WIF- ID1014: The signature is not valid. The data may have been tampered with
I've been using WIF to authenticate our new website; the STS is based upon the starter-sts implementation.

To enable this to work correctly in our load-balanced environment I've used the following in the global.asax to override the default certificate behaviour.

// Global.asax.cs; types come from Microsoft.IdentityModel.Tokens and
// Microsoft.IdentityModel.Web.Configuration (WIF 1.0).
void onServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
{
    // Replace the default DPAPI-based cookie transforms with ones keyed to the service
    // certificate, so any node in the farm can read a session cookie written by another node.
    List<CookieTransform> sessionTransforms = new List<CookieTransform>(new CookieTransform[]
    {
        new DeflateCookieTransform(),
        new RsaEncryptionCookieTransform(e.ServiceConfiguration.ServiceCertificate),
        new RsaSignatureCookieTransform(e.ServiceConfiguration.ServiceCertificate)
    });

    SessionSecurityTokenHandler sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());
    e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
}

This is all working just fine and people have been successfully using the system; however, every now and then we get a blast of:

ID1014: The signature is not valid. The data may have been tampered with.

in the event logs, so I switched on WIF tracing and saw the following mentioned in the log.

ID1074: A CryptographicException occurred when attempting to encrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false.

I have a feeling this is leading me down a dark alley as I thought because I'd changed the implementation to use RSA this shouldn't affect me.

Any ideas to help me?

Glaucous answered 28/5, 2012 at 7:13 Comment(1)
Thanks for the reply, double-checked all that and it's working fine: I can see breakpoints being trapped and also tracing is outputting. I've got FederatedAuthentication.ServiceConfigurationCreated += onServiceConfigurationCreated; in Application_Start. Glaucous
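The following is an added example, not the original poster's code, showing the full Global.asax.cs wiring the question describes (event subscription in Application_Start plus the RSA transform chain) together with the startup checks a practitioner would want before trusting it on a farm: that a service certificate is configured, that its private key is present on this node, and that the handler WIF will actually use for session cookies is the RSA one and not the stock DPAPI-based chain. It targets WIF 1.0 (Microsoft.IdentityModel on .NET 3.5/4.0); the exception messages are this example's own.

```csharp
// Added example (not the original poster's code): Global.asax.cs for a load-balanced
// WIF 1.0 relying party using RSA cookie transforms, with fail-fast startup checks.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;
using Microsoft.IdentityModel.Web.Configuration;

public partial class Global : HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        // Fires once, when WIF builds its ServiceConfiguration from web.config.
        // Without this subscription the default (DPAPI) transforms stay in place.
        FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
    }

    private static void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
    {
        X509Certificate2 cert = e.ServiceConfiguration.ServiceCertificate;

        // RSA transforms need the same certificate, with its private key, on every node, and
        // the application-pool identity needs read access to that key. Fail at startup rather
        // than discover it as intermittent ID1014 errors on whichever node cannot decrypt.
        if (cert == null)
            throw new InvalidOperationException(
                "No <serviceCertificate> configured under <microsoft.identityModel><service>.");
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                "Service certificate " + cert.Thumbprint + " has no private key on this node.");

        var transforms = new List<CookieTransform>
        {
            new DeflateCookieTransform(),
            new RsaEncryptionCookieTransform(cert),   // confidentiality of the cookie payload
            new RsaSignatureCookieTransform(cert)     // integrity; ID1014 is this transform failing
        };
        var sessionHandler = new SessionSecurityTokenHandler(transforms.AsReadOnly());
        e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);

        VerifyRsaTransformsInEffect(e.ServiceConfiguration);
    }

    // Confirms the handler registered for SessionSecurityToken is an RSA chain and that no
    // ProtectedDataCookieTransform (DPAPI, node-specific key) is left in it.
    private static void VerifyRsaTransformsInEffect(ServiceConfiguration config)
    {
        var handler = config.SecurityTokenHandlers[typeof(SessionSecurityToken)] as SessionSecurityTokenHandler;
        if (handler == null)
            throw new InvalidOperationException("No SessionSecurityTokenHandler is registered.");

        bool rsaSignature = false, dpapi = false;
        foreach (CookieTransform t in handler.Transforms)
        {
            if (t is RsaSignatureCookieTransform) rsaSignature = true;
            if (t is ProtectedDataCookieTransform) dpapi = true;
        }
        if (!rsaSignature || dpapi)
            throw new InvalidOperationException(
                "Session cookie transforms are not the RSA chain; cookies would only be readable on the node that wrote them.");
    }
}
```

If the DPAPI-related ID1074 trace message still appears after this is in place, the handler replacement is not taking effect on that node (the event is not subscribed, or a different web.config or assembly is deployed there); the loadUserProfile setting only matters for ProtectedDataCookieTransform, which this chain does not use.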

I changed the implementation to amend the timeout in the OnSessionSecurityTokenCreated method. This prevents the reissue.

// Override in a class derived from Microsoft.IdentityModel.Web.SessionAuthenticationModule.
protected override void OnSessionSecurityTokenCreated(Microsoft.IdentityModel.Web.SessionSecurityTokenCreatedEventArgs args)
{
    // Re-create the session token with a one-year validity window, keeping the
    // principal and context WIF already built.
    args.SessionToken = FederatedAuthentication.SessionAuthenticationModule.CreateSessionSecurityToken(
        args.SessionToken.ClaimsPrincipal,
        args.SessionToken.Context,
        DateTime.UtcNow,
        DateTime.UtcNow.AddDays(365),
        true    // isPersistent: cookie survives browser restarts
        );
    //base.OnSessionSecurityTokenCreated(args);
}
Glaucous answered 7/6, 2012 at 20:55 Comment(3)
What does this override do exactly in terms of the exception you were getting? Gonococcus
I'm sorry I can't remember, I'd have to take a look in the codebase. Glaucous
Thanks, if you get a chance, could you let me know? Gonococcus
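As an added example (not the answerer's code), here is a complete SessionAuthenticationModule subclass showing where WIF 1.0 lets you control the session token lifetime at creation and where the reissue the answer mentions happens: OnSessionSecurityTokenReceived, which can rewrite the cookie on a request. A persistent 365-day token, as in the answer, keeps a signed-in session usable for a year from any machine that holds the cookie; this example instead uses a bounded lifetime that is renewed only while the session is in use (sliding expiration). The class name, the 8-hour and 2-hour values, and the namespace and assembly in the web.config comment are assumptions for the example.

```csharp
// Added example, not from the original thread: bounded session lifetime with sliding
// renewal on a WIF 1.0 (Microsoft.IdentityModel) SessionAuthenticationModule subclass.
//
// Register it in place of the stock module (names of namespace/assembly are assumptions):
//   <system.webServer><modules>
//     <remove name="SessionAuthenticationModule" />
//     <add name="SessionAuthenticationModule"
//          type="MyApp.Security.BoundedSessionAuthenticationModule, MyApp"
//          preCondition="managedHandler" />
//   </modules></system.webServer>
using System;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;

namespace MyApp.Security
{
    public class BoundedSessionAuthenticationModule : SessionAuthenticationModule
    {
        // Example values: total life of one session and how close to expiry we renew it.
        private static readonly TimeSpan SessionLifetime = TimeSpan.FromHours(8);
        private static readonly TimeSpan RenewWhenRemaining = TimeSpan.FromHours(2);

        // Runs once, when the session cookie is first written after sign-in.
        protected override void OnSessionSecurityTokenCreated(SessionSecurityTokenCreatedEventArgs args)
        {
            DateTime now = DateTime.UtcNow;
            args.SessionToken = CreateSessionSecurityToken(
                args.SessionToken.ClaimsPrincipal,
                args.SessionToken.Context,
                now,
                now.Add(SessionLifetime),
                false);                         // session cookie: not persisted across browser restarts
            args.WriteSessionCookie = true;
            base.OnSessionSecurityTokenCreated(args);
        }

        // Runs on every request that carries a readable session cookie. Reissue only when the
        // token is close to expiry, so the cookie is not rewritten on every request.
        protected override void OnSessionSecurityTokenReceived(SessionSecurityTokenReceivedEventArgs args)
        {
            DateTime now = DateTime.UtcNow;
            SessionSecurityToken token = args.SessionToken;
            if (token.ValidTo - now < RenewWhenRemaining)
            {
                args.SessionToken = CreateSessionSecurityToken(
                    token.ClaimsPrincipal,
                    token.Context,
                    now,
                    now.Add(SessionLifetime),
                    token.IsPersistent);
                args.ReissueCookie = true;      // the reissue: a fresh cookie goes out with this response
            }
            base.OnSessionSecurityTokenReceived(args);
        }
    }
}
```

With the RSA transforms from the question, a reissued cookie is readable on every node; with the default DPAPI transforms it is readable only on the node that reissued it, which is one way a reissue can turn into a burst of ID1014 errors on the rest of the farm.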

The browser cookies are encrypted with the "old" mechanism, DPAPI. Therefore, when the server tries to decrypt the cookies, it fails: your code uses RSA now, not DPAPI.

As a workaround, clear the browser cache, and the application will start running as expected.

Rolanderolando answered 28/5, 2012 at 20:49 Comment(1)
We have never used the other system as we are in a load balanced environment. Glaucous
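The workaround in this answer has a server-side equivalent. The following is an added example, not code from the thread: an Application_Error handler in Global.asax.cs that, when a request carries a session cookie this node cannot decrypt or verify (for instance one written under different transforms or by a node with a different certificate), deletes the cookie and retries the request once, so the user is re-challenged by the STS instead of seeing ID1014. It targets WIF 1.0 (Microsoft.IdentityModel); the marker cookie name and the decision to match on CryptographicException in the inner-exception chain are this example's assumptions.

```csharp
// Added example, not from the original thread: recover from an unreadable WIF session
// cookie by dropping it and retrying once, with a guard against redirect loops.
using System;
using System.Diagnostics;
using System.Security.Cryptography;
using System.Web;
using Microsoft.IdentityModel.Web;

public partial class Global : HttpApplication
{
    // Short-lived marker: if the session cookie cannot be removed (different path or
    // domain), we get one failed retry rather than a redirect loop. Name is an assumption.
    private const string RetryMarker = "FedAuthRetried";

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (!IsSessionCookieFailure(ex))
            return;                                   // some other error: leave it to normal handling

        HttpContext ctx = HttpContext.Current;
        if (ctx.Request.Cookies[RetryMarker] != null)
            return;                                   // already retried once: surface the error

        // Keep the evidence. A burst of these across the farm means the nodes disagree on
        // certificate or transforms, which clearing cookies hides but does not fix.
        Trace.TraceWarning("Unreadable session cookie from {0}: {1}",
            ctx.Request.UserHostAddress, ex.GetBaseException().Message);

        SessionAuthenticationModule sam = FederatedAuthentication.SessionAuthenticationModule;
        if (sam == null)
            return;                                   // module not loaded; nothing to clear
        sam.DeleteSessionTokenCookie();               // expires the FedAuth cookie(s) in this response

        ctx.Response.Cookies.Add(new HttpCookie(RetryMarker, "1")
        {
            HttpOnly = true,
            Secure = ctx.Request.IsSecureConnection,
            Expires = DateTime.Now.AddMinutes(1)
        });

        Server.ClearError();
        ctx.Response.Redirect(ctx.Request.RawUrl);    // anonymous retry of the same URL
    }

    // WIF wraps the underlying failure and the outer exception type differs between
    // transforms, so walk the inner-exception chain and match the cryptographic cause.
    private static bool IsSessionCookieFailure(Exception ex)
    {
        for (Exception cur = ex; cur != null; cur = cur.InnerException)
        {
            if (cur is CryptographicException)
                return true;
        }
        return false;
    }
}
```

If the application does its own cryptography, narrow IsSessionCookieFailure (for example by also checking that the request carried a FedAuth cookie) so unrelated CryptographicExceptions are not turned into silent sign-outs.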

Did you try setting the loadUserProfile option to true? Does the problem still occur?

(Select the Application pool in IIS and then click "Advanced Settings" on the right. "Load User Profile" is in the "Process Model" section).

Shotten answered 28/5, 2012 at 19:16 Comment(1)
We haven't tried this purely because we are using RSA not DPAPI. Glaucous

The intermittent occurrence of your error, combined with the DPAPI exception showing up in your traces suggests to me that you aren't actually overriding the cookie transform, and your service is still using DPAPI.

This might be a long shot, but in your code snippet I noticed your method override "onServiceConfigurationCreated" starts with a lower case o. Such a typo would indeed prevent you from properly overriding default WIF behavior.

Oud answered 1/6, 2012 at 20:07 Comment(0)