I am hosting my web application on windows server 2008 with IIS 7.5,
I have 2 web applications:
1. the first one is the core sso (Single Sign-on) service with a login page.
2. another web application is hosted on the same web server which use the first app for sso.
I am using the WIF RTM to implementation the sso,
usually, it is running good without any problem, the user can login throw the sso and redirect back the start page.
but when I login throw the sso first, then restart the IIS, if I come back to the second application and refresh the page, I got the following error:
Server Error in '/' Application.
Key not valid for use in specified state.
Description: An unhandled
exception occurred during the
execution of the current web request.
Please review the stack trace for more
information about the error and where
it originated in the code.
Exception Details:
System.Security.Cryptography.CryptographicException:
Key not valid for use in specified
state.
Source Error: An unhandled exception
was generated during the execution of
the current web request. Information
regarding the origin and location of
the exception can be identified using
the exception stack trace below.
Stack Trace:
[CryptographicException: Key not valid
for use in specified state. ]
System.Security.Cryptography.ProtectedData.Unprotect(Byte[]
encryptedData, Byte[] optionalEntropy,
DataProtectionScope scope) +425
Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[]
encoded) +59
[InvalidOperationException: ID1073: A
CryptographicException occurred when
attempting to decrypt the cookie using
the ProtectedData API (see inner
exception for details). If you are
using IIS 7.5, this could be due to
the loadUserProfile setting on the
Application Pool being set to false. ]
Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[]
encoded) +151
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[]
cookie, Boolean outbound) +109
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader
reader, SecurityTokenResolver
tokenResolver) +634
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[]
token, SecurityTokenResolver
tokenResolver) +105
Microsoft.IdentityModel.Web.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[]
sessionCookie) +239
Microsoft.IdentityModel.Web.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken&
sessionToken) +59
Microsoft.IdentityModel.Web.SessionAuthenticationModule.OnAuthenticateRequest(Object
sender, EventArgs eventArgs) +52
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
+68 System.Web.HttpApplication.ExecuteStep(IExecutionStep
step, Boolean& completedSynchronously)
+75
________________________________________ Version Information: Microsoft .NET
Framework Version:2.0.50727.4927;
ASP.NET Version:2.0.50727.4927
the user session are stored by using SQLServer session mode, I am using a special database for this.
I have tried a lot and I cannot re-procedure this problem on my local computer (Windows7).
did anyone have similar experience? can you tell me how to solve this problem?
I finally solve this problem by change the application pool user to a local user.
the problem is probably caused by the sso is hosted on a 64bit OS, this problem does not exist if I host the sso on a 32bit computer (even I use a domain user for the application pool).
Now I use ApplicationPoolIdentity or NetWork Service, the exception disappeared after I restart IIS.
Thanks all you guys and I am so glad to share my solution with you.
There seems to be some kind of security issue when you have several apps sharing the same domain on Win Server 2008 with IIS 7.5
If you have urls http://ourdomain.com/app1 and http://ourdomain.com/app2 you can sign in on one app with WIF but when you access the other app you get this error. This is because the Cookie is for the domain but if it´s created by app1 then app2 can't access it.
So the solution is to either do as Aaron and use a specific user that has access rights or as we did, separate the apps on two different domains ie http://app1domain.com/ and http://app2domain.com/.
This could well be because your application pool user has no persistent user profile. To rectify this you can just run something as that user:
runas /user:<domain>\<user> cmd
And this will create the profile. Subsequently the data should be decryptable after restarting IIS.
Related
I am able to authenticate a user when working locally, using the line
AuthenticationResult result = context.AcquireToken(resource,clientID, returnURI, PromptBehavior.Always);
Locally, I get the signin screen and the UserInfo.
When I publish the web app to Azure, the code above fails with this error
"Error HRESULT E_FAIL has been returned from a call to a COM component"
[COMException (0x80004005): Error HRESULT E_FAIL has been returned from a call to a COM component.]
Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.RunAsyncTask(Task`1 task) +89
What causes this? I am publishing to the shared site (eg xxx.azurewebsites.net) -- so I don't have access to the server machine to make any changes --- beyond using the portal.
The code works as expected locally.
Also the javascript version (ADAL.js) works using the same tenant, clientID and returnURI
The token acquisition flow you are performing is meant to be ran on a desktop application, not a web one. The dialog that comes out on your desktop is driven by your local process and the existence of a local windows session. It cannot work within one web application, given that there is no windows session and the process is running elsewhere on a server machine.
