
We are trying to use DPAPI in our OWIN-based WebAPI self-hosted app. The app is configured for Windows authentication and runs as a service under the SYSTEM account:

var listener = (HttpListener)app.Properties["System.Net.HttpListener"];
listener.AuthenticationSchemes = AuthenticationSchemes.Ntlm;

In the controller we do something like this:

using System.Security.Cryptography;
using System.Security.Principal;
using System.Web.Http;

public class SomeController : ApiController
{
  public IHttpActionResult SomeAction()
  {
    // HttpListener with AuthenticationSchemes.Ntlm gives us a WindowsIdentity for the caller
    var currentWindowsIdentity = (WindowsIdentity)this.User.Identity;

    // load user profile for currentWindowsIdentity and impersonate
    using (UserProfile.Load(currentWindowsIdentity)) // UserProfile is a wrapper around LoadUserProfileW
    using (currentWindowsIdentity.Impersonate())
    {
      ProtectedData.Unprotect(…);
    }
    return Ok();
  }
}

The call to ProtectedData.Unprotect fails with CryptographicException: Key not valid for use in specified state. If the same user that is invoking the action is logged on to the machine where the app is running, then ProtectedData.Unprotect succeeds. It appears that LoadUserProfileW does not load some profile data related to DPAPI. Are we missing something, or is it by design?

TylerH
Alex I

0 Answers
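The observation above (works when the user is logged on, fails otherwise) is the symptom of how DPAPI user keys are unlocked: the per-user master key is encrypted with a secret derived from the user's password, and LSA can only unlock it for a logon session that was created with the user's credentials. An NTLM-authenticated HttpListener request produces a network logon token, which carries no password-derived secret, so CryptUnprotectData reports NTE_BAD_KEY_STATE ("Key not valid for use in specified state") unless some other logon session of that user on the same machine already holds the master key. Loading the profile alone does not change that. The following console program is an added example, not code from the question or from the project it describes; it reproduces the dependence on logon type by impersonating tokens obtained with LogonUser for the same user. The user name, domain and password are assumed to be passed on the command line, the account is assumed to have no other logon session on the machine while the probe runs, and on .NET Framework the project needs a reference to System.Security.dll for ProtectedData.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;

// Added example (not the question's code): probe whether DPAPI works while
// impersonating a token obtained with a given logon type. Credentials are
// assumed to come from the command line; the user is assumed to have no
// other logon session on this machine while the probe runs.
static class DpapiLogonTypeProbe
{
    const int LOGON32_LOGON_INTERACTIVE = 2;  // LSA receives the password, so the DPAPI master key can be unlocked
    const int LOGON32_LOGON_NETWORK = 3;      // no password-derived secret, like an NTLM-authenticated request
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Protects and unprotects a constructed sample under impersonation of the
    // given logon type and returns a one-line verdict instead of throwing.
    static string ProbeDpapi(string user, string domain, string password, int logonType)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, logonType, LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // WindowsIdentity duplicates the token, so both handles are released below.
            using (var identity = new WindowsIdentity(token))
            using (identity.Impersonate())
            {
                byte[] sample = Encoding.UTF8.GetBytes("dpapi probe");  // constructed input
                byte[] blob = ProtectedData.Protect(sample, null, DataProtectionScope.CurrentUser);
                byte[] back = ProtectedData.Unprotect(blob, null, DataProtectionScope.CurrentUser);
                bool roundTripped = Encoding.UTF8.GetString(back) == "dpapi probe";
                return (roundTripped ? "ok" : "mismatch") + " as " + identity.Name;
            }
        }
        catch (CryptographicException ex)
        {
            // The question's error surfaces here: "Key not valid for use in specified state."
            return "failed: " + ex.Message;
        }
        finally
        {
            CloseHandle(token);
        }
    }

    static void Main(string[] args)
    {
        if (args.Length != 3)
        {
            Console.Error.WriteLine("usage: DpapiLogonTypeProbe <user> <domain> <password>");
            return;
        }
        // Network logon first, so no interactive session of this user exists
        // yet that could have left the master key unlocked in LSA.
        Console.WriteLine("NETWORK logon:     " + ProbeDpapi(args[0], args[1], args[2], LOGON32_LOGON_NETWORK));
        Console.WriteLine("INTERACTIVE logon: " + ProbeDpapi(args[0], args[1], args[2], LOGON32_LOGON_INTERACTIVE));
    }
}
```

Run it on the service host as an account that may call LogonUser (SYSTEM is fine). The expected pattern is that the NETWORK probe fails with the same CryptographicException as in the question while the INTERACTIVE probe round-trips, because only the second logon hands LSA the material needed to decrypt the user's master key. If the NETWORK probe succeeds, some other session of that user (an interactive logon, or a previous LogonUser with a password) is still alive and has already unlocked the key, which is exactly the "works when the user is logged on" case described above.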