1
我目前使用Forms Auth驗證跨子域。所以我有以下服務器:是否可以在子域中使用WIF SessionAuthenticationModule Cookie?
site1.domain.com
site2.domain.com
他們能夠共享Forms Auth cookie。這裏是一個鏈接,如何這是可能的: http://msdn.microsoft.com/en-us/library/eb0zx8fc(v=VS.100).aspx
但現在我加入聲明爲我的應用程序,它似乎是,當我把這個行:
var sessionToken = new SessionSecurityToken(principal);
FederatedAuthentication.SessionAuthenticationModule.CookieHandler.Domain = "domain.com";
FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(sessionToken);
,有一個「FedAuth =」所寫入的cookie包含序列化和加密的聲明。
但現在我無法在我的一個子域(site1)中設置FedAuth cookie,並讓其他子域讀取它(site2)。我得到這個錯誤:
Key not valid for use in specified state.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Security.Cryptography.CryptographicException: Key not valid for use in specified state.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[CryptographicException: Key not valid for use in specified state.]
System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope) +397
System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded) +90
[InvalidOperationException: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false.]
System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded) +1158198
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +173
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver) +756
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver) +100
System.IdentityModel.Services.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[sessionCookie) +668
System.IdentityModel.Services.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken) +164
System.IdentityModel.Services.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +173
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +165
之前,與形式身份驗證,這不是一個問題,它只是工作。
爲了在所有使用相同域的子域之間共享這些FedAuth cookie,我需要做些什麼?
是的,這兩個網站的web.config文件具有相同的machineKey。並且每個站點的應用程序池上的loadProfile設置都設置爲false。
我希望能夠做到這一點而不涉及STS。 STS引入了開銷和複雜性,我看不出有什麼理由不應該將FedAuth cookie子域中的索賠包裝好。
謝謝, 邁克