WSFederationAuthenticationModule (WSFAM) CryptographicException auth failure
As you may have guessed from my recent posts, I was working on a first stab at some WIF work recently, and the app was failing with the following error.
The system cannot find the file specified.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
[CryptographicException: The system cannot find the file specified.]
System.Security.Cryptography.ProtectedData.Protect(Byte[] userData, Byte[] optionalEntropy, DataProtectionScope scope) +681
Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Encode(Byte[] value) +121
[InvalidOperationException: ID1074: A CryptographicException occurred when attempting to encrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false. ]
Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Encode(Byte[] value) +1278004
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +74
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(XmlWriter writer, SecurityToken token) +571
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(SessionSecurityToken sessionToken) +103
Microsoft.IdentityModel.Web.SessionAuthenticationModule.WriteSessionTokenToCookie(SessionSecurityToken sessionToken) +136
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request) +639
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +1096470
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171
Now, if you recall my post from Jan 4, 2006... what?? You don't? Here it is: Crypt* calls failing?
OK - so I assumed that Cryptography.ProtectedData.Protect calls into CryptProtectData and is failing with ‘file not found’. From the previous post we can recall that the Crypt call reads from the registry and file system, but how does it get the profile path to read from?
First, to get the user the Crypto call is being made under... OK, so I went the hard way – I hooked a debugger to w3wp.exe and when it made the call I grabbed the thread token. It was some crazy SID “S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415”
Not a known SID, but some research on “S-1-5-82” shows that it's a new IIS7 app pool SID. See http://www.adopenstatic.com/cs/blogs/ken/archive/2008/01/29/15759.aspx for more information.
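A less painful way to get the same answer than attaching a debugger to w3wp.exe is to have the app report it itself. The following is an added diagnostic (not code from the original post or from WIF): dropped into a test page or logged at startup, it runs under the app pool identity and records the identity name and SID, the profile paths the process sees, and whether the same DPAPI call WIF's ProtectedDataCookieTransform makes (ProtectedData.Protect in the CurrentUser scope) succeeds. The probe value and entropy are constructed sample data.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;

// Added diagnostic, not part of the original post. Call DpapiProfileCheck.Describe()
// from inside the web app so it executes as the app pool identity, and log the result.
public static class DpapiProfileCheck
{
    public static string Describe()
    {
        var sb = new StringBuilder();

        // Which account is this request running as? An S-1-5-82-... SID is the IIS
        // virtual AppPool account rather than the service account you thought you set.
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        sb.AppendLine("Process identity: " + id.Name);
        sb.AppendLine("SID: " + id.User);

        // DPAPI in CurrentUser scope depends on the user's profile being loaded.
        // When it is, these point at a per-account profile directory; record them for comparison.
        sb.AppendLine("USERPROFILE: " + (Environment.GetEnvironmentVariable("USERPROFILE") ?? "<unset>"));
        sb.AppendLine("APPDATA: " + Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData));

        // Same API and scope WIF uses for the session cookie transform.
        byte[] probe = Encoding.UTF8.GetBytes("constructed probe value");   // constructed sample
        byte[] entropy = Encoding.UTF8.GetBytes("constructed entropy");     // constructed sample
        try
        {
            byte[] blob = ProtectedData.Protect(probe, entropy, DataProtectionScope.CurrentUser);
            byte[] back = ProtectedData.Unprotect(blob, entropy, DataProtectionScope.CurrentUser);
            bool roundTrip = Encoding.UTF8.GetString(back) == "constructed probe value";
            sb.AppendLine("DPAPI CurrentUser round trip: " + (roundTrip ? "OK" : "MISMATCH")
                          + " (" + blob.Length + " byte blob)");
        }
        catch (CryptographicException ex)
        {
            // This is the inner exception behind WIF's ID1074 ("The system cannot find the file specified").
            sb.AppendLine("DPAPI CurrentUser FAILED: " + ex.Message);
            sb.AppendLine("Check that the application is assigned to the intended app pool "
                          + "and that the pool's loadUserProfile is true.");
        }
        return sb.ToString();
    }
}
```

Keep the output out of public error pages; the SID and profile paths belong in a log, not in a response body.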
OK cool. So why is it failing? I had an app pool defined with a service account and the account was set to load the profile.
After looking into it more (OK, debugging the calls) I saw it makes a call to look for this key in HKLM:
kd> du 000000000344dd40
00000000`0344dd40 "Software\Microsoft\Windows NT\Cu"
Well – that doesn't exist, since it's the magic AppPool SID... but wait. After thinking, why wasn't it using the service account I had set up for the app? Doh!!! The app wasn't configured in the app's application pool (under Basic Settings)!
Argh. Anyway… it may help someone in the future… so here it is.
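The actual fix was an IIS configuration check: which pool the application really runs in, what identity that pool uses, and whether the pool loads the user profile. The following is an added example (not from the original post) that performs that check from an elevated process with the Microsoft.Web.Administration API that ships with IIS 7 and later; the site name and application path are placeholders you pass in, and the optional repair only flips loadUserProfile on the pool the app is already in.

```csharp
using System;
using Microsoft.Web.Administration;   // %windir%\System32\inetsrv\Microsoft.Web.Administration.dll

// Added example, not part of the original post. Run elevated on the IIS server.
// siteName and appPath are placeholders, e.g. ("Default Web Site", "/myapp").
public static class AppPoolProfileCheck
{
    // Reports the application's pool, its identity and loadUserProfile.
    // Returns true when loadUserProfile ends up enabled for that pool.
    public static bool Check(string siteName, string appPath, bool enableLoadUserProfile)
    {
        using (var server = new ServerManager())
        {
            Site site = server.Sites[siteName];
            if (site == null) throw new ArgumentException("No such site: " + siteName);

            Application app = site.Applications[appPath];
            if (app == null) throw new ArgumentException("No such application: " + appPath);

            // This is the setting that was wrong in the post: the app sat in a different
            // pool than the one configured with the service account.
            string poolName = app.ApplicationPoolName;
            ApplicationPool pool = server.ApplicationPools[poolName];
            Console.WriteLine("{0}{1} runs in pool '{2}'", siteName, appPath, poolName);
            Console.WriteLine("  identityType    = {0}", pool.ProcessModel.IdentityType);
            Console.WriteLine("  userName        = {0}", pool.ProcessModel.UserName);
            Console.WriteLine("  loadUserProfile = {0}", pool.ProcessModel.LoadUserProfile);

            if (!pool.ProcessModel.LoadUserProfile && enableLoadUserProfile)
            {
                // DPAPI CurrentUser scope needs the profile loaded; recycle the pool after this.
                pool.ProcessModel.LoadUserProfile = true;
                server.CommitChanges();
                Console.WriteLine("  -> loadUserProfile set to true; recycle '{0}' to apply", poolName);
                return true;
            }
            return pool.ProcessModel.LoadUserProfile;
        }
    }
}
```

If the reported pool is not the one carrying your service account, move the application to the right pool (Basic Settings in IIS Manager) rather than enabling the profile on the wrong one; the identity line in the output is the quick tell.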
Key :adfs geneva