Home/ Questions/Q 4241598
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-21T03:19:46+00:00

I’m trying to run WIF Relying Party application on a shared host. They will

  • 0

I’m trying to run WIF Relying Party application on a shared host. They will not set the IIS Setting LoadUserProfile to true and as such I’m getting the following error:

Message: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread’s user context, which may be the case when the thread is impersonating. ExceptionStackTrace: at System.Security.Cryptography.ProtectedData.Protect(Byte[] userData, Byte[] optionalEntropy, DataProtectionScope scope) at Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Encode(Byte[] value)

Is there anyway around this?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Yes, this is because you are using the default token encryption which relies on DPAPI. You can replace that with certficate based encryption. See here: http://msdn.microsoft.com/en-us/library/ff803371.aspx (scroll to “There is one further change to the application…” )

    The code is:

    void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
{
    var sessionTransforms =
        new List<CookieTransform>(
            new CookieTransform[] 
            {
                new DeflateCookieTransform(), 
                new RsaEncryptionCookieTransform(
                    e.ServiceConfiguration.ServiceCertificate),
                new RsaSignatureCookieTransform(
                    e.ServiceConfiguration.ServiceCertificate)  
            });
    var readOnlyTransforms = sessionTransforms.AsReadOnly();
    var sessionHandler = new SessionSecurityTokenHandler(readOnlyTransforms);

    e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
}

    and

    void Application_Start(object sender, EventArgs e)
{
    FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
}

    Both on the global.asax.cs

    BTW, this is also the “web farm friendly” way of configuring WIF, so it is machine (instance) independant. Windows Azure deployments are essentially web farms, so that’s why you see it in that chapter.

    Update: In newer versions the API has changed. The updated code would look like this

    void OnFederationConfigurationCreated(object sender, FederationConfigurationCreatedEventArgs e)
{
    var sessionTransforms = new List<CookieTransform>(
        new CookieTransform[]
            {
                new DeflateCookieTransform(),
                new RsaEncryptionCookieTransform(e.FederationConfiguration.ServiceCertificate),
                new RsaSignatureCookieTransform(e.FederationConfiguration.ServiceCertificate)
            });
    var sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());

    e.FederationConfiguration
        .IdentityConfiguration
        .SecurityTokenHandlers
        .AddOrReplace(sessionHandler);
}

    and

    protected void Application_Start()
{
    FederatedAuthentication.FederationConfigurationCreated += OnFederationConfigurationCreated;
}
    • 0