experience? Can you tell me how to solve this problem?


I finally solved this problem by changing the application pool user to a local user. The problem is probably caused by the SSO being hosted on a 64-bit OS; this problem does not exist if I host the SSO on a 32-bit computer (even if I use a domain user for the application pool).

Now I use ApplicationPoolIdentity or Network Service, and the exception disappeared after I restarted IIS.

Thanks all you guys, and I am so glad to share my solution with you.


There seems to be some kind of security issue when you have several apps sharing the same domain on Windows Server 2008 with IIS 7.5.

If you have URLs http://ourdomain.com/app1 and http://ourdomain.com/app2, you can sign in on one app with WIF, but when you access the other app you get this error. This is because the cookie is for the domain, but if it's created by app1 then app2 can't access it.

So the solution is to either do as Aaron did and use a specific user that has access rights, or, as we did, separate the apps onto two different domains, i.e. http://app1domain.com/ and http://app2domain.com/.


This could well be because your application pool user has no persistent user profile. To rectify this, you can just run something as that user:

runas /user:<domain>\<user> cmd

This will create the profile. Subsequently the data should be decryptable after restarting IIS.
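The ID1073 message in the trace and the last two answers point at the same root cause: ProtectedDataCookieTransform protects the WIF session cookie with DPAPI in the CurrentUser scope, so the key material lives in the application pool identity's user profile, and a profile that is not loaded (or does not exist on disk) gives a different key after every restart. The script below is an added example, not code from the question or any answer; it assumes the IIS WebAdministration PowerShell module and takes the application pool name as a parameter (the sample name in the comment is a placeholder).

```powershell
# Added example: check the settings behind the ID1073 / "Key not valid for
# use in specified state" error on one application pool and fix the
# loadUserProfile flag the WIF exception message refers to.
# Assumes IIS 7.5 with the WebAdministration module; run elevated, e.g.
#   .\Check-WifPoolProfile.ps1 -AppPoolName "SsoAppPool"   (placeholder name)
param(
    [Parameter(Mandatory = $true)]
    [string]$AppPoolName
)

Import-Module WebAdministration

$poolPath = "IIS:\AppPools\$AppPoolName"
$pm = (Get-Item $poolPath).processModel

Write-Host "Identity type   : $($pm.identityType)"
Write-Host "User name       : $($pm.userName)"
Write-Host "loadUserProfile : $($pm.loadUserProfile)"

# The session cookie is DPAPI-protected in the CurrentUser scope. With
# loadUserProfile=false the worker process gets a temporary profile, whose
# DPAPI master key is discarded on recycle, so a cookie issued before an
# IIS restart can no longer be decrypted afterwards.
if (-not $pm.loadUserProfile) {
    Write-Host "Enabling loadUserProfile so the identity's DPAPI keys persist across restarts"
    Set-ItemProperty -Path $poolPath -Name processModel.loadUserProfile -Value $true
    Restart-WebAppPool -Name $AppPoolName
}

# A custom (domain or local) account also needs a profile to exist on
# disk before IIS can load it; the last answer creates it with runas.
if ($pm.identityType -eq 'SpecificUser' -and $pm.userName) {
    $account = New-Object System.Security.Principal.NTAccount($pm.userName)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $profile = Get-WmiObject -Class Win32_UserProfile -Filter "SID='$sid'"
    if ($profile) {
        Write-Host "Profile present at $($profile.LocalPath)"
    } else {
        Write-Host "No profile on disk for $($pm.userName)."
        Write-Host "Create it once, as the last answer suggests, with:"
        Write-Host "    runas /user:$($pm.userName) cmd"
    }
}
```

Cookies issued while the temporary profile was in use stay undecryptable after the change; users who hold one simply sign in again and receive a cookie protected with the persistent key.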
