Azure Web Sites and ACS RRS feed

  • Question

  • Hi all,

    I am trying out Windows Azure Web sites.  I have a MVC 3 web role app already working and deployed on Azure which utilises ACS.  Everything works perfectly including ACS.  When I move the site to a Azure Web Site I get the following error when the  user tries to authenticate :

    The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.

    I have done some reading and the suggested fix is to alter an IIS setting.  Because it is on Azure Web Sites I have no ability to alter the IIS setting.  Can anybody help me to solve this problem?


    Friday, June 22, 2012 3:34 AM


All replies

  • Is this a shared or reserved instance?

    Do you have a callstack that go with this error?

    Issue most likely has to do with the user profile that needs to be changed.

    Thank you 

    Friday, June 22, 2012 4:44 PM
  • I am not sure what you mean by "shared or reserved instance". I set up the website using

    the new website/ quick create menu in the preview azure site at

    Here is the stack trace.

    [CryptographicException: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.] System.Security.Cryptography.ProtectedData.Protect(Byte[] userData, Byte[] optionalEntropy, DataProtectionScope scope) +511 Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Encode(Byte[] value) +54 [InvalidOperationException: ID1074: A CryptographicException occurred when attempting to encrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false. ] Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Encode(Byte[] value) +146 Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +47 Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(XmlWriter writer, SecurityToken token) +470 Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(SessionSecurityToken sessionToken) +89 Microsoft.IdentityModel.Web.SessionAuthenticationModule.WriteSessionTokenToCookie(SessionSecurityToken sessionToken) +123 Microsoft.IdentityModel.Web.SessionAuthenticationModule.AuthenticateSessionSecurityToken(SessionSecurityToken sessionToken, Boolean writeCookie) +38 Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SetPrincipalAndWriteSessionToken(SessionSecurityToken sessionToken, Boolean isSession) +85 Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request) +585 Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +268 System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +148 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75

    Saturday, June 23, 2012 12:18 AM
  • I believe this might be happening due to security isolation we are using for websites. Certain system level operations are blocked and this might be one of them. Which IIS setting were you thinking about swithcing to resolve this issue?



    Apurva Joshi, This posting is provided "AS IS" with no warranties, and confers no rights.

    Saturday, June 23, 2012 2:03 AM
  • Hi there, thanks for your reply.

    Some articles I have found suggest that altering the app pool setting on the IIS server called "Load User Profile" to true will solve this.


    Saturday, June 23, 2012 4:08 AM
  • The standard cookie protection of WIF uses per-user DPAPI. This requires to load the user profile for the worker process account. That's a setting of the AppPool.

    If you can't do that, than no WIF/ACS/ADFS integration will work out of the box.

    Starting with .NET 4.5 you can use the machine key to provide the key material instead.

    Dominick Baier | thinktecture |

    Saturday, June 23, 2012 10:07 AM
  • I am having this same issue trying to use ACS 2.0 on the new Azure Web Site .

    Dominick - can you elaborate on your suggestion ?

    thanks a lot in advance,


    Wednesday, July 11, 2012 5:40 AM
  • WIF needs the IIS user profile to be loaded to apply DPAPI protection to session cookies. If this is not configured at the app pool level, it will fail.

    One alternative is to use the machine key for protection - .NET 4.5 has this built-in and I quickly back ported it to 4.0:

    You need to remove the standard session token handler in WIF config - and then add the new one.

    Dominick Baier | thinktecture |

    Wednesday, July 11, 2012 7:18 AM
  • Hey Dominick,

    sorry for slow reply , snowed under.  Thanks a lot for this , will take a look @ weekend



    Friday, July 13, 2012 5:53 AM
  • Mate, this worked a treat.  You sir have saved a frustrating day of "rest".

    My site work with ACS on cloudapps suspiciously easily, but using ACS with azure websites more than made up for the initial ease.  I just couldn't get overwriting the FedertedAuthentication in globax.asax to work.

    Adding the Thinktecture reference sorted it a treat.

    Cheers Dominick.

    • Edited by Loki4-2 Sunday, July 15, 2012 3:04 PM
    Sunday, July 15, 2012 3:03 PM
  • Hi Dominick

    Can I use the machine key security token handler as in your blogg

    even if I'm using saml2SecurityTokenHandler? If yes, how can I configure both securityTokenHandler.

    Thursday, July 19, 2012 7:50 AM
  • Token handlers are a collection. Simply use the config snippet from my blog to de-register the built-in one, and register the new one.

    Dominick Baier | thinktecture | | @leastprivilege

    Thursday, July 19, 2012 7:52 AM
  •  mean I have to use Saml2SecurityTokenHandler. How can I use MachineKeySessionSecurityTokenHandler with Saml2SecurityTokenHandler.Can I configure as below:


    <remove type="Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler, Microsoft.IdentityModel, . />
    <add type="Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler, Microsoft.IdentityModel, -..../>      

    <remove type=Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel,..../>

      <add type=Thinktecture.IdentityModel.Web.MachineKeySessionSecurityTokenHandler../>


    Thursday, July 19, 2012 8:16 AM
  • .NET 4.5 has a built-in MachineKeySessionSecurityTokenHandler that you can use instead of the default SessionSecurityTokenHandler, which will not work with Azure web sites due to restrictions on use of the DPAPI. To use the MachineKeySessionSecurityTokenHandler instead on an ASP.NET 4.5 based Azure website, add the following to your <system.identityModel> / <identityConfiguration> section in your web.config file:

            <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler,System.IdentityModel, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler,System.IdentityModel.Services, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089" />

    You'll be good to go when you next deploy.

    Marshall Rosenstein

    • Edited by MarshallR Friday, February 22, 2013 11:16 PM
    • Proposed as answer by MarshallR Friday, February 22, 2013 11:17 PM
    Friday, February 22, 2013 11:15 PM
  • With .NET 4.5 it is just a checkbox in the Identity and Access tool. Vittorio explains it here:


    Friday, July 26, 2013 1:16 PM