我目前正在使用 Forms Auth 跨子域进行身份验证。所以我有以下服务器:
site1.domain.com
site2.domain.com
并且他们能够共享 Forms Auth cookie。这是如何实现的链接:http: //msdn.microsoft.com/en-us/library/eb0zx8fc (v=VS.100).aspx
但是现在我正在向我的应用程序添加声明,似乎当我调用此行时:
var sessionToken = new SessionSecurityToken(principal);
FederatedAuthentication.SessionAuthenticationModule.CookieHandler.Domain = "domain.com";
FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(sessionToken);
有一个“FedAuth=”cookie,其中包含序列化和加密的声明。
但是现在我无法在我的一个子域(site1)中设置 FedAuth cookie 并让另一个子域读取它(site2)。我收到此错误:
Key not valid for use in specified state.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Security.Cryptography.CryptographicException: Key not valid for use in specified state.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[CryptographicException: Key not valid for use in specified state.]
System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope) +397
System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded) +90
[InvalidOperationException: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false.]
System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded) +1158198
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +173
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver) +756
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver) +100
System.IdentityModel.Services.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[sessionCookie) +668
System.IdentityModel.Services.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken) +164
System.IdentityModel.Services.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +173
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +165
以前,使用 Forms Auth,这不是问题,它只是工作。
为了在所有使用相同域的子域之间共享这些 FedAuth cookie,我需要做什么?
是的,两个站点的 web.config 文件具有相同的 machineKey。并且每个站点的应用程序池上的 loadProfile 设置设置为 false。
我希望能够在不涉及 STS 的情况下做到这一点。STS 引入了开销和复杂性,我看不出有任何理由说明您不应该能够将包装到 FedAuth cookie 子域中的声明变得友好。
谢谢,迈克