WSFederationAuthenticationModule (WSFAM) CryptographicException auth failure


As you may have guessed from my recent posts, I was working on a first stab at some WIF work recently, and the app was failing with the following error.

The system cannot find the file specified.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Security.Cryptography.CryptographicException: The system cannot find the file specified.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[CryptographicException: The system cannot find the file specified.]

System.Security.Cryptography.ProtectedData.Protect(Byte[] userData, Byte[] optionalEntropy, DataProtectionScope scope) +681
Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Encode(Byte[] value) +121

[InvalidOperationException: ID1074: A CryptographicException occurred when attempting to encrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false. ]

Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Encode(Byte[] value) +1278004
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +74
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(XmlWriter writer, SecurityToken token) +571
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(SessionSecurityToken sessionToken) +103
Microsoft.IdentityModel.Web.SessionAuthenticationModule.WriteSessionTokenToCookie(SessionSecurityToken sessionToken) +136
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request) +639
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +1096470
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171


Now, if you recall my post from Jan 4, 2006 .. what?? You don’t? Here it is: Crypt* calls failing?

OK, so I assumed that Cryptography.ProtectedData.Protect calls into CryptProtectData and that this is what is failing with ‘file not found’. From the previous post we can recall that the Crypt call reads from the registry and the file system, but how does it get the profile path to read from?

First, to find the user the crypto call is being made under.. OK, so I went the hard way: I hooked a debugger to w3wp.exe and when it made the call I grabbed the thread token. It was some crazy SID: “S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415”

Not a known SID, but some research on “S-1-5-82” shows that it’s a new IIS7 application pool SID. See for more information.


OK cool. So why is it failing? I had an app pool defined with a service account, and that account was set to load the profile.


After looking into it more (OK, debugging the calls) I saw it makes a call looking for this key in HKLM:


kd> du 000000000344dd40
00000000`0344dd40  "Software\Microsoft\Windows NT\Cu"
00000000`0344dd80  "rrentVersion\ProfileList\S-1-5-8"
00000000`0344ddc0  "2-3006700770-424185619-174548836"
00000000`0344de00  "4-794895919-4004696415"


Well, that doesn’t exist, since it’s the magic AppPool SID.. but wait. After thinking about it, why wasn’t it using the service account I had set up for the app? Doh!!! The app wasn’t configured to use that application pool (under Basic Settings)!
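To check which identity the WSFAM cookie transform really runs under, and whether that identity has a ProfileList entry, here is an added diagnostic (my own example, not code from the original post or from WIF). It assumes .NET Framework with a reference to System.Security.dll, and that DpapiProfileCheck.Run() is called from a throwaway page inside the web app so it executes as the app pool identity.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using Microsoft.Win32;

// Hypothetical helper: reproduces the failing ProtectedData.Protect call and the
// HKLM ProfileList lookup seen in the debugger, under whatever identity the
// calling web app actually uses.
public static class DpapiProfileCheck
{
    private const string ProfileListKey =
        @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList";

    public static string Run()
    {
        var report = new StringBuilder();
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        string sid = id.User == null ? "(none)" : id.User.Value;
        report.AppendLine("Identity: " + id.Name);
        report.AppendLine("SID: " + sid);

        // S-1-5-82-* is an IIS 7 application pool virtual account, i.e. the
        // "magic" AppPool SID rather than the service account you configured.
        if (sid.StartsWith("S-1-5-82-", StringComparison.Ordinal))
            report.AppendLine("This is an IIS AppPool identity, not a service account.");

        // CryptProtectData needs a loaded profile; DPAPI locates it via this key.
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(ProfileListKey + "\\" + sid))
        {
            if (key == null)
                report.AppendLine("No ProfileList entry for this SID: expect 'file not found'.");
            else
                report.AppendLine("Profile path: " + key.GetValue("ProfileImagePath"));
        }

        // The exact call that failed in the stack trace, plus the reverse to prove it.
        try
        {
            byte[] plain = Encoding.UTF8.GetBytes("dpapi-probe");
            byte[] blob = ProtectedData.Protect(plain, null, DataProtectionScope.CurrentUser);
            byte[] back = ProtectedData.Unprotect(blob, null, DataProtectionScope.CurrentUser);
            report.AppendLine("DPAPI round trip OK (" + back.Length + " bytes).");
        }
        catch (CryptographicException ex)
        {
            report.AppendLine("ProtectedData.Protect failed: " + ex.Message);
        }
        return report.ToString();
    }
}
```

If the SID starts with S-1-5-82 and no ProfileList entry is found, check the site's Basic Settings for the app pool it is actually assigned to before touching loadUserProfile.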


Argh. Anyway… it may help someone in the future…so here it is.




Keywords: adfs, geneva