
Now then all.

Having a little trouble with an MVC app using Identity and Access and Azure STS on AppHarbor giving "Key not valid in specified state" errors.

From what I gather, this is due to the default encryption using a machine key, which obviously doesn't work with a load balanced scenario.

I've tried replacing it with an RSA class, RsaEncryptedSessionSecurityTokenHandler : SessionSecurityTokenHandler,

that picks up a pfx file key (created with SelfCert) to use, but whilst this works locally, it doesn't work on the AppHarbor site: System.Security.Cryptography.CryptographicException: Keyset does not exist. I'm guessing that this is because the key is tied to more than just the file.

So how does one solve the original problem? Been searching for a day for solutions, but nothing seems to apply to this situation.

TIA

EDIT: I've tried adapting this code: SessionSecurityTokenHandler trying to decrypt SessionSecurityToken in RSA-encrypted cookie using DPAPI; why?

for use in the new WIF 4.5 stuff like this:

// Namespaces needed for the types below (WIF 4.5 / System.IdentityModel):
// using System.Collections.Generic;
// using System.IdentityModel;                 // CookieTransform, DeflateCookieTransform, Rsa*CookieTransform
// using System.IdentityModel.Tokens;          // SessionSecurityTokenHandler
//
// Assumed context (not stated in the post): this runs inside a
// FederatedAuthentication.FederationConfigurationCreated handler, where
// e is a FederationConfigurationCreatedEventArgs.
var serviceCertificate = e.FederationConfiguration.IdentityConfiguration.ServiceCertificate;

// Same transform chain as the original: compress, then RSA-encrypt and
// RSA-sign the session cookie with the service certificate instead of DPAPI.
var sessionTransforms = new List<CookieTransform>
{
    new DeflateCookieTransform(),
    new RsaEncryptionCookieTransform(serviceCertificate),
    new RsaSignatureCookieTransform(serviceCertificate)
};

var sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());

// Replace the default session token handler with the RSA-based one.
e.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);

But e.ServiceCertificate is always null.

Any thoughts?

mrmoosehead

1 Answer

MachineKey does work - but you need to set the keys explicitly in config. Use the machineKey element for that.

leastprivilege
  • Note that AppHarbor automatically injects machinekeys: http://blog.appharbor.com/2012/11/06/updates-to-default-machinekey-settings – friism Jan 09 '13 at 22:01
  • And there is no option to make that load balancing friendly? – leastprivilege Jan 10 '13 at 06:23
  • The machineKey stuff should be load-balancing friendly, the same keys are injected on all workers. You can read more here: http://blog.appharbor.com/2011/08/29/application-scaling-now-in-beta – friism Jan 10 '13 at 06:33
  • Then I don't understand that sentence: "From what I gather, this is due to the default encrpytion using a machine key, which obviously doesn't work with a load balanced scenario" – leastprivilege Jan 10 '13 at 10:22
  • You're right. But note that the machineKeys are usually (when not on AppHarbor) autogenerated, and different autogenerated keys will not work in a load-balanced setup. – friism Jan 10 '13 at 18:46
  • fixed machine keys are always a pre-requisite for load balancing. – leastprivilege Jan 10 '13 at 19:10
  • sorry all, hadn't seen your comments. I've tried the manual machine key insertion, but that still causes the 'key not valid in specified state' error when a new deploy happens. As I understand it, if you've got a manual key, then this shouldn't happen? – mrmoosehead Feb 20 '13 at 09:27
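As an added illustration of what the answer above means by "set the keys explicitly in config" (this fragment is not part of the original answer or the asker's project), the web.config below shows the per-machine default commented out beside a fixed machineKey that is identical on every load-balanced worker, and swaps the default WIF 4.5 session token handler (which protects the session cookie with DPAPI, i.e. a machine-bound key) for the machineKey-based MachineKeySessionSecurityTokenHandler so that the machineKey is what actually protects the session cookie. The key values are placeholders to be replaced with your own random hex; the assembly version and public-key-token strings are the ones for .NET 4.5 and are assumed here, so check them against the framework you deploy on.

```xml
<configuration>
  <system.web>
    <!-- Default (weak for load balancing): keys are auto-generated per machine,
         so a cookie protected on one worker cannot be decrypted on another and
         fails with "Key not valid for use in specified state".
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
    -->

    <!-- Fixed keys shared by every worker. Placeholders: generate your own
         cryptographically random hex (64 bytes = 128 hex chars for HMACSHA256,
         32 bytes = 64 hex chars for AES) and keep them out of source control. -->
    <machineKey
      validationKey="REPLACE_WITH_128_HEX_CHARS"
      decryptionKey="REPLACE_WITH_64_HEX_CHARS"
      validation="HMACSHA256"
      decryption="AES" />
  </system.web>

  <system.identityModel>
    <identityConfiguration>
      <securityTokenHandlers>
        <!-- Remove the DPAPI-backed default and add the handler that uses the
             machineKey above, so the session cookie round-trips across workers. -->
        <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </securityTokenHandlers>
    </identityConfiguration>
  </system.identityModel>
</configuration>
```

Two practical checks: the machineKey values must be byte-for-byte identical on every node that serves the site (including after a redeploy), and rotating them invalidates every outstanding session cookie, so rotate deliberately rather than letting a host or a deploy regenerate them.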