Please refer to our samples to understand how to acquire tokens from a web app, anything with "openid" or "oauth" from https://github.com/AzureADsamples will work.
I have a peculiar problem with an MVC5 web app. It uses a pretty standard implementation of OWIN an the Thinktecture ResourceAuthorizationManager.
It is configured to work with ADFS.
The problem that I am facing is that after the app has been deployed and has been running on the server (IIS in server 2012R2) for some time, when you try to login you get stuck in an authentication loop. I have added a trace and it shows that IsAuthenticated is false, even after successful postback from ADFS.
If I recycle the app pool it all starts working as expected for a short while.
I am in great need of some pointers of where to look.
Edit:
Found the solution elsewhere. Answer can be found here: Intermittent redirection loops during ADFS authentication
In your global.asax.cs add an empty Session_Start event.
protected void Session_Start()
{
//Needed for Thinktecture to write AspCoookie
//https://github.com/IdentityServer/Thinktecture.IdentityServer3/issues/1003
}
I'm getting this error message on only one of the two nodes in my web farm. The code is identical between the two nodes and as best I can tell, IIS is set up identically on both nodes.
The WCF service that they're calling is on a different machine and doesn't have permissions locked down to anything crazy.
Both nodes are using anonymous authentication and forms authentication. Both have the default user for their app pools both have the IUSR account for the anonymous user. What else can I check to get node 2 in line with node 1? As I said, the code is identical across both servers and everything I've looked at in IIS is the same too. I'm sure there is some other setting in IIS on node 2 that I'm not aware of so if you can think of any other places to look, I'd really appreciate it.
Again this is the exception being thrown (on node 2 only)
System.ServiceModel.FaultException: The request for security token
could not be satisified because authentication failed.
TIA
I changed the app pool identity and that seems to have fixed it. No idea why as they were both using the same identity before...
I'm writing a script in powershell to lockdown a cloud environment website application. I have installed SSL, created groups/users in AD, disabled users, disabled app pools and and created app pools to summarize the script. Win 2008 r2 / iis7. When testing the site, I am getting a "403 Forbidden: Access is denied" When I check the system logs, I see the following three messages:
Level: Error
Source: WAS
Event ID: 5059
Application pool RiskChecker has been disabled. Windows Process Activation Service (WAS) encountered a failure when it started a worker process to serve the application pool.
Level: Warning
Source: WAS
Event ID: 5057
Application pool RiskChecker has been disabled. Windows Process Activation Service (WAS) did not create a worker process to serve the application pool because the application pool identity is invalid.
Level: Warning
Source: WAS
Event ID: 5021
The identity of application pool XYZAppPool is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.
What do these messages mean, and can anyone point me in the direction of how to resolve this? Thank you.
as monojlds says it's a credential issue - the error means the credentials you have entered for the app pool are incorrect or not in the right group.
is it a local user or a domain user? maybe the box can't authenticate against the domain being used? could the account be locked out? (that last one used to get me a lot)
on the IIS server you can test the credentials using runas on the command prompt.
runas /user:<username> cmd
it'll ask for you password and either launch another cmd or provide an error message. That'll help troubleshoot the user credentials.
Matt
I would recommend you to read here: http://technet.microsoft.com/en-us/library/cc735179(WS.10).aspx
Emphasis on the line quoted below:
If you set the application pool identity to a custom account, you will
have to ensure that the user credentials are valid and that the user
is a member of the IIS_USRS group.
I have a ASP.NET application that need to access to ANOTHER application, the ANOTHER application expecting Kerberos authentication, it based on the user credential to response to the request. My ASP.NET app is running on a AD service account that is setup to allow delegate to the ANOTHER application (with proper SPN).
So the process is, user requests to the ASP.NET app, the ASP.NET app will impersonate the request to the ANOTHER application by delegation (with kerberos).
When I run the app in local machine (My ASP.NET resides), the request was successful, however, if the request is coming from remote client machine, it failed, from the ANOTHER application's log, it shows the Identity is not presented.
Any clue?
Have a look at the following which appears to be very similar to your situation:
https://serverfault.com/questions/270293/moving-my-website-to-different-server-changes-authentication-from-kerberos-to-ntl/270306#270306
There are some resources that that should help you troubleshoot.