WIF - ID1014: The signature is not valid. The data may have been tampered with

Problem description

I've been using WIF to authenticate our new website, the STS is based upon the starter-sts implementation.

To enable this to work correctly on our load-balanced environment I've used the following in the global.asax to override the default certificate behaviour.

void onServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
{
    // Session cookie transforms: compress, then RSA-encrypt and RSA-sign
    // with the service certificate instead of the default transforms.
    List<CookieTransform> sessionTransforms = new List<CookieTransform>(new CookieTransform[]
    {
        new DeflateCookieTransform(),
        new RsaEncryptionCookieTransform(e.ServiceConfiguration.ServiceCertificate),
        new RsaSignatureCookieTransform(e.ServiceConfiguration.ServiceCertificate)
    });

    // Register a session token handler that uses these transforms.
    SessionSecurityTokenHandler sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());
    e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
}

This is all working just fine and people have been successfully using the system, however every now and then we get a blast of:

ID1014: The signature is not valid. The data may have been tampered with.

in the event logs, so I switched on WIF tracing and saw the following mentioned in the log.

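ID1074: A CryptographicException occurred when attempting to encrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false.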

I have a feeling this is leading me down a dark alley as I thought because I'd changed the implementation to use RSA this shouldn't affect me.

Any ideas to help me?

Recommended answer

I changed the implementation to amend the timeout in the ontokencreated method. This prevents the reissue.

protected override void OnSessionSecurityTokenCreated(Microsoft.IdentityModel.Web.SessionSecurityTokenCreatedEventArgs args)
{
    // Replace the newly created session token with a persistent one
    // that is valid from now for 365 days.
    args.SessionToken = FederatedAuthentication.SessionAuthenticationModule.CreateSessionSecurityToken(
        args.SessionToken.ClaimsPrincipal,
        args.SessionToken.Context,
        DateTime.UtcNow,
        DateTime.UtcNow.AddDays(365),
        true
        );
    //base.OnSessionSecurityTokenCreated(args);
}
