8

我在 MSDN 论坛、Dominic Baier 的博客和其他来源中读到 DPAPI 在 Azure 中无法开箱即用,并且在任何类型的网络场场景中处理联合身份验证的一种方法是替换 DPAPI 转换一个使用整个场中可用的私钥,例如使用 X509 证书的 RSA 加密。我在我的 Azure MVC 应用程序中采用了这种方法并配置SessionSecurityTokenHandler如下:

FederatedAuthentication.ServiceConfigurationCreated += (sender, args) =>
    {
        var sessionTransforms = new List<CookieTransform>(new CookieTransform[]
            {
                new DeflateCookieTransform(),
                new RsaEncryptionCookieTransform(args.ServiceConfiguration.ServiceCertificate),
                new RsaSignatureCookieTransform(args.ServiceConfiguration.ServiceCertificate)
            });
        var sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());
        args.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);                    
    };

使用此配置,我们能够从身份提供者接收令牌并发布使用这些转换加密的安全 cookie。在 Azure 模拟器中运行,一切正常。但是,在 Azure 环境中,我们在浏览器中间歇性地看到以下错误:

Key not valid for use in specified state.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 

Exception Details: System.Security.Cryptography.CryptographicException: Key not valid for use in specified state.


Source Error: 

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace: 


[CryptographicException: Key not valid for use in specified state.
]
   System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope) +577
   Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[] encoded) +80

[InvalidOperationException: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false. ]
   Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[] encoded) +433
   Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +189
   Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver) +862
   Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver) +109
   Microsoft.IdentityModel.Web.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[] sessionCookie) +356
   Microsoft.IdentityModel.Web.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken) +123
   Microsoft.IdentityModel.Web.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +61
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +270

这似乎表明SessionSecurityTokenHandler正在尝试使用 DPAPI 解密 cookie,但为什么呢?我不是将它配置为使用上面的 RSA 吗?

4

2 回答 2

15

请注意,您现在可以使用MachineKeySessionSecurityTokenHandler跨网络场签署和加密会话令牌。

要使用它,您需要删除默认值SessionSecurityTokenHandler并添加MachineKeySessionSecurityTokenHandlerin Web.config

<system.identityModel>
  <identityConfiguration>
    <securityTokenHandlers>
      <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    </securityTokenHandlers>
  </identityConfiguration>
</system.identityModel>

使用MachineKeySessionSecurityTokenHandler配置的机器密钥,Web.config因此您也需要添加:

<system.web>
  <machineKey validationKey="..." decryptionKey="..." validation="SHA1" decryption="AES" />
</system.web>

在BrainThud上看到这个问题

于 2013-05-20T15:52:32.683 回答
5

好吧,经过大量搜索,我已经弄清楚我的问题是什么。ServiceConfigurationCreated在我设置FederatedAuthentication.ServiceConfiguration. 根据 MSDN,“当 Web 应用程序中的第一个 HTTP 模块引用 ServiceConfiguration 时,会引发 ServiceConfigurationCreated 事件”。我将事件处理程序设置移到顶部,Application_Start一切正常,这意味着该事件(仅触发一次)在我设置事件处理程序之前触发。

希望这可以节省我将其运行到地面所花费的 4 个多小时。

于 2012-10-16T00:21:21.003 回答