【发布时间】:2013-04-30 15:32:26
【问题描述】:
我目前正在使用 Forms Auth 跨子域进行身份验证。所以我有以下服务器:
site1.domain.com
site2.domain.com
并且他们能够共享表单身份验证 cookie。这是如何实现的链接: http://msdn.microsoft.com/en-us/library/eb0zx8fc(v=VS.100).aspx
但现在我正在向我的应用程序添加声明,似乎当我调用此行时:
var sessionToken = new SessionSecurityToken(principal);
FederatedAuthentication.SessionAuthenticationModule.CookieHandler.Domain = "domain.com";
FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(sessionToken);
有一个“FedAuth=”cookie,其中包含序列化和加密的声明。
但现在我无法在我的一个子域 (site1) 中设置 FedAuth cookie 并让另一个子域读取它 (site2)。我收到此错误:
Key not valid for use in specified state.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Security.Cryptography.CryptographicException: Key not valid for use in specified state.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[CryptographicException: Key not valid for use in specified state.]
System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope) +397
System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded) +90
[InvalidOperationException: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false.]
System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded) +1158198
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +173
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver) +756
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver) +100
System.IdentityModel.Services.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[sessionCookie) +668
System.IdentityModel.Services.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken) +164
System.IdentityModel.Services.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +173
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +165
以前,使用 Forms Auth,这不是问题,它只是工作。
我需要做什么才能在所有使用相同域的子域之间共享这些 FedAuth cookie?
是的,两个站点的 web.config 文件具有相同的 machineKey。并且每个站点的应用程序池上的 loadProfile 设置设置为 false。
我希望能够在不涉及 STS 的情况下执行此操作。 STS 引入了开销和复杂性,我看不出有任何理由说明您不应该能够使用对 FedAuth cookie 子域友好的声明。
谢谢, 迈克
【问题讨论】:
标签: forms-authentication wif claims-based-identity ws-federation