
ADFS 2.0 SSO The data protection operation was unsuccessful

Hi all,

I am using Identity Training Kit for VS 2010 sample Labs\WebSitesAndIdentity\Source\Ex3-FederatingADFSv2

and I get this error:


Server Error in '/ClaimsEnableWebSite' Application.
The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Security.Cryptography.CryptographicException: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[CryptographicException: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.]
System.Security.Cryptography.ProtectedData.Protect(Byte[] userData, Byte[] optionalEntropy, DataProtectionScope scope) +456
Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Encode(Byte[] value) +54

[InvalidOperationException: ID1074: ???????? ?????????? CryptographicException ??? ??????? ??????????? ???? Cookie ? ?????????????м API ProtectedData (?????????????? ???????? ?м. ? ?????? ??????????? ??????????). ??? ????????????? IIS 7.5 ??? ?????????? м???? ???? ??????? ???????м ??? ????м???? ???? ?????????? loadUserProfile ???????? FALSE. ]
Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Encode(Byte[] value) +145
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +47
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(XmlWriter writer, SecurityToken token) +533
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(SessionSecurityToken sessionToken) +89
Microsoft.IdentityModel.Web.SessionAuthenticationModule.WriteSessionTokenToCookie(SessionSecurityToken sessionToken) +123
Microsoft.IdentityModel.Web.SessionAuthenticationModule.AuthenticateSessionSecurityToken(SessionSecurityToken sessionToken, Boolean writeCookie) +38
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SetPrincipalAndWriteSessionToken(SessionSecurityToken sessionToken, Boolean isSession) +85
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request) +583
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +268
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +148
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75

Version Information:  Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1


Please help.

Any assistance would be greatly appreciated.


7 Answers Found


Answer 1

As the error message says - you need to load the profile in IIS - you can set this in the setting for the AppPool in IIS manager.

Answer 2

Open your IIS Manager and find out which AppPool your application is using:
1. Select your application, right-click it and choose Manage Application -> Advanced Settings; note the Application Pool.
2. On the top left-hand side, select Application Pools and select the App Pool used by your app.
3. Right-click it and select Advanced Settings.
4. Go to the Process Model section, find the "Load User Profile" option and set it to True.

Answer 3

Thanks guys! This is the right advice!

Answer 4

Does this work for IIS 6 as well? According to our hosting company this setting is not possible. Anyone know a work around?




Answer 5

Is your site running under a specific user, i.e. not network service, if so I think your error might be the same as the one i was getting see http://social.msdn.microsoft.com/Forums/en-US/Geneva/thread/44901cb9-c995-4870-88d7-b29893f00828

If you cant use a certificate, in the same example there is some code to use the machine key for encrypting the cookie instead.

Hope this helps
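An added example, not code from this thread or from the WIF SDK, of the certificate-based alternative Answer 5 refers to: in Global.asax the relying party swaps out the DPAPI-based ProtectedDataCookieTransform (the one failing in the stack trace above) for RSA transforms keyed by the site's service certificate. It assumes a <serviceCertificate> is configured under <microsoft.identityModel> in web.config and that the app pool identity can read its private key.

```csharp
// Global.asax.cs of the WIF relying party (added example, not the thread's code).
// Replaces the DPAPI cookie transform, which needs the app pool user's profile,
// with RSA encryption + signature keyed by the service certificate from web.config.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;
using Microsoft.IdentityModel.Web.Configuration;

public class Global : System.Web.HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        // WIF raises this once, when it builds its configuration from web.config.
        FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
    }

    private static void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
    {
        // Assumption: <serviceCertificate> is configured; the check fails closed so the
        // default DPAPI transform is never silently left in place.
        X509Certificate2 cert = e.ServiceConfiguration.ServiceCertificate;
        if (cert == null || !cert.HasPrivateKey)
        {
            throw new InvalidOperationException(
                "A service certificate with a private key is required to protect the session cookie.");
        }

        // Outbound order: compress, then encrypt, then sign. WIF applies the
        // transforms in reverse when it reads the cookie back in.
        var transforms = new List<CookieTransform>
        {
            new DeflateCookieTransform(),
            new RsaEncryptionCookieTransform(cert),
            new RsaSignatureCookieTransform(cert)
        };

        var handler = new SessionSecurityTokenHandler(transforms.AsReadOnly());
        e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(handler);
    }
}
```

Because the cookie is now protected by the certificate's key rather than by the per-user DPAPI key, any farm node holding the same certificate can read it, and the app pool's Load User Profile setting no longer matters for the session cookie.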


Answer 6

Thanks! It worked. I had some problems with the mysterious error "Failed to Execute URL.", but solved it by adding handlers for the static file types that should be supported:

      <!-- inside <system.web> -->
      <httpHandlers>
        <add verb="*" path="*.gif" type="System.Web.StaticFileHandler" />
        <add verb="*" path="*.png" type="System.Web.StaticFileHandler" />
        <add verb="*" path="*.css" type="System.Web.StaticFileHandler" />
        <add verb="*" path="*.js" type="System.Web.StaticFileHandler" />
      </httpHandlers>



Answer 7

Funnily enough I had the "Failed to execute" error and it was down to having

      <deny users="?" />

missing from my config file. I guess there is some logic there, because if we are using the WIF stuff and sending all files through it, then it will be expecting an authentication token unless we have specified the location to allow access to all.





I'm trying to implement Idp Initiated SSO for my current setup (explained below).

Idp <-> ADFS 2.0 (Fp-STS) <-> RP App (using WIF)

In the ADFS 2.0 (Fp-STS) I have configured the Idp to pass the SAML response to https://<ADFS FP-STS>/adfs/ls/ 
I have configured the RP App (its a sample Claims aware webapp from WIF SDK) to read the 'Name' and 'Role' from Fp-STS

From the other posts, I found that IdpInitiated SSO is not possible with WIF RP App (since it uses WS-*) using ADