SessionSecurityTokenHandler trying to decrypt SessionSecurityToken in RSA-encrypted cookie using DPAPI; why?


Question

I have read in MSDN forums, Dominic Baier's blog, and in other sources that DPAPI will not work out-of-the-box in Azure, and that one approach to handling federated authentication in any kind of web farm scenario is to replace the DPAPI transforms with one that uses a private key available across the farm, such as RSA encryption using an X509 certificate. I have taken this approach in my Azure MVC application and configured the SessionSecurityTokenHandler like this:

FederatedAuthentication.ServiceConfigurationCreated += (sender, args) =>
    {
        // Replace the default DPAPI (ProtectedDataCookieTransform) pipeline with
        // RSA encryption and signing keyed by the farm-wide service certificate.
        var sessionTransforms = new List<CookieTransform>(new CookieTransform[]
            {
                new DeflateCookieTransform(),
                new RsaEncryptionCookieTransform(args.ServiceConfiguration.ServiceCertificate),
                new RsaSignatureCookieTransform(args.ServiceConfiguration.ServiceCertificate)
            });
        var sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());
        // Swap out the default handler for the session token type.
        args.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
    };

Using this configuration, we are able to receive tokens from an identity provider and issue secure cookies encrypted using these transforms. Running in the Azure emulator, everything works as expected. However, in the Azure environment, we intermittently see the following error in the browser:

Key not valid for use in specified state.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 

Exception Details: System.Security.Cryptography.CryptographicException: Key not valid for use in specified state.


Source Error: 

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace: 


[CryptographicException: Key not valid for use in specified state.
]
   System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope) +577
   Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[] encoded) +80

[InvalidOperationException: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false. ]
   Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[] encoded) +433
   Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +189
   Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver) +862
   Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver) +109
   Microsoft.IdentityModel.Web.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[] sessionCookie) +356
   Microsoft.IdentityModel.Web.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken) +123
   Microsoft.IdentityModel.Web.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +61
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +270

This seems to suggest that the SessionSecurityTokenHandler is trying to decrypt the cookie using DPAPI, but why? Didn't I configure it to use RSA above?

Accepted answer

Well, after much searching, I've figured out what my problem was. Before I set up the ServiceConfigurationCreated, I was doing some configuration that caused an access to FederatedAuthentication.ServiceConfiguration. According to MSDN, "The ServiceConfigurationCreated event is raised when the first HTTP module in the web application references ServiceConfiguration". I moved the event handler setup to the top of Application_Start and everything worked as it should, which means that the event - which only fires once - was firing before I had the event handler set up.

Hopefully this will save someone the 4+ hours it took me to run this to ground.
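The ordering problem described in the answer, and the RSA transform configuration from the question, together in one Application_Start. This is an added example, not code from the original post or from the WIF library; it assumes a WIF 3.5 (Microsoft.IdentityModel) ASP.NET application, a service certificate already configured in web.config, and a hypothetical helper AssertRsaSessionTransforms that the page does not contain. Because ServiceConfigurationCreated fires only once, on the first access to FederatedAuthentication.ServiceConfiguration, the subscription must be the first thing that runs; the helper afterwards verifies that the DPAPI transform is really gone, so a mis-ordered startup fails loudly at deployment time instead of intermittently in production.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;
using Microsoft.IdentityModel.Web.Configuration;

public class MvcApplication : HttpApplication
{
    protected void Application_Start()
    {
        // 1. Subscribe BEFORE anything reads FederatedAuthentication.ServiceConfiguration.
        //    The event fires exactly once, on first access; a handler attached later
        //    never runs, and the default DPAPI ProtectedDataCookieTransform stays in place.
        FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;

        // 2. Only now touch ServiceConfiguration. This first access raises the event
        //    above and is where the RSA transforms get installed.
        var config = FederatedAuthentication.ServiceConfiguration;

        // 3. Fail fast if the session handler still carries a DPAPI transform
        //    (hypothetical check, not part of WIF).
        AssertRsaSessionTransforms(config);
    }

    private static void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
    {
        var cert = e.ServiceConfiguration.ServiceCertificate;
        if (cert == null)
        {
            throw new InvalidOperationException("ServiceCertificate is not configured; RSA cookie transforms need it.");
        }

        // Deflate, then encrypt and sign with the farm-wide certificate instead of
        // machine-local DPAPI, so every instance in the farm can read the cookie.
        var transforms = new List<CookieTransform>
        {
            new DeflateCookieTransform(),
            new RsaEncryptionCookieTransform(cert),
            new RsaSignatureCookieTransform(cert)
        };

        var handler = new SessionSecurityTokenHandler(transforms.AsReadOnly());
        e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(handler);
    }

    // Hypothetical startup guard (assumption: SessionSecurityTokenHandler exposes its
    // Transforms collection, which WIF 3.5 does). Throws if DPAPI is still in the pipeline,
    // which is exactly the state that produced "Key not valid for use in specified state".
    private static void AssertRsaSessionTransforms(ServiceConfiguration config)
    {
        var handler = config.SecurityTokenHandlers[typeof(SessionSecurityToken)] as SessionSecurityTokenHandler;
        if (handler == null)
        {
            throw new InvalidOperationException("No SessionSecurityTokenHandler registered.");
        }

        if (handler.Transforms.Any(t => t is ProtectedDataCookieTransform))
        {
            throw new InvalidOperationException(
                "SessionSecurityTokenHandler still uses ProtectedDataCookieTransform (DPAPI); " +
                "ServiceConfigurationCreated was probably raised before the handler was attached.");
        }

        if (!handler.Transforms.Any(t => t is RsaEncryptionCookieTransform))
        {
            throw new InvalidOperationException("RsaEncryptionCookieTransform is missing from the session transforms.");
        }
    }
}
```

The guard runs at startup on every farm instance, so a deployment where one role instance issues DPAPI cookies that another instance cannot decrypt is caught before any user request reaches the SessionAuthenticationModule.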
