hada

Reputation: 167

Why do I receive "CryptographicException: Key not valid for use in specified state." after changing app pool user using wsfederation?

I have an inherited STS server that is running .net 4.7.2 using system.identitymodel wsfederation to issue tokens based on the principal, and saves them as a cookie using the SessionAuthenticationModule.

Both the STS and relying party are running on IIS 10 on Server 2016. All works fine until I change the identity running the app pool of the relying party; then I get the error:

[CryptographicException: Key not valid for use in specified state.]
   System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope) +470
   System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded) +48

[InvalidOperationException: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false. ]
   System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded) +358
   System.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +191
   System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver) +824
   System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver) +86
   System.IdentityModel.Services.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[] sessionCookie) +567
   System.IdentityModel.Services.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken) +306
   System.IdentityModel.Services.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +158
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +223
   System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +220
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +94

It appears the RP cannot decrypt the cookie, but why is it paired to the identity running the app pool? I have added the new identity as an admin on the server to ensure it isn't permission related. Is it a requirement that the STS and all relying parties run as the same user?

Upvotes: 1

Views: 342

Answers (1)

hada

Reputation: 167

I was using the SessionSecurityTokenHandler to manage the cookie, which I believe is the default. This handler ultimately uses the CryptProtectData method, which in the documentation states:

The CryptUnprotectData function decrypts and does an integrity check of the data in a DATA_BLOB structure. Usually, the only user who can decrypt the data is a user with the same logon credentials as the user who encrypted the data. In addition, the encryption and decryption must be done on the same computer.

I believe we could have switched to a MachineKeySessionSecurityTokenHandler but I would have had to reconfigure all relying parties.
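The handler swap mentioned above, as an added example that is not the poster's configuration: a relying-party web.config that removes the DPAPI-backed SessionSecurityTokenHandler (whose CurrentUser scope is what ties the cookie to the app pool identity) and registers MachineKeySessionSecurityTokenHandler in its place. The key values are placeholders; the assembly-qualified type names are those documented for .NET 4.x.

```xml
<!-- Added example (not the poster's configuration): relying-party web.config
     switching the session cookie from DPAPI to <machineKey> protection.
     Key values are placeholders; generate real ones per deployment. -->
<configuration>
  <system.web>
    <!-- Explicit keys so every node hosting this RP, whatever identity its
         app pool runs as, derives the same protection material.
         HMACSHA256 validationKey: 64 bytes (128 hex chars);
         AES decryptionKey: 32 bytes (64 hex chars). -->
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_128_HEX_CHARS"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY_64_HEX_CHARS"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>

  <system.identityModel>
    <identityConfiguration>
      <securityTokenHandlers>
        <!-- Drop the default handler: it protects the session cookie with
             DPAPI in CurrentUser scope, so only the same logon can decode it. -->
        <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        <!-- Replace it with the handler that protects the cookie using
             the <machineKey> element above instead of the user's DPAPI key. -->
        <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      </securityTokenHandlers>
    </identityConfiguration>
  </system.identityModel>
</configuration>
```

Two practical notes: the `<machineKey>` values must be set explicitly and identically on every server hosting that relying party (the auto-generated default is per machine and per identity, which would reintroduce the same failure on a farm), and session cookies written by the old DPAPI handler will not decode under the new one, so users holding such a cookie are simply sent back through the WS-Federation sign-in once after the change.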

Upvotes: 0
