
Resetting password on Microsoft Identity causes System.Security.Cryptography.CryptographicException

I'm using MS Identity and when I'm using a reset token to reset the password, I get this exception:

Inner Exception Type: System.Security.Cryptography.CryptographicException Inner Exception: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.

This is what the code looks like:

var TheProvider = new DpapiDataProtectionProvider();
UserManager<IdentityUser> TheUserManager = new UserManager<IdentityUser>(new UserStore<IdentityUser>());
TheUserManager.UserTokenProvider = new DataProtectorTokenProvider<IdentityUser>(TheProvider.Create("EmailConfirmation"));

string TheResetCode = TheUserManager.GeneratePasswordResetToken(TheUserMembershiptID);

IdentityResult TheResult = TheUserManager.ResetPassword(TheUserMembershiptID, TheResetCode, TheNewPassword);

What I have works on my local machine but not when I put it on a server. I've looked around but I haven't found a solution. What do I need to change to make it work?

This is a configuration problem with IIS. Go to the application pool advanced settings, and set the option "Load User Profile" to True.

The assumption here is that you are using at least version 3 of Identity along with OWIN and Entity Framework.

Don't create the data protection provider manually every time. Get it at startup from the application builder and store it for the user manager to use.

public static class Auth {
    internal static IDataProtectionProvider DataProtectionProvider { get; private set; }
}

public partial class Startup {
    public void ConfigureAuth(IAppBuilder app) {
        Auth.DataProtectionProvider = app.GetDataProtectionProvider();
        //...other code removed for brevity
    }
}

Configure a DbContext for membership information persistence:

public class MyIdentityDbContext : IdentityDbContext<IdentityUser> {
    public MyIdentityDbContext()
        : base("MembershipConnection") { }

    public static MyIdentityDbContext Create() {
        return new MyIdentityDbContext();
    }
}

Now create a UserManager derived class and configure it to use the data protection provider:

public class IdentityUserManager : UserManager<IdentityUser> {

    private IdentityUserManager()
        : base(new UserStore<IdentityUser>(MyIdentityDbContext.Create())) {
        //...other code removed for brevity

        var dataProtectionProvider = Auth.DataProtectionProvider;
        if (dataProtectionProvider != null) {
            this.UserTokenProvider = new DataProtectorTokenProvider<IdentityUser>(dataProtectionProvider.Create("UserToken"));
        }
    }

    public static IdentityUserManager Create() {
        return new IdentityUserManager();
    }
}

So now assuming you have users registered in your persistence storage, you should be able to generate your token and reset the password.

var userManager = IdentityUserManager.Create();

var resetToken = await userManager.GeneratePasswordResetTokenAsync(id);

var result = await userManager.ResetPasswordAsync(id, resetToken, newPassword);

Now, based on your comments in the post, it could very well be that Load User Profile in the host (assuming IIS) needs to be set to true.

Quoting this answer:

I had the same issues except I was hosting on Amazon EC2. I was able to resolve it by going to the application pool in IIS and (under advanced settings after a right click) setting process model - load user profile = true.

If that is the case and you don't have access to the server to be able to change that setting like you indicated in the comments, then there is not much else that the community can provide that has not already been covered in posts that encountered this particular issue.
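
The "Load User Profile" setting that both answers point to can also be checked and changed from PowerShell. This is an added example, not code from the original posts; it assumes an elevated session on the IIS host with the WebAdministration module, and the pool name `MyAppPool` is a placeholder.

```powershell
# Added example: run in an elevated PowerShell session on the IIS host.
Import-Module WebAdministration

# Placeholder name (assumption): the pool that hosts the application.
$PoolName = 'MyAppPool'

# List every pool with its identity and current Load User Profile value,
# so pools where the reported exception can occur are easy to spot.
function Get-LoadUserProfileReport {
    Get-ChildItem IIS:\AppPools | ForEach-Object {
        [pscustomobject]@{
            Name            = $_.Name
            Identity        = $_.processModel.identityType
            LoadUserProfile = $_.processModel.loadUserProfile
        }
    }
}

# Turn the setting on for one pool and recycle it so the worker process
# starts with the profile loaded. Does nothing if it is already enabled.
function Enable-LoadUserProfile {
    param([Parameter(Mandatory)][string]$Name)

    $path = "IIS:\AppPools\$Name"
    if (-not (Test-Path $path)) {
        throw "Application pool '$Name' was not found."
    }
    if ((Get-Item $path).processModel.loadUserProfile) {
        Write-Output "'$Name' already has Load User Profile enabled."
        return
    }
    Set-ItemProperty $path -Name processModel.loadUserProfile -Value $true

    # Only recycle a running pool; a stopped pool picks the setting up on start.
    if ((Get-WebAppPoolState -Name $Name).Value -eq 'Started') {
        Restart-WebAppPool -Name $Name
    }
    Write-Output "Enabled Load User Profile on '$Name'."
}

Get-LoadUserProfileReport | Format-Table -AutoSize
Enable-LoadUserProfile -Name $PoolName
```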
