Ben*_*ins 8 asp.net-mvc azure session-cookies wif
I have read on the MSDN forums, on Dominick Baier's blog and elsewhere that DPAPI does not work out of the box in Azure, and that one way to handle federated authentication in any kind of web farm scenario is to replace the DPAPI transforms with ones that use a private key available across the whole farm, for example RSA encryption with an X509 certificate. I took this approach in an Azure MVC application and configured the SessionSecurityTokenHandler as follows:
FederatedAuthentication.ServiceConfigurationCreated += (sender, args) =>
    {
        // Replace the default DPAPI-based (ProtectedDataCookieTransform) chain with
        // transforms keyed by the service certificate, which every farm node can hold.
        var sessionTransforms = new List<CookieTransform>(new CookieTransform[]
            {
                new DeflateCookieTransform(),
                new RsaEncryptionCookieTransform(args.ServiceConfiguration.ServiceCertificate),
                new RsaSignatureCookieTransform(args.ServiceConfiguration.ServiceCertificate)
            });
        var sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());
        args.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
    };
With this configuration we are able to receive a token from the identity provider and issue a secure cookie encrypted with those transforms. Running in the Azure emulator, everything works as expected. In the Azure environment, however, we intermittently see the following error in the browser:
Key not valid for use in specified state.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 
Exception Details: System.Security.Cryptography.CryptographicException: Key not valid for use in specified state.
Source Error: 
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace: 
[CryptographicException: Key not valid for use in specified state.]
   System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope) +577
   Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[] encoded) +80
[InvalidOperationException: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false. ]
   Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[] encoded) +433
   Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +189
   Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver) +862
   Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver) +109
   Microsoft.IdentityModel.Web.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[] sessionCookie) +356
   Microsoft.IdentityModel.Web.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken) +123
   Microsoft.IdentityModel.Web.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +61
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +270
This seems to indicate that the SessionSecurityTokenHandler is trying to decrypt the cookie with DPAPI, but why? Haven't I configured it to use RSA as shown above?
Kev*_*mey 14
Note that you can now use MachineKeySessionSecurityTokenHandler to sign and encrypt session tokens in a web farm.
To use it, you need to remove the default SessionSecurityTokenHandler and add MachineKeySessionSecurityTokenHandler in Web.config:
<system.identityModel>
  <identityConfiguration>
    <securityTokenHandlers>
      <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    </securityTokenHandlers>
  </identityConfiguration>
</system.identityModel>
MachineKeySessionSecurityTokenHandler uses the machine key configured in Web.config, so you need to add that as well:
<system.web>
  <machineKey validationKey="..." decryptionKey="..." validation="SHA1" decryption="AES" />
</system.web>
See this question on BrainThud.
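The answer above leaves the validationKey and decryptionKey values as "..."; in a farm they must be identical on every node, cryptographically random, and never the default AutoGenerate,IsolateApps, which is per-machine and reproduces exactly the cross-node failure in the question. The following is an added example, not code from the answer or from WIF, that generates such an element and checks candidate values before deployment. MachineKeyHelper is a hypothetical name; it assumes .NET Framework 4.5 (HMACSHA256 as the validation algorithm is accepted from .NET 4 on, and is used here instead of the answer's SHA1, which means HMACSHA1).

```csharp
// Added example (not from the answer above): generate farm-wide <machineKey> values for
// MachineKeySessionSecurityTokenHandler and sanity-check them before deployment.
// MachineKeyHelper is a hypothetical name; assumes .NET Framework 4.5 on every node.
using System;
using System.Linq;
using System.Security.Cryptography;

public static class MachineKeyHelper
{
    // Lower-case hex of `byteCount` cryptographically random bytes.
    public static string RandomHex(int byteCount)
    {
        var bytes = new byte[byteCount];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(bytes);
        }
        return BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant();
    }

    // The element to paste into <system.web> on EVERY node of the farm:
    // 64 random bytes for the HMAC validation key, 32 bytes (AES-256) for decryption.
    public static string BuildMachineKeyElement()
    {
        return string.Format(
            "<machineKey validationKey=\"{0}\" decryptionKey=\"{1}\" validation=\"HMACSHA256\" decryption=\"AES\" />",
            RandomHex(64), RandomHex(32));
    }

    // Deployment check for one key attribute: rejects the "..." placeholder, any
    // AutoGenerate value (per-machine, so it breaks a farm), odd-length or non-hex
    // strings, and keys shorter than minBytes (e.g. 32 for AES, 32 for HMACSHA256).
    public static bool IsUsableFarmKey(string value, int minBytes)
    {
        if (string.IsNullOrWhiteSpace(value)) return false;
        if (value.IndexOf("AutoGenerate", StringComparison.OrdinalIgnoreCase) >= 0) return false;
        if (value.Length % 2 != 0 || value.Length / 2 < minBytes) return false;
        return value.All(Uri.IsHexDigit);
    }
}
```

Treat the two values as secrets: they let anyone who has them forge a session cookie for any user, so keep them out of source control and rotate them by redeploying configuration rather than code. In a cloud service role the same Web.config reaches every instance, so identical keys come for free; the only thing that goes wrong is leaving the default AutoGenerate,IsolateApps in place.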
OK, after much searching I found my problem. Before I set up ServiceConfigurationCreated, I was doing some configuration that caused FederatedAuthentication.ServiceConfiguration to be accessed. According to MSDN, "the ServiceConfigurationCreated event is raised when the first HTTP module in the web application references the ServiceConfiguration". I moved the event handler setup to the top of Application_Start and everything works, which means the event, which fires only once, was firing before I set up my event handler.
Hopefully this saves someone else the 4+ hours it took me to track this down.
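The fix described in the answer above, as an added example that is not the poster's code: a Global.asax that subscribes before anything can touch FederatedAuthentication.ServiceConfiguration, plus a diagnostic that reports which cookie transforms are actually in effect, so a handler that silently never ran is caught at deployment time rather than as intermittent "Key not valid for use in specified state" errors on another instance. It uses the WIF 3.5 SDK namespaces (Microsoft.IdentityModel.*) that appear in the stack trace; in .NET 4.5 the same types live in System.IdentityModel and System.IdentityModel.Services. ConfigureRoutesAndFilters is a hypothetical placeholder for the application's other start-up work.

```csharp
// Added example (not the poster's code): subscribe to ServiceConfigurationCreated before
// anything reads FederatedAuthentication.ServiceConfiguration, and expose a check that the
// RSA transforms, not DPAPI, are the ones in effect. WIF 3.5 SDK namespaces as in the
// question's stack trace; ConfigureRoutesAndFilters is a hypothetical placeholder.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;

public class MvcApplication : HttpApplication
{
    protected void Application_Start()
    {
        // Subscribe FIRST. The event fires exactly once, on the first access to
        // FederatedAuthentication.ServiceConfiguration; a handler attached after that
        // never runs and the default ProtectedDataCookieTransform (DPAPI) stays in place.
        FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;

        // Everything else, including any helper that reads ServiceConfiguration
        // (directly or indirectly), comes after the subscription.
        ConfigureRoutesAndFilters();
    }

    private static void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
    {
        // Same chain as in the question: compress, then RSA-encrypt and RSA-sign with the
        // service certificate, whose private key is installed on every farm node.
        var cert = e.ServiceConfiguration.ServiceCertificate;
        var transforms = new List<CookieTransform>
        {
            new DeflateCookieTransform(),
            new RsaEncryptionCookieTransform(cert),
            new RsaSignatureCookieTransform(cert)
        };
        e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(
            new SessionSecurityTokenHandler(transforms.AsReadOnly()));
    }

    // Type names of the transforms the live SessionSecurityTokenHandler will apply.
    // NOTE: this reads ServiceConfiguration and therefore triggers the event, so call it
    // only after the subscription above (e.g. from a health-check action), never before.
    public static string[] EffectiveSessionCookieTransforms()
    {
        var handler = FederatedAuthentication.ServiceConfiguration.SecurityTokenHandlers
            .OfType<SessionSecurityTokenHandler>()
            .FirstOrDefault();
        return handler == null
            ? new string[0]
            : handler.Transforms.Select(t => t.GetType().Name).ToArray();
    }

    // True when the cookie is still protected with DPAPI, i.e. the handler above did not
    // take effect and the deployment will fail once a cookie reaches a different instance.
    public static bool SessionCookieUsesDpapi()
    {
        return EffectiveSessionCookieTransforms().Contains(typeof(ProtectedDataCookieTransform).Name);
    }

    private static void ConfigureRoutesAndFilters()
    {
        // Hypothetical placeholder for routes, filters, DI container, and any code that
        // touches FederatedAuthentication.ServiceConfiguration.
    }
}
```

Wire SessionCookieUsesDpapi() into a start-up or health-check assertion: with the subscription in the wrong place, EffectiveSessionCookieTransforms() returns the default DeflateCookieTransform and ProtectedDataCookieTransform pair, which works on a single machine and in the emulator and only breaks once a second instance has to read the cookie.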
Views: 8847