Home/ Questions/Q 8043135
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-05T04:48:44+00:00

I’ve been using WIF to authenticate our new website, the STS is based upon

  • 0

I’ve been using WIF to authenticate our new website, the STS is based upon the starter-sts implementation.

To enable this to work correctly on out load balanced environment I’ve used the following in the global.asax to override the default certificate behaviour.

void onServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
        {
            List<CookieTransform> sessionTransforms = new List<CookieTransform>(new CookieTransform[] 
            { 
                new DeflateCookieTransform(), 
                new RsaEncryptionCookieTransform(e.ServiceConfiguration.ServiceCertificate),
                new RsaSignatureCookieTransform(e.ServiceConfiguration.ServiceCertificate)
            });

            SessionSecurityTokenHandler sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());
            e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
        }

This is all working just find and people have been successfully using the system, however every now and then we get a blast of :

ID1014: The signature is not valid. The data may have been tampered with.

in the event logs, so I switched on WIF tracing and saw the following mentioned in the log.

ID1074: A CryptographicException occurred when attempting to encrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false.

I have a feeling this is leading me down a dark alley as I thought because I’d changed the implementation to use RSA this shouldn’t affect me.

Any ideas to help me?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I changed the implementation to amend the timeout in the ontokencreated method. This prevents the reissue.

    protected override void OnSessionSecurityTokenCreated(Microsoft.IdentityModel.Web.SessionSecurityTokenCreatedEventArgs args)
        {
            args.SessionToken = FederatedAuthentication.SessionAuthenticationModule.CreateSessionSecurityToken(
                args.SessionToken.ClaimsPrincipal,
                args.SessionToken.Context,
                DateTime.UtcNow,
                DateTime.UtcNow.AddDays(365),
                true
                );
            //base.OnSessionSecurityTokenCreated(args);
        }
    • 0