We have an Authenticated WCF service running in a web farm that is intermittently throwing this error:

MessageSecurityException: The SecurityContextSecurityToken has an invalid Cookie. The following error occurred when processing the Cookie: 'Error decoding the Cookie element of SecurityContextSecurityToken.'. ---> CryptographicException: The DataProtectionSecurityStateEncoder is unable to decode the byte array. Ensure that a 'UserProfile' is loaded, if this is a 'web farm scenario' ensure all servers are running as the same user with the roaming profiles or provide a custom SecurityStateEncoder'. ---> CryptographicException: Key not valid for use in specified state.

I've spent a fair bit of time digging into the above, and I believe I understand the error. However, I can't find any information on how to configure the DataProtectionSecurityStateEncoder.

I would like to configure the encoder to use the local computer settings (we've sync'd machine keys, etc) but I'm completely stuck. Can anyone point me in the right direction?

Chris

1 Answer

An update with a possible solution: I believe we may be able to resolve this by:

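protected void Application_BeginRequest(object sender, EventArgs e)
{
    // Constructor argument is useCurrentUserProtectionScope:
    // false selects the local machine DPAPI scope instead of the current user's profile.
    OperationContext.Current.Host.Credentials.SecureConversationAuthentication.SecurityStateEncoder = new DataProtectionSecurityStateEncoder(false);
}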

We are still in the process of testing this, however this issue has been parked whilst we resolve some high priority stuff that has come up.

Noting here in case anyone else has a similar issue, and can't find a solution (and who, like us, has a web farm running outside of a domain).

I will come back and update this answer when we return to the work.

Chris
  • Did you ever get a solution to this? I'm hitting a similar problem – StackTrace Oct 28 '15 at 05:54
  • No, this was a very frustrating case. We've not had time to come back and look at this; fortunately we were considering putting a domain into our DMZ for other reasons. Would love to know how to resolve this though :( – Chris Oct 28 '15 at 11:57
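
The error text's own suggestion, a custom SecurityStateEncoder, as an added example (not code from the question or the answer): it protects the cookie with the ASP.NET machineKey that the question says is already synced across the farm, and assigns the encoder in a host factory while the host is being created. The class names and the purpose string are hypothetical, and it assumes .NET 4.5 or later for `MachineKey.Protect` and `MachineKey.Unprotect`.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.ServiceModel.Security;
using System.Web.Security;

// Hypothetical name: encodes the SecurityContextSecurityToken cookie with the
// <machineKey> from web.config, which must be identical on every farm node.
public sealed class MachineKeySecurityStateEncoder : SecurityStateEncoder
{
    // Purpose string (constructed for this example) binds the protected bytes
    // to this use, so other MachineKey-protected payloads are not accepted here.
    private const string Purpose = "WCF.SecureConversation.Cookie";

    protected override byte[] EncodeSecurityState(byte[] data)
    {
        if (data == null) throw new ArgumentNullException("data");
        return MachineKey.Protect(data, Purpose);
    }

    protected override byte[] DecodeSecurityState(byte[] data)
    {
        if (data == null) throw new ArgumentNullException("data");
        // Throws CryptographicException if the cookie was modified or was
        // issued by a node with a different machineKey.
        return MachineKey.Unprotect(data, Purpose);
    }
}

// Hypothetical factory: service credentials become read-only once the host
// is opened, so the encoder is assigned while the host is being created.
public class FarmServiceHostFactory : ServiceHostFactory
{
    protected override ServiceHost CreateServiceHost(Type serviceType, Uri[] baseAddresses)
    {
        ServiceHost host = base.CreateServiceHost(serviceType, baseAddresses);
        host.Credentials.SecureConversationAuthentication.SecurityStateEncoder =
            new MachineKeySecurityStateEncoder();
        return host;
    }
}
```

The factory is selected through the `Factory` attribute of the `ServiceHost` directive in the service's .svc file.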