1
我目前使用Forms Auth验证跨子域。所以我有以下服务器:是否可以在子域中使用WIF SessionAuthenticationModule Cookie?
site1.domain.com
site2.domain.com
他们能够共享Forms Auth cookie。这里是一个链接,如何这是可能的: http://msdn.microsoft.com/en-us/library/eb0zx8fc(v=VS.100).aspx
但现在我加入声明为我的应用程序,它似乎是,当我把这个行:
var sessionToken = new SessionSecurityToken(principal);
FederatedAuthentication.SessionAuthenticationModule.CookieHandler.Domain = "domain.com";
FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(sessionToken);
,有一个“FedAuth =”所写入的cookie包含序列化和加密的声明。
但现在我无法在我的一个子域(site1)中设置FedAuth cookie,并让其他子域读取它(site2)。我得到这个错误:
Key not valid for use in specified state.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Security.Cryptography.CryptographicException: Key not valid for use in specified state.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[CryptographicException: Key not valid for use in specified state.]
System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope) +397
System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded) +90
[InvalidOperationException: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false.]
System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded) +1158198
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +173
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver) +756
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver) +100
System.IdentityModel.Services.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[sessionCookie) +668
System.IdentityModel.Services.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken) +164
System.IdentityModel.Services.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +173
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +165
之前,与形式身份验证,这不是一个问题,它只是工作。
为了在所有使用相同域的子域之间共享这些FedAuth cookie,我需要做些什么?
是的,这两个网站的web.config文件具有相同的machineKey。并且每个站点的应用程序池上的loadProfile设置都设置为false。
我希望能够做到这一点而不涉及STS。 STS引入了开销和复杂性,我看不出有什么理由不应该将FedAuth cookie子域中的索赔包装好。
谢谢, 迈克