Question

I am hosting my web application on Windows Server 2008 with IIS 7.5. I have 2 web applications: 1. the first one is the core SSO (Single Sign-On) service with a login page; 2. another web application, hosted on the same web server, which uses the first app for SSO.

I am using the WIF RTM to implement the SSO.

Usually it runs fine without any problem: the user can log in through the SSO and is redirected back to the start page. But when I log in through the SSO first, then restart IIS, and then come back to the second application and refresh the page, I get the following error:

Server Error in '/' Application.
Key not valid for use in specified state.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Security.Cryptography.CryptographicException: Key not valid for use in specified state.

Source Error: An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[CryptographicException: Key not valid for use in specified state. ]
System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope) +425
Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[] encoded) +59

[InvalidOperationException: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false. ] Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[] encoded) +151
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +109
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver) +634
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver) +105
Microsoft.IdentityModel.Web.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[] sessionCookie) +239
Microsoft.IdentityModel.Web.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken) +59
Microsoft.IdentityModel.Web.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +52
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +68
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75

Version Information: Microsoft .NET Framework Version:2.0.50727.4927; ASP.NET Version:2.0.50727.4927

The user sessions are stored using SQL Server session mode; I am using a dedicated database for this.

I have tried a lot, and I cannot reproduce this problem on my local computer (Windows 7). Has anyone had a similar experience? Can you tell me how to solve this problem?


Solution

This could well be because your application pool user has no persistent user profile. To rectify this you can just run something as that user:

runas /user:<domain>\<user> cmd

And this will create the profile. Subsequently the data should be decryptable after restarting IIS.
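The ID1073 message in the stack trace names the other half of this: WIF's default ProtectedDataCookieTransform encrypts the session cookie with DPAPI in CurrentUser scope, and that scope only works if the worker process runs with the pool identity's user profile loaded. When the pool is configured with loadUserProfile=false the worker process gets a profile that is not persisted, so a cookie issued before an IIS restart cannot be decrypted after it. The following is an added example, not code from the original answer, that checks and enables loadUserProfile on the pool through Microsoft.Web.Administration (the managed wrapper shipped with IIS 7.x in %windir%\System32\inetsrv). The pool name "SsoAppPool" is a placeholder; the tool must be run elevated on the server.

```csharp
// Added example (not from the original post): ensure the application pool
// hosting the WIF relying party runs with its user profile loaded.
// Assumptions: pool name "SsoAppPool" is a placeholder; compiled against
// Microsoft.Web.Administration.dll from %windir%\System32\inetsrv and run
// as an administrator on the IIS 7.5 box.
using System;
using Microsoft.Web.Administration;

class EnsurePoolProfile
{
    // Returns true when loadUserProfile had to be switched on (and the pool
    // was recycled), false when it was already true.
    static bool EnsureUserProfileLoaded(string poolName)
    {
        using (ServerManager mgr = new ServerManager())
        {
            ApplicationPool pool = mgr.ApplicationPools[poolName];
            if (pool == null)
                throw new ArgumentException("No application pool named " + poolName);

            // DPAPI in CurrentUser scope (what ProtectedDataCookieTransform uses)
            // needs the identity's profile; report what the pool currently does.
            Console.WriteLine("{0}: identity={1} user={2} loadUserProfile={3}",
                poolName,
                pool.ProcessModel.IdentityType,
                pool.ProcessModel.UserName,
                pool.ProcessModel.LoadUserProfile);

            if (pool.ProcessModel.LoadUserProfile)
                return false;

            pool.ProcessModel.LoadUserProfile = true;
            mgr.CommitChanges();   // persisted to applicationHost.config
            pool.Recycle();        // next worker process starts with the profile
            return true;
        }
    }

    static void Main(string[] args)
    {
        string poolName = args.Length > 0 ? args[0] : "SsoAppPool";
        bool changed = EnsureUserProfileLoaded(poolName);
        Console.WriteLine(changed
            ? "loadUserProfile enabled; pool recycled."
            : "loadUserProfile already enabled; nothing changed.");
    }
}
```

Cookies issued before the change are still undecryptable (they were protected with the non-persisted key), so users will see the error once more and then be sent to the login page to get a fresh cookie. If the pool identity is a domain account, the runas step above is still useful: it creates the profile directory on disk, which is what the worker process loads once loadUserProfile is true.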

OTHER TIPS

I finally solved this problem by changing the application pool user to a local user. The problem is probably caused by the SSO being hosted on a 64-bit OS; this problem does not exist if I host the SSO on a 32-bit computer (even if I use a domain user for the application pool).

Now I use ApplicationPoolIdentity or Network Service, and the exception disappeared after I restarted IIS.

Thanks all you guys and I am so glad to share my solution with you.

There seems to be some kind of security issue when you have several apps sharing the same domain on Windows Server 2008 with IIS 7.5.

If you have URLs http://ourdomain.com/app1 and http://ourdomain.com/app2 you can sign in on one app with WIF, but when you access the other app you get this error. This is because the cookie is for the domain, but if it's created by app1 then app2 can't access it.

So the solution is either to do as Aaron did and use a specific user that has access rights, or, as we did, to separate the apps on two different domains, i.e. http://app1domain.com/ and http://app2domain.com/.
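The caveat behind both this answer and the previous one is that ProtectedData ties the cookie to one Windows account's DPAPI master key on one machine: two application pools running as different identities, a pool whose profile is not loaded, or a second server in a farm all fail to decrypt it, whatever host name the cookie is scoped to. WIF RTM lets you take DPAPI out of the chain by protecting the session cookie with an X.509 certificate instead; every application that installs the same certificate (with private key) can then read the cookie, and an IIS restart no longer matters because the key lives in the certificate store rather than in a user profile. The following is an added example and not code from the original posts: it assumes a `<serviceCertificate>` is configured under `<microsoft.identityModel><service>` in web.config, that the pool identity has read access to that certificate's private key, and that the same Global.asax.cs is deployed to each application sharing the sign-on.

```csharp
// Added example (not from the original posts): replace WIF RTM's DPAPI-based
// cookie protection with certificate-based RSA so the session cookie does not
// depend on the app-pool account's user profile or on the machine it was
// issued from. Goes in Global.asax.cs of every app that should accept it.
// Assumptions: WIF RTM (Microsoft.IdentityModel); <serviceCertificate> is
// set in web.config and its private key is readable by the pool identity.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;
using Microsoft.IdentityModel.Web.Configuration;

public class Global : HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        // Raised once when WIF builds its ServiceConfiguration, before the
        // SessionAuthenticationModule reads any cookie; the handler must be
        // swapped here, not per request.
        FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
    }

    static void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
    {
        X509Certificate2 cert = e.ServiceConfiguration.ServiceCertificate;
        if (cert == null || !cert.HasPrivateKey)
            throw new InvalidOperationException(
                "A serviceCertificate with a private key is required for RSA cookie protection.");

        // The default chain is Deflate -> ProtectedData (DPAPI), which is the
        // ProtectedDataCookieTransform.Decode frame in the stack trace above.
        // Replace the DPAPI step with RSA encryption plus an RSA signature so
        // the cookie is both confidential and tamper-evident under the cert.
        var transforms = new List<CookieTransform>
        {
            new DeflateCookieTransform(),
            new RsaEncryptionCookieTransform(cert),
            new RsaSignatureCookieTransform(cert)
        };

        var handler = new SessionSecurityTokenHandler(transforms.AsReadOnly());
        e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(handler);
    }
}
```

Two things to check after deploying this: the private key permission (a pool identity that cannot read it produces a different CryptographicException at the first decrypt), and the cookie scope, since for two applications under one host name the `<cookieHandler>` element in web.config decides the cookie's path and domain, which the posts above do not show. Cookies issued under the old DPAPI transform are invalid after the switch, so expect one forced re-login per user.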

Licensed under: CC-BY-SA with attribution