I am trying out Windows Azure Web sites. I have an MVC 3 web role app already working and deployed on Azure which utilises ACS. Everything works perfectly including ACS. When I move the site to an Azure Web Site I get the following error when the user tries to authenticate:
The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.
I have done some reading and the suggested fix is to alter an IIS setting. Because it is on Azure Web Sites I have no ability to alter the IIS setting. Can anybody help me to solve this problem?
[CryptographicException: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.]
System.Security.Cryptography.ProtectedData.Protect(Byte userData, Byte optionalEntropy, DataProtectionScope scope) +511
Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Encode(Byte value) +54
[InvalidOperationException: ID1074: A CryptographicException occurred when attempting to encrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false. ]
Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Encode(Byte value) +146
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte cookie, Boolean outbound) +47
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(XmlWriter writer, SecurityToken token) +470
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(SessionSecurityToken sessionToken) +89
Microsoft.IdentityModel.Web.SessionAuthenticationModule.WriteSessionTokenToCookie(SessionSecurityToken sessionToken) +123
Microsoft.IdentityModel.Web.SessionAuthenticationModule.AuthenticateSessionSecurityToken(SessionSecurityToken sessionToken, Boolean writeCookie) +38
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SetPrincipalAndWriteSessionToken(SessionSecurityToken sessionToken, Boolean isSession) +85
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request) +585
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +268
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +148
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75
I believe this might be happening due to security isolation we are using for websites. Certain system level operations are blocked and this might be one of them. Which IIS setting were you thinking about switching to resolve this issue?
Apurva Joshi, This posting is provided "AS IS" with no warranties, and confers no rights.
Mate, this worked a treat. You sir have saved a frustrating day of "rest".
My site worked with ACS on cloudapps suspiciously easily, but using ACS with azure websites more than made up for the initial ease. I just couldn't get overwriting the FederatedAuthentication in global.asax to work.
Adding the Thinktecture reference sorted it a treat.
.NET 4.5 has a built-in MachineKeySessionSecurityTokenHandler that you can use instead of the default SessionSecurityTokenHandler, which will not work with Azure web sites due to restrictions on use of the DPAPI. To use the MachineKeySessionSecurityTokenHandler instead on an ASP.NET 4.5 based Azure website, add the following to your <system.identityModel> / <identityConfiguration> section in your web.config file:
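The handler swap described in the post above, as an added example that is not part of the original thread: a web.config fragment that removes the DPAPI-based session token handler and registers the machine-key-based one. The type names are the .NET 4.5 framework types; the surrounding section layout is assumed.

```xml
<!-- Added example: web.config fragment for an ASP.NET 4.5 site using WIF. -->
<system.identityModel>
  <identityConfiguration>
    <securityTokenHandlers>
      <!-- Default handler: protects the session cookie with DPAPI
           (ProtectedData), which needs a loaded user profile. -->
      <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <!-- Replacement: protects the cookie with the ASP.NET machine key,
           so no user profile is required. -->
      <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    </securityTokenHandlers>
  </identityConfiguration>
</system.identityModel>
```

This applies to the System.IdentityModel stack in .NET 4.5; the stack trace in the question comes from the older Microsoft.IdentityModel assemblies, which do not include this handler.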