ADFS 2.0 SSO The data protection operation was unsuccessful

    Question

  • Hi all,

    I am using Identity Training Kit for VS 2010 sample Labs\WebSitesAndIdentity\Source\Ex3-FederatingADFSv2

    and I have error:


    Server Error in '/ClaimsEnableWebSite' Application.

    The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.

    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.Security.Cryptography.CryptographicException: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

    Stack Trace:

    [CryptographicException: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.]
    System.Security.Cryptography.ProtectedData.Protect(Byte[] userData, Byte[] optionalEntropy, DataProtectionScope scope) +456
    Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Encode(Byte[] value) +54

    [InvalidOperationException: ID1074: возникло исключение CryptographicException при попытке зашифровать файл Cookie с использованием API ProtectedData (дополнительные сведения см. в тексте внутреннего исключения). При использовании IIS 7.5 это исключение может быть вызвано заданием для параметра пула приложений loadUserProfile значения FALSE. ]
    Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Encode(Byte[] value) +145
    Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +47
    Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(XmlWriter writer, SecurityToken token) +533
    Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(SessionSecurityToken sessionToken) +89
    Microsoft.IdentityModel.Web.SessionAuthenticationModule.WriteSessionTokenToCookie(SessionSecurityToken sessionToken) +123
    Microsoft.IdentityModel.Web.SessionAuthenticationModule.AuthenticateSessionSecurityToken(SessionSecurityToken sessionToken, Boolean writeCookie) +38
    Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SetPrincipalAndWriteSessionToken(SessionSecurityToken sessionToken, Boolean isSession) +85
    Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request) +583
    Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +268
    System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +148
    System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75


    Version Information:  Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1


    Please help.

    Any assistance would be greatly appreciated.

    Monday, July 26, 2010 10:56 AM

All replies

  • As the error message says - you need to load the profile in IIS - you can set this in the setting for the AppPool in IIS manager.
    Dominick Baier | thinktecture | http://www.leastprivilege.com
    Monday, July 26, 2010 9:15 PM
    • Open your IIS Manager
    • Find out what AppPool your application is using by selecting your App, right-click on it, and Select Manage Application -> Advanced Settings.
    • After that, on the top left hand side, select Applications Pools, and go ahead and select the App Pool used by your app.
    • Right-click on it, and select Advanced Settings, Go to the Process Model Section and Find the "Load User Profile" Option and set it to true.
    Tuesday, July 27, 2010 10:04 PM
  • Thanks guys! This is the right advice!
    Wednesday, July 28, 2010 9:48 AM
  • Does this work for IIS 6 as well? According to our hosting company this setting is not possible. Anyone know a work around?

    Thanks,

    Kristoffer

    Monday, September 27, 2010 8:33 PM
  • Is your site running under a specific user, i.e. not network service, if so I think your error might be the same as the one i was getting see http://social.msdn.microsoft.com/Forums/en-US/Geneva/thread/44901cb9-c995-4870-88d7-b29893f00828

    If you cant use a certificate, in the same example there is some code to use the machine key for encrypting the cookie instead.

    Hope this helps

    Tuesday, September 28, 2010 12:54 PM
  • Thanks! It worked, had some problems with the mystic error "Failed to Execute URL.". But solved it by adding for static file types that should be supported:

       <httpHandlers>
          <add verb="*" path="*.gif" type="System.Web.StaticFileHandler" />
          <add verb="*" path="*.png" type="System.Web.StaticFileHandler" />
          <add verb="*" path="*.css" type="System.Web.StaticFileHandler" />
          <add verb="*" path="*.js" type="System.Web.StaticFileHandler" />
       </httpHandlers>

    Tuesday, September 28, 2010 9:45 PM
  • Funnily enough I had the "Failed to execute error" and it was down to having

        <authorization>
          <deny users="?" />
        </authorization>

    missing from my config file. I guess there is some logic there because if we are using the WIF stuff and sending all files through it then it will be expecting an authentication token unless we have specified the location to allow access to all.


    Wednesday, September 29, 2010 1:47 PM
  • Hi Reholm, I have the same problem as yours. Could you please tell me what steps you have taken to resolve this issue?  
    Wednesday, September 14, 2011 9:22 PM
  • Did this fix your first issue "data protection operation unsuccessful?" I assume that you followed a different step to resolve that. Could you please explain. I am relatively new. 
    Wednesday, September 14, 2011 9:24 PM
  • I am having the same problem. My web hosting company is running IIS on 2003 and I have no way to set anything in the IIS. I would appreciate it if someone could help me to resolve the issue.

    The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.

    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.Security.Cryptography.CryptographicException: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.

    Wednesday, September 14, 2011 9:25 PM
  • Hi

    Have you tried looking at

    http://social.msdn.microsoft.com/Forums/en-US/Geneva/thread/44901cb9-c995-4870-88d7-b29893f00828 your error and the one in this thread are essentially the same.

    If you cannot change IIS I very much doubt you will have access to certificates either, but in the WIF SDK example there is some code to use the machine key for encrypting the cookie instead. So instead of using RSaEncryptedSessionSecurityTokenHandler.cs there was something like MachineKeyEncryptedSessionSecurityTokenHandler.cs. Sorry I don't currently have access to the examples so I might have the file name wrong.

    Hope this helps

    Friday, September 16, 2011 4:09 PM
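The certificate-based session token handler that the two replies above refer to, written out as an added example (this is not code from the thread or from the WIF SDK sample): it swaps WIF 3.5's DPAPI-backed ProtectedDataCookieTransform for RSA encryption and signing with the relying party's service certificate, so the session cookie no longer depends on the app pool's user profile being loaded. It assumes a certificate is configured under `<microsoft.identityModel><service><serviceCertificate>` in web.config and that the app pool identity has read access to its private key; the class and event names are the ones WIF 3.5 exposes in Microsoft.IdentityModel.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;
using Microsoft.IdentityModel.Web.Configuration;

// Global.asax.cs of the relying party (e.g. ClaimsEnableWebSite).
public class Global : System.Web.HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        // WIF builds its ServiceConfiguration lazily on the first request;
        // this event is the supported place to replace token handlers.
        FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
    }

    private static void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
    {
        ServiceConfiguration config = e.ServiceConfiguration;

        // Fail at startup with a clear message rather than with the generic
        // CryptographicException on the first federated sign-in.
        if (config.ServiceCertificate == null)
            throw new InvalidOperationException("No <serviceCertificate> is configured for the relying party.");
        if (!config.ServiceCertificate.HasPrivateKey)
            throw new InvalidOperationException("The service certificate has no accessible private key; the app pool identity needs read access to it.");

        // Default WIF chain is Deflate + ProtectedData (DPAPI, CurrentUser scope).
        // Replace the DPAPI step with RSA encryption and an RSA signature so the
        // cookie is confidential and tamper-evident without a loaded user profile,
        // and so every server holding the same certificate can read it.
        List<CookieTransform> transforms = new List<CookieTransform>
        {
            new DeflateCookieTransform(),
            new RsaEncryptionCookieTransform(config.ServiceCertificate),
            new RsaSignatureCookieTransform(config.ServiceCertificate)
        };

        SessionSecurityTokenHandler handler = new SessionSecurityTokenHandler(transforms.AsReadOnly());
        config.SecurityTokenHandlers.AddOrReplace(handler);
    }
}
```

As the reply notes, this only helps when the hosting environment lets the application read a certificate's private key; on shared IIS 6 hosting where neither the app pool nor the certificate store can be changed, the machine-key variant the poster recalls from the SDK would be the remaining option.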
  • Thanks Claudio Sanchez, your steps worked.


    • Open your IIS Manager
    • Find out what AppPool your application is using by selecting your App, right-click on it, and Select Manage Application -> Advanced Settings.
    • After that, on the top left hand side, select Applications Pools, and go ahead and select the App Pool used by your app.
    • Right-click on it, and select Advanced Settings, Go to the Process Model Section and Find the "Load User Profile" Option and set it to true.
    Monday, January 23, 2012 6:24 PM
  • Yes, it's working to change Load User Profile to true. Thank you Claudio.
    Thursday, November 07, 2013 6:44 AM