
ID1014: The signature is not valid. The data may have been tampered with

    Question

  • I have been following the steps described in "Federated Authentication in a Windows Azure Web Role Application" of the Identity Training Kit. There is one step which discusses adding <serviceCertificate> to the web.config file. I generated a new certificate, added it as a certificate to my web role, and then used the same thumbprint in my web.config file.

    <serviceCertificate>
      <certificateReference x509FindType="FindByThumbprint" storeLocation="LocalMachine" storeName="My" findValue="83341E2E02150DF9905EF25E78A527717FAF2C6A"/>
    </serviceCertificate>
    

    but when I run my project I get the following exception:

    ID1014: The signature is not valid. The data may have been tampered with. 
    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 
    
    Exception Details: System.Security.Cryptography.CryptographicException: ID1014: The signature is not valid. The data may have been tampered with.
    
    Source Error: 
    
    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.  
    
    Stack Trace: 
    
    
    [CryptographicException: ID1014: The signature is not valid. The data may have been tampered with.]
       Microsoft.IdentityModel.Web.RsaSignatureCookieTransform.Decode(Byte[] encoded) +1279
       Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +189
       Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver) +894
       Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver) +118
       Microsoft.IdentityModel.Web.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[] sessionCookie) +363
       Microsoft.IdentityModel.Web.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken) +124
       Microsoft.IdentityModel.Web.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +61
       System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
       System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +270

    Any idea how to solve this issue?

    Monday, February 6, 2012 3:31 AM

Answer

  • <serviceCertificate>
      <certificateReference x509FindType="FindByThumbprint" storeLocation="LocalMachine" storeName="My" findValue="83341E2E02150DF9905EF25E78A527717FAF2C6A"/>
    </serviceCertificate>


    The thumbprint in the above configuration would be of the token signing certificate of our ACS. Basically, we need to upload this certificate to the ACS portal and use it for token signing there, and in our web.config with the same thumbprint, and it will work.

    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <trustedIssuers>
        <add thumbprint="82581E2E02150DF9905EF25E78A527717FAF2C6A" name="https://xxxxxxxxx.accesscontrol.windows.net/" />
      </trustedIssuers>
    </issuerNameRegistry>


    If this post answers your question, please mark it as an answer. If this post is helpful to you, then vote it as helpful.
    TechyFreak | Mobile Development Resources

    • Marked as answer by Dood Singh Monday, February 27, 2012 7:10 AM
    Friday, February 24, 2012 5:11 AM

All replies

  • Since you're following Identity Training Kit, you can ask the question on the WIF forum: http://social.msdn.microsoft.com/Forums/en-US/Geneva/threads.
    Monday, February 6, 2012 10:43 AM
  • Well, I am following the training kit for an Azure-specific scenario. My issue is that with a single instance WIF works fine, but with multiple instances I am facing the above issue.

    The initial issue that i was facing was as below:

    [CryptographicException: Key not valid for use in specified state.]
       System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope) +425
       Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[] encoded) +59
    
    [InvalidOperationException: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false. ]
       Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[] encoded) +151
       Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +109
       Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver) +634
       Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver) +105
       Microsoft.IdentityModel.Web.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[] sessionCookie) +239
       Microsoft.IdentityModel.Web.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken) +59
       Microsoft.IdentityModel.Web.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +52
       System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +68
       System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75

    So I added the fix for this from the training kit exercise for Federation in Windows Azure, but now I get this error:

    [CryptographicException: ID1014: The signature is not valid. The data may have been tampered with.]
       Microsoft.IdentityModel.Web.RsaSignatureCookieTransform.Decode(Byte[] encoded) +1279
       Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +189
       Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver) +894
       Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver) +118
       Microsoft.IdentityModel.Web.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[] sessionCookie) +363
       Microsoft.IdentityModel.Web.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken) +124
       Microsoft.IdentityModel.Web.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +61
       System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
       System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +270
    

    Wednesday, February 8, 2012 5:42 PM
  • Well, if it can help others to answer my question, I am getting this error whenever HttpContext.Current.User is null. The issue is that in one of my instances I have a value for HttpContext.Current.User or for Thread.CurrentPrincipal, but for another instance these values are null. So for any subsequent requests to my 2nd instance, I get the exception as above.
    Wednesday, February 8, 2012 9:29 PM
  • How are you handling the cookie crypto? Are you using the default implementation or are you using an RSA cookie transform? E.g.: http://social.technet.microsoft.com/wiki/contents/articles/1898.aspx#Q1


    Developer Security MVP | www.syfuhs.net

    Wednesday, February 8, 2012 11:04 PM
  • I am using the RSA cookie transform. If I try to read the certificate from the configuration file as mentioned in the link you posted (e.ServiceConfiguration.ServiceCertificate), I am not even able to get to the ACS login page, and I get the error:

    [CryptographicException: ID1014: The signature is not valid. The data may have been tampered with.]
       Microsoft.IdentityModel.Web.RsaSignatureCookieTransform.Decode(Byte[] encoded) +1279
       Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +189
       Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver) +894
       Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver) +118
       Microsoft.IdentityModel.Web.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[] sessionCookie) +363
       Microsoft.IdentityModel.Web.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken) +124
       Microsoft.IdentityModel.Web.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +61
       System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
       System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +270

    Therefore, I uploaded the certificate to blob storage and then I am reading the bytes of that certificate as below, but again I get the error as above, but only for 1 instance and not both of the Azure instances. 1 instance works fine. I have added logs and was able to find that whenever this error occurs, the value of HttpContext.Current.User was null for that instance.

    // Requires: Microsoft.WindowsAzure, Microsoft.WindowsAzure.StorageClient,
    // Microsoft.WindowsAzure.ServiceRuntime, Microsoft.IdentityModel.Tokens,
    // Microsoft.IdentityModel.Web, System.Collections.Generic and
    // System.Security.Cryptography.X509Certificates.
    void FederatedAuthentication_ServiceConfigurationCreated(object sender, Microsoft.IdentityModel.Web.Configuration.ServiceConfigurationCreatedEventArgs e)
    {
        // Fetch the PFX from blob storage so every instance loads the same certificate
        CloudStorageAccount account = CloudStorageAccount.Parse(
            RoleEnvironment.GetConfigurationSettingValue("Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString"));
        CloudBlobClient blobClient = account.CreateCloudBlobClient();
        CloudBlobContainer container = blobClient.GetContainerReference("certificate");
        var blob = container.GetBlobReference("cert.pfx");
        byte[] cert = blob.DownloadByteArray();

        // Load the certificate (with its private key) from the PFX bytes; "password" is the PFX password
        X509Certificate2 certificate = new X509Certificate2(cert, "password");

        // Replace the default DPAPI cookie protection with deflate + RSA encryption + RSA signature,
        // all keyed by the shared certificate
        List<CookieTransform> sessionTransforms = new List<CookieTransform>(new CookieTransform[] {
            new DeflateCookieTransform(),
            new RsaEncryptionCookieTransform(certificate),
            new RsaSignatureCookieTransform(certificate) });
        SessionSecurityTokenHandler sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());
        e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
    }

    Let me explain you the flow when this error occurs:

    1. I open my application in the browser, Instance_0 is hit and redirected to ACS, and I get the token back. Both Thread.CurrentPrincipal and HttpContext.Current.User have valid values, with Thread.CurrentPrincipal.Identity.IsAuthenticated as True.

    2. Then I click on any other link of my application or refresh the page, and the request goes to Instance_1. Here, HttpContext.Current.User is null and Thread.CurrentPrincipal.Identity.IsAuthenticated is False. I suspect this is when it tries to decode a null value and fails.

    Please note that I am using SQL Azure for session state management.

    Wednesday, February 8, 2012 11:58 PM
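To make the two-instance flow above concrete, here is an added model of the session-cookie transform chain (constructed for this page; it is not WIF, Azure or the poster's code). WIF's DeflateCookieTransform step is stood in for by zlib, the RsaSignatureCookieTransform step by an HMAC-SHA256 over the deflated token (signing and verifying need the same key, just as RSA verification needs the public key matching the signing private key), and the default ProtectedData (DPAPI) transform by a key that only the issuing machine holds. Instance names, keys and the token body are constructed; both instances receive the same cookie string, so the failure on the second instance comes from the key it holds, not from the cookie changing in transit.

```python
"""Model of one WIF-style session cookie read by two web-farm instances.

Constructed illustration, not WIF or Azure code: zlib stands in for the
deflate transform, HMAC-SHA256 for the RSA signature transform, and a
per-machine random key for the DPAPI default that a second instance
never shares.
"""
import base64
import hashlib
import hmac
import os
import zlib

TAG_LEN = 32  # bytes of HMAC-SHA256 output prepended to the cookie payload


class CookieTransformError(Exception):
    """Inbound cookie failed a transform; WIF reports this as ID1014/ID1073."""


class Instance:
    """One web role instance and the key its cookie transforms use."""

    def __init__(self, name, key=None):
        self.name = name
        # key=None models the DPAPI default: a secret generated on this
        # machine only, which the other instance does not have.
        self.key = key if key is not None else os.urandom(32)

    def encode(self, session_token):
        """Outbound: deflate the token, then sign the compressed bytes."""
        compressed = zlib.compress(session_token)
        tag = hmac.new(self.key, compressed, hashlib.sha256).digest()
        return base64.b64encode(tag + compressed).decode("ascii")

    def decode(self, cookie):
        """Inbound: verify the signature first, then inflate."""
        raw = base64.b64decode(cookie)
        tag, compressed = raw[:TAG_LEN], raw[TAG_LEN:]
        expected = hmac.new(self.key, compressed, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            # Same outcome whether the cookie was altered or the key differs
            raise CookieTransformError(
                "ID1014: The signature is not valid. The data may have been tampered with.")
        return zlib.decompress(compressed)


def simulate(shared_certificate):
    """Instance_0 issues the cookie after the ACS redirect; the next request
    may land on Instance_1. Returns, per instance, whether it accepted the cookie."""
    key = os.urandom(32) if shared_certificate else None
    instances = [Instance("Instance_0", key), Instance("Instance_1", key)]
    # Constructed token body; a real one is the serialized SessionSecurityToken
    token = b'{"name":"dood","issuer":"https://xxxxxxxxx.accesscontrol.windows.net/"}'
    cookie = instances[0].encode(token)
    outcome = {}
    for inst in instances:
        try:
            outcome[inst.name] = inst.decode(cookie) == token
        except CookieTransformError:
            outcome[inst.name] = False
    return outcome


def tampered_cookie_rejected():
    """Even with a shared key, flipping one payload byte fails verification."""
    inst = Instance("Instance_0", os.urandom(32))
    cookie = inst.encode(b"session")
    raw = bytearray(base64.b64decode(cookie))
    raw[-1] ^= 0x01
    try:
        inst.decode(base64.b64encode(bytes(raw)).decode("ascii"))
    except CookieTransformError:
        return True
    return False


if __name__ == "__main__":
    print("per-machine key:", simulate(False))   # Instance_1 rejects the cookie
    print("shared certificate:", simulate(True))  # both instances accept it
    print("tampered cookie rejected:", tampered_cookie_rejected())
```

The shared-key run corresponds to the RsaEncryption/RsaSignature transforms being built from one certificate that every instance can load (as the poster's ServiceConfigurationCreated handler attempts); the per-machine run is what the stock DPAPI transform gives on a multi-instance role, where the first instance's cookie reaches a second instance that cannot verify it.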
  • Can you see if the cookie is intact when it switches between instance_0 and Instance_1? You could use Fiddler or the IE F12 Developer tools to view the cookie.

    Developer Security MVP | www.syfuhs.net

    Thursday, February 9, 2012 12:23 AM
  • The values of the following cookies for both the instances are exactly the same.

    Thursday, February 9, 2012 10:04 AM
  • I don't think it's related, but what happens if you hardcode the certificate and remove the blob storage?

    Developer Security MVP | www.syfuhs.net

    Thursday, February 9, 2012 7:53 PM
  • Dood

    I am experiencing the error for my Azure deployment. It gives the error in IE. Works like a charm in Firefox, Safari or Chrome.

    Adding the ServiceCertificate and trusted issuers in the web.config did not solve the problem for me. 

    Wondering if there was anything else you did to solve the issue.

    Tuesday, May 14, 2013 7:08 PM