
Protection API Exceptions when scaling Azure Web Roles using ACS

I have been using Azure ACS against Windows Live and Google and it's been running without any problems. Last night we scaled instances from 1 running instance to 3 and since then people have reported issues when accessing our site. We've traced this to the following exception which is occurring on a fairly regular basis.

We assume we have a problem somewhere in our configuration but aren't sure what we're missing. We set the machine key...

<machineKey decryption="AES" decryptionKey="F7_SOMETHING_SOMETHING_FA" validation="SHA1" validationKey="63_SOMETHING_SOMETHING_BF" />

Can anyone shed some light on this problem?

System.InvalidOperationException: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false.  ---> System.Security.Cryptography.CryptographicException: Key not valid for use in specified state.

   at System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope)
   at Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[] encoded)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[] encoded)
   at Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound)
   at Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver)
   at Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver)
   at Microsoft.IdentityModel.Web.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[] sessionCookie)
   at Microsoft.IdentityModel.Web.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken)
   at Microsoft.IdentityModel.Web.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Note: For context, this is running in a Windows Azure Web Role and is MVC 4.

Now that you've scaled out and since your application is hosted behind a load balancer, it is possible that your user navigated to Server A, got the session cookie protected by DPAPI on Server A, but as they continue to browse around the site the load balancer redirects the request to execute on Server B. When this happens, Server B does not have a matching machine key, so it is unable to decrypt the session cookie and throws the above error. Here are three ways in which you can resolve this issue.

Windows Identity Foundation (WIF) is an out-of-band runtime that must be installed on the computer so that your claims-aware application can use it. WIF is not installed by default on Windows Azure instances. To run your cloud claims-aware application, you must make the WIF runtime available on the Windows Azure instance. The easiest way to do this is to include the WIF assembly with the deployment package.

To include the WIF assembly with the Windows Azure deployment package

  1. In the Solution Explorer, locate your claims-aware application.
  2. Expand the References folder.
  3. Locate the Microsoft.IdentityModel assembly under the References folder.
  4. Right-click the assembly, and then click Properties.
  5. In the properties window, specify Copy Local as True and Specific Version as False.

By default, WIF protects cookies cryptographically using the data protection application programming interface (DPAPI). DPAPI is not available on Windows Azure. To make sure that your cloud claims-aware web application functions correctly when it is deployed to Windows Azure, you must add cookie encryption functionality using RSA.

To encrypt cookies using RSA

  1. In the Solution Explorer, locate your cloud claims-aware web application.
  2. Open the global.asax.cs file, which is the code behind the global.asax file, in the Visual Studio editor.

Add the following declarations:

using System.Collections.Generic; // needed for List<CookieTransform> below
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;
using Microsoft.IdentityModel.Web.Configuration;

Add the following code:

void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
{
    //
    // Use the <serviceCertificate> to protect the cookies that are
    // sent to the client.
    //
    List<CookieTransform> sessionTransforms =
        new List<CookieTransform>(new CookieTransform[] {
        new DeflateCookieTransform(), 
        new RsaEncryptionCookieTransform(e.ServiceConfiguration.ServiceCertificate),
        new RsaSignatureCookieTransform(e.ServiceConfiguration.ServiceCertificate)  });
    SessionSecurityTokenHandler sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());
    e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
}

void Application_Start(object sender, EventArgs e)
{
    // Hook the handler before the first request so every instance
    // builds its session handler from the shared service certificate.
    FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
}

More information can be found here: http://msdn.microsoft.com/en-us/library/hh289318.aspx
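The failure described in this answer is about key scope, not about a bug in the cookie itself: DPAPI protects the session cookie with key material that only the issuing machine holds, so a second instance behind the load balancer cannot authenticate or decrypt it, while the RSA transform above uses one certificate that every instance ships with. The following Python model, added here as an illustration (it is not WIF, DPAPI or the answer's own code), makes that difference visible by issuing a cookie on instance A and reading it on instance B, first with per-machine keys and then with one shared key. The `WebRoleInstance` class, the `simulate` function and the HMAC-based protect/unprotect routines are constructed for this example; the HMAC keystream is a stand-in for AES+DPAPI so the block runs with the standard library only.

```python
"""Constructed model of a DPAPI-protected WIF session cookie read across
scaled-out web role instances, and of the shared-key fix.

Not WIF or DPAPI code. Protection is encrypt-then-MAC with an HMAC-SHA256
keystream; it stands in for AES+DPAPI purely to make key scope observable.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

NONCE_LEN = 16
TAG_LEN = 32


class CookieProtectionError(Exception):
    """Raised when a cookie cannot be verified with the key this instance holds."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy PRF (illustration only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, the role of WIF's cookie transforms."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a foreign key fails here, which is
    the analogue of the ID1073 / 'Key not valid for use in specified state'."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise CookieProtectionError("cookie too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise CookieProtectionError("tag mismatch: cookie was protected with a different key")
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class WebRoleInstance:
    """One role instance. Without a shared key it behaves like DPAPI: the key
    is derived from this machine's identity and exists nowhere else."""

    def __init__(self, name: str, shared_key: Optional[bytes] = None):
        self.name = name
        # Constructed per-machine secret; in DPAPI this lives in the user/machine profile.
        machine_key = hashlib.sha256(b"machine-secret:" + name.encode()).digest()
        self.key = shared_key if shared_key is not None else machine_key

    def issue_session_cookie(self, claims: str) -> bytes:
        return protect(self.key, claims.encode())

    def read_session_cookie(self, cookie: bytes) -> str:
        return unprotect(self.key, cookie).decode()


def simulate(shared: bool) -> Dict[str, Optional[str]]:
    """Sign in on instance A, then let the load balancer route the next request to B."""
    shared_key = secrets.token_bytes(32) if shared else None  # the 'service certificate'
    a = WebRoleInstance("IN_0", shared_key)
    b = WebRoleInstance("IN_1", shared_key)
    cookie = a.issue_session_cookie("name=alice;idp=google")  # constructed claims
    result: Dict[str, Optional[str]] = {"a_reads": a.read_session_cookie(cookie)}
    try:
        result["b_reads"] = b.read_session_cookie(cookie)
    except CookieProtectionError as exc:
        result["b_reads"] = None
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    print("per-machine keys:", simulate(shared=False))
    print("shared key:      ", simulate(shared=True))
```

With `shared=False` only instance A can read the cookie and B reports a tag mismatch; with `shared=True` both instances read the same claims, which is exactly what handing every instance the same service certificate (or the same `machineKey`) achieves.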

This is a common exception when using WIF in a farm environment. The point is that the default behavior is to use DPAPI to encrypt the cookie. However DPAPI is MachineKey bound.

You have to make a small change in the Global.Asax and use the RSA Crypto service provider to encrypt/decrypt the FedAuth Cookie. Take a look at this article on how to achieve that.

I ran into a similar issue while trying to utilize ACS with an MVC 4 app deployed as a Windows Azure Website instance vs. a cloud service. The following helped me to resolve the problem. http://msdn.microsoft.com/en-us/library/hh568644.aspx

Scroll to the very bottom and find the example which shows removing the SessionSecurityTokenHandler and replacing it with the MachineKeySessionSecurityTokenHandler.
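The handler swap this answer points to is a web.config change rather than code, shown here as an added example (not this answer's own text). It applies to WIF 4.5, where the session handler lives in System.IdentityModel / System.IdentityModel.Services as part of .NET 4.5; the stack trace in the question shows Microsoft.IdentityModel.* types, i.e. the earlier WIF 3.5 runtime, which has no MachineKeySessionSecurityTokenHandler, so an application on that runtime needs the RSA transforms from the first answer or an upgrade first. With this handler the cookie is protected by the ASP.NET `<machineKey>` (the element the question already sets) instead of DPAPI, so the fix only works if every instance carries the same `<machineKey>` values in its deployed web.config. The `<system.identityModel>` fragment is assumed to sit in the application's web.config; the assembly versions and public key tokens are those of the .NET 4.5 framework assemblies.

```xml
<configuration>
  <system.identityModel>
    <identityConfiguration>
      <securityTokenHandlers>
        <!-- Drop the default handler, whose cookie transforms use DPAPI -->
        <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        <!-- Protect the session cookie with the ASP.NET machineKey instead -->
        <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </securityTokenHandlers>
    </identityConfiguration>
  </system.identityModel>
</configuration>
```

A quick check after deploying: sign in, then hit the site repeatedly until the load balancer has routed requests to every instance (the role instance name can be logged per request); if any instance still raises ID1073, that instance is either running the old handler or has different `<machineKey>` values.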
