IdentityServer / IdentityServer2

[deprecated] Thinktecture IdentityServer is a light-weight security token service built with .NET 4.5, MVC 4, Web API and WCF.

Cryptography.CryptographicException: Key not valid for use in specified state. #837

Open markusfay opened 9 years ago

markusfay commented 9 years ago

Hi, I've been using Thinktecture Identity Server 2.x for quite a while and have been very happy with it so far. Recently we had to change from SAML 2.0 tokens to JWTs. It works all fine with our development environment, which uses a single application server. Our test environment is using two application servers sitting behind an NLB.

I've experienced issues with multiple application servers before and set the machine keys of both of the ASs to the same values, which helped as long as I was using SAML 2.0. I haven't touched the machine keys and they are still the same. However, with my new JWT configuration I get the following error:

System.Security.Cryptography.CryptographicException: Key not valid for use in specified state.

[CryptographicException: Key not valid for use in specified state. ]
   System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope) +318
   System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded) +52

[InvalidOperationException: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false. ]
   System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded) +167
   System.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +123
   System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver) +575
   System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver) +76
   System.IdentityModel.Services.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[] sessionCookie) +417
   System.IdentityModel.Services.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken) +176
   System.IdentityModel.Services.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +116
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +136
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +69

I have also tried setting the machine key in IIS as well as through the web.config file. http://docs.orchardproject.net/Documentation/Setting-up-a-machine-key

I have spent several hours researching this and I keep reading about the same potential solution, setting the machine key to the same value. Am I overlooking the obvious?

Thanks

robthejedi commented 9 years ago

Is the relying party application set up to use the MachineKeySessionSecurityTokenHandler? Setting the machine keys the same in a load-balanced environment will help, but without using the MachineKeySessionSecurityTokenHandler I think it will still use the plain old SessionSecurityTokenHandler, which relies on DPAPI for encryption and decryption of the FedAuth cookie.
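As an added illustration of the handler swap described in the reply above (this is example configuration written for this page, not code from the original thread or from the IdentityServer project), here is the relevant part of a relying party's web.config. The default SessionSecurityTokenHandler wraps the FedAuth cookie with DPAPI (ProtectedData), whose key is bound to the machine or user profile, so a cookie issued on one node fails on the other with exactly the "Key not valid for use in specified state" inner exception from the stack trace; MachineKeySessionSecurityTokenHandler protects the cookie with the ASP.NET machineKey instead, which can be shared across the farm. The section declarations are the standard WIF 4.5 ones; the key values are placeholders and must be replaced with keys of the stated length that are identical on every node.

```xml
<!-- Relying party web.config (added example). Only the elements relevant to the
     farm problem are shown; merge into the existing file. -->
<configuration>
  <configSections>
    <!-- WIF 4.5 config sections (needed unless already declared) -->
    <section name="system.identityModel"
             type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    <section name="system.identityModel.services"
             type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  </configSections>

  <system.web>
    <!-- Must be byte-for-byte identical on every node behind the NLB.
         HMACSHA256 validation key: 64 random bytes = 128 hex chars.
         AES decryption key: 32 random bytes = 64 hex chars.
         Generate with a CSPRNG (or IIS Manager > Machine Key); the values
         below are placeholders, not real keys. -->
    <machineKey validationKey="REPLACE_WITH_128_HEX_CHARS_IDENTICAL_ON_ALL_NODES"
                decryptionKey="REPLACE_WITH_64_HEX_CHARS_IDENTICAL_ON_ALL_NODES"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>

  <system.identityModel>
    <identityConfiguration>
      <securityTokenHandlers>
        <!-- Default handler: protects the FedAuth cookie with DPAPI, so a cookie
             written by node A cannot be read by node B even with equal machine keys. -->
        <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        <!-- Replacement: protects the cookie with the shared <machineKey> above. -->
        <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      </securityTokenHandlers>
    </identityConfiguration>
  </system.identityModel>
</configuration>
```

Two practical checks: the `type` string in the `<remove>` element has to match the assembly-qualified name registered in machine.config exactly, otherwise the default handler silently stays in place; and after deploying, sign in through the NLB, then force the next request to the other node (for example by stopping the first node's application pool) and confirm that no ID1073 appears and the user stays authenticated. The loadUserProfile hint in the ID1073 message only matters for DPAPI on a single machine; it does not make a DPAPI-protected cookie portable between nodes.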