0

I am using WIF SSO for authentication in my website. Everything works perfect in development environment. But on deployment I got issue

Message: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating. ExceptionStackTrace: at System.Security.Cryptography.ProtectedData.Protect(Byte[] userData, Byte[] optionalEntropy, DataProtectionScope scope) at Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Encode(Byte[] value)

Searching abt this issue leads me to this stackoverflow question Is it possible to run WIF without LoadUserProfile = True I added the code mentioned but now I am getting

Value cannot be null

I am getting e.ServiceConfiguration.ServiceCertificate ServiceCertificate null. My question is what kind of certificate is this and where can I define this in my config. Do I need to place the same certificate on ACS.

here is my config section

<microsoft.identityModel>
    <service>
      <audienceUris>
        <add value="http://localhost:9494/" />
      </audienceUris>      
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true" issuer="https://devworks-sb.accesscontrol.appfabriclabs.com/v2/wsfederation" realm="http://localhost:9494" requireHttps="false" />
        <cookieHandler requireSsl="false" />
      </federatedAuthentication>
      <applicationService>
        <claimTypeRequired>
          <!--Following are the claims offered by STS 'https://devworks-sb.accesscontrol.appfabriclabs.com/'. Add or uncomment claims that you require by your application and then update the federation metadata of this application.-->
          <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true" />
          <claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="true" />
          <!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider" optional="true" />-->
        </claimTypeRequired>
      </applicationService>
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="BE9D0A516BEC2BC820C23D5C2EA79F068C094382" name="https://devworks-sb.accesscontrol.appfabriclabs.com/" />
        </trustedIssuers>
      </issuerNameRegistry>      
    </service>   </microsoft.identityModel>

thanx

Community
  • 1
  • 1
ZafarYousafi
  • 8,640
  • 5
  • 33
  • 39

2 Answers2

2

First thing you mentioned that the problem occurred after deployment, is that right? In your web.config have you changed the audienceUris to http://whatever_service_name.cloudapp.net? 

<audienceUris>
    <add value="http://localhost:9494/" /> <== This is  wrong
 </audienceUris>

Next your question about certificate is NULL at e.ServiceConfiguration.ServiceCertificate, please verify the following:

A. Endpoint is added in your application Service Definition:

B. Certificate thumbprint is set in Service Configuration

C. Certificate is set in web.config which is correct above

D. Finally added the following in your web.config so certificate can be search by thumbprint:

<serviceCertificate>
   <certificateReference x509FindType="FindByThumbprint" findValue="CERT_THUMB" />
</serviceCertificate>

Study these two resources which will be very helpful:

http://www.jimandkatrin.com/CodeBlog/post/Troubleshooting-Azure-issues.aspx

http://blogs.msmvps.com/marcelmeijer/blog/2012/05/04/windows-azure-wif-access-control-acs/

AvkashChauhan
  • 20,495
  • 3
  • 34
  • 65
1

The root cause is likely to be you’re using DPAPI (the default configuration of WIF). Please try to do a few modifications for the application to work in Windows Azure. I would like to suggest you to check http://msdn.microsoft.com/en-us/IdentityTrainingCourse_WIFonWAZLab2010 for a tutorial.

Best Regards,

Ming Xu.

Ming Xu - MSFT
  • 2,116
  • 1
  • 11
  • 13