WIF-ID1014: The signature is not valid. The data may have been tampered with.

I use WIF to authenticate our new website, STS is based on a starter implementation.

For this to work correctly in a load balancing environment, I used the following in global.asax to override the default certificate behavior.

```csharp
// Global.asax.cs (WIF 3.5, Microsoft.IdentityModel namespaces)
using System.Collections.Generic;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;
using Microsoft.IdentityModel.Web.Configuration;

// Subscribed in Application_Start with:
// FederatedAuthentication.ServiceConfigurationCreated += onServiceConfigurationCreated;
void onServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
{
    // Replace the default DPAPI (machine-bound) cookie protection with RSA keyed on the
    // service certificate, so every node behind the load balancer can read the cookie.
    List<CookieTransform> sessionTransforms = new List<CookieTransform>(new CookieTransform[]
    {
        new DeflateCookieTransform(),
        new RsaEncryptionCookieTransform(e.ServiceConfiguration.ServiceCertificate),
        new RsaSignatureCookieTransform(e.ServiceConfiguration.ServiceCertificate)
    });
    SessionSecurityTokenHandler sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());
    e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
}
```

It all works: people sign in and use the system successfully, but from time to time we get an exception:

ID1014: The signature is not valid. The data may have been tampered with.

in the event logs, so I turned on WIF tracing and saw the following in the log.

ID1074: CryptographicException occurred while trying to encrypt a cookie using the ProtectedData API (see internal exception for details). If you are using IIS 7.5, this could be because loadUserProfile in the application pool is set to false.

I have a feeling that this is leading me down a blind alley, since I thought that, because I changed the implementation to use RSA, this should not affect me.

Any ideas to help me?

+8
wif windows-identity federated-identity ws-federation
4 answers

I changed the implementation to change the timeout in the ontokencreated method. This prevents retransmission.

```csharp
using System;
using Microsoft.IdentityModel.Web;

// The override has to live in a SessionAuthenticationModule subclass that is registered in
// web.config in place of the default module (class name chosen here for illustration).
public class MySessionAuthenticationModule : SessionAuthenticationModule
{
    protected override void OnSessionSecurityTokenCreated(SessionSecurityTokenCreatedEventArgs args)
    {
        // Re-issue the session token with a fixed one-year lifetime and mark it persistent.
        args.SessionToken = FederatedAuthentication.SessionAuthenticationModule.CreateSessionSecurityToken(
            args.SessionToken.ClaimsPrincipal,
            args.SessionToken.Context,
            DateTime.UtcNow,
            DateTime.UtcNow.AddDays(365),
            true);
        //base.OnSessionSecurityTokenCreated(args);
    }
}
```
+2

Browser cookies are encrypted with the "old" mechanism - DPAPI. Therefore, when the server tries to decrypt cookies, it fails - your code uses RSA now, not DPAPI.

As a workaround, clear your browser’s cache and the application will start as expected.

+3
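The mismatch described in this answer (a DPAPI-protected cookie arriving at a server that now expects RSA) surfaces as an unhandled exception on every request until the cookie goes away. As an added example (not code from the question or any answer), the Global.asax handler below treats a cookie the server cannot decrypt or verify as a stale session: it deletes the cookie and redirects, so the user is sent back to the STS to sign in instead of hitting a server error. It assumes the WIF 3.5 (Microsoft.IdentityModel) API and the RSA transforms from the question; the helper name IsSessionCookieFailure is chosen here.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using Microsoft.IdentityModel.Web;

// Global.asax.cs, added illustration: discard session cookies this node cannot read.
public partial class Global : HttpApplication
{
    // True when the exception, or any inner exception, is the kind raised while
    // decoding a session cookie: DPAPI material from another machine or from
    // before the switch to RSA, or a cookie whose signature does not verify.
    internal static bool IsSessionCookieFailure(Exception ex)
    {
        for (Exception e = ex; e != null; e = e.InnerException)
        {
            if (e is CryptographicException)
            {
                return true;
            }
            // WIF prefixes its messages with an identifier such as ID1014.
            if (e.Message != null && e.Message.StartsWith("ID1014", StringComparison.Ordinal))
            {
                return true;
            }
        }
        return false;
    }

    void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (!IsSessionCookieFailure(ex))
        {
            return; // leave every other error to the normal error handling
        }

        // Fail closed: the unreadable cookie is dropped, nobody is signed in with it,
        // and the next request goes through the normal federated sign-in again.
        SessionAuthenticationModule sam = FederatedAuthentication.SessionAuthenticationModule;
        if (sam != null)
        {
            sam.DeleteSessionTokenCookie();
        }
        Server.ClearError();
        Response.Redirect(Request.RawUrl, false);
    }
}
```

Log the original exception before clearing it so that a genuine tampering attempt is still visible in your event logs, not only the farm's stale-cookie noise.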

Have you set the loadUserProfile parameter to true? Does the problem still arise?

(Select the application pool in IIS, and then click "Advanced Settings" on the right. "Load User Profile" is in the "Process Model" section.)

0

A recurring error, combined with the DPAPI exception shown in your traces, tells me that you are not actually overriding the cookie transforms, and your service still uses DPAPI.

It may be a long shot, but in your code snippet I noticed that the method overriding "onServiceConfigurationCreated" starts with a lowercase o. Such a typo will really prevent you from overriding the default WIF behavior correctly.

0