
Reputation: 34269

WIF to a separate domain via AJAX

We have sites running in two separate domains, one is a secured API, the other is a frontend website. We want to be able to do an AJAX request from the website to the API using the currently logged in user's credentials.


To do this I did all the necessary CORS bits to be able to pass our cookie to the API, however when the API tries to process the cookie it can't decrypt it. My understanding is that this is because the realm doesn't match correctly.

The error I get when I try and do this is as follows:

InvalidOperationException: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false.

If I manually make the same request with a cookie with the :1444 realm everything works correctly (so I think the loadUserProfile stuff is a red herring).

I think the issue is that I can't reuse this cookie for another realm, but if this is the case how can I perform this delegation in JavaScript? Is it actually even possible without actually redirecting the user to the STS to get a cookie for the other realm? Is there a better way to approach this JavaScript delegation?

Useful Supporting data:

The configuration of WIF for our API end:

    <modules runAllManagedModulesForAllRequests="true">
        <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
        <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
    </modules>

...

    <microsoft.identityModel>
        <service>
            <securityTokenHandlers>
                <add type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
                    <sessionTokenRequirement lifetime="1:00" />
                </add>
            </securityTokenHandlers>
            <audienceUris>
                <add value="http://localhost:1444/" />
            </audienceUris>
            <federatedAuthentication>
                <wsFederation passiveRedirectEnabled="true" issuer="http://localhost:1339/account/sign-in" realm="http://localhost:1444/" requireHttps="false" persistentCookiesOnPassiveRedirects="false" />
                <cookieHandler requireSsl="false" path="/" name="TheCookieMonster" persistentSessionLifetime="60" />
            </federatedAuthentication>
            <applicationService>
                <claimTypeRequired>
                    <!--This claim gets mapped to the User.Identity.Name-->
                    <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="false" />
                    <!--Some Other Custom claims-->
                </claimTypeRequired>
            </applicationService>
            <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
                <trustedIssuers>
                    <add thumbprint="a_thumbprint_key_for_our_cert" name="http://localhost:1339/" />
                </trustedIssuers>
            </issuerNameRegistry>
        </service>
    </microsoft.identityModel>

The config of WIF at the website end:

(Same but with :1337)

    <modules runAllManagedModulesForAllRequests="true">
        <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
        <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
    </modules>

...

    <microsoft.identityModel>
        <service>
            <securityTokenHandlers>
                <add type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
                    <sessionTokenRequirement lifetime="1:00" />
                </add>
            </securityTokenHandlers>
            <audienceUris>
                <add value="http://localhost:1337/" />
            </audienceUris>
            <federatedAuthentication>
                <wsFederation passiveRedirectEnabled="true" issuer="http://localhost:1339/account/sign-in" realm="http://localhost:1337/" requireHttps="false" persistentCookiesOnPassiveRedirects="false" />
                <cookieHandler requireSsl="false" path="/" name="TheCookieMonster" persistentSessionLifetime="60" />
            </federatedAuthentication>
            <applicationService>
                <claimTypeRequired>
                    <!--This claim gets mapped to the User.Identity.Name-->
                    <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="false" />
                    <!--Some Custom claims-->
                </claimTypeRequired>
            </applicationService>
            <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
                <trustedIssuers>
                    <add thumbprint="a_thumbprint_key_for_our_cert" name="http://localhost:1339/" />
                </trustedIssuers>
            </issuerNameRegistry>
        </service>
    </microsoft.identityModel>

What the net tab looks like:


I think this is cancelled because the browser's JavaScript engine has detected some kind of security nonsense going on.

Upvotes: 4

Views: 420
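Two things in the question are worth separating, and a small model makes the distinction visible. First, the ID1073 error comes from `ProtectedData`, i.e. DPAPI, whose keys are tied to the machine and (in user scope) to the profile of the account the app pool runs as, so a session cookie written by one site is only readable by a second site if both sites resolve to the same DPAPI key; .NET 4.5 addresses exactly this with `MachineKeySessionSecurityTokenHandler`, which protects the cookie with the shared `machineKey` instead. Second, both configs above use the same cookie name `TheCookieMonster` on `localhost`, and cookies are not scoped by port, so the API receives the website's cookie whether or not it can read it. The Python below is an added illustration written for this page, not WIF code and not the asker's: it stands in for the cookie transforms with an HMAC over a JSON body (real WIF encrypts as well), models the DPAPI case as each site holding its own random key and the machineKey case as one shared key, and adds a realm-vs-audienceUris check so you can see which of the two checks rejects the website's cookie. Names, the `realm` field in the session body, and the sample user `alice` are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os

# Realms from the question's two web.config files.
WEBSITE_REALM = "http://localhost:1337/"
API_REALM = "http://localhost:1444/"
# The API's <audienceUris> lists only its own realm.
API_AUDIENCE_URIS = {API_REALM}


def protect(session: dict, key: bytes) -> str:
    """Stand-in for the session cookie transforms: encode the session and
    bind it to `key` with an HMAC tag (WIF also encrypts; omitted here)."""
    body = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def unprotect(cookie: str, key: bytes) -> dict:
    """Inverse of protect(); fails the way ID1073 does when the cookie was
    protected under a different key (a different DPAPI machine/profile)."""
    body, _, tag = cookie.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("cannot unprotect cookie: not protected with this key")
    return json.loads(base64.urlsafe_b64decode(body))


def validate_for_api(cookie: str, api_key: bytes, audience_uris=API_AUDIENCE_URIS) -> str:
    """What the API side does with an incoming cookie: first the key check,
    then the realm/audience check. Returns a short verdict string."""
    try:
        session = unprotect(cookie, api_key)
    except PermissionError:
        return "rejected: key mismatch"
    if session["realm"] not in audience_uris:
        return "rejected: realm not in audienceUris"
    return f"accepted: {session['name']}"


def per_app_keys() -> str:
    """DPAPI-style: website and API each have their own key, so the API
    never even gets as far as the audience check."""
    website_key = os.urandom(32)
    api_key = os.urandom(32)
    cookie = protect({"name": "alice", "realm": WEBSITE_REALM}, website_key)
    return validate_for_api(cookie, api_key)


def shared_key() -> tuple:
    """machineKey-style: one key for both sites. The website's cookie now
    decrypts but still fails the audience check unless the API lists the
    website's realm; a cookie minted for :1444 (the asker's manual test)
    is accepted as-is."""
    key = os.urandom(32)
    website_cookie = protect({"name": "alice", "realm": WEBSITE_REALM}, key)
    api_cookie = protect({"name": "alice", "realm": API_REALM}, key)
    return (
        validate_for_api(website_cookie, key),
        validate_for_api(api_cookie, key),
        validate_for_api(website_cookie, key, {WEBSITE_REALM, API_REALM}),
    )


if __name__ == "__main__":
    print("per-app keys:", per_app_keys())
    print("shared key:  ", shared_key())
```

The point of the model is diagnostic: an ID1073 decryption failure says nothing about realms yet, because the key check runs before anything in the cookie can be inspected. Once both sites can read the same cookie (shared key), deciding whether the API should accept a session minted for the website's realm is a policy choice you make in `audienceUris`, and widening that list means the API trusts every session the website issues.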

Answers (1)


Reputation: 34269

We did manage to sort this out by upgrading to WIF 4.5, which worked perfectly with no special modifications. I'm not too sure what the root cause in 3.5 was, but this has closed the issue off for me. If someone wants it I can post a sample with this working to GitHub.

Upvotes: 1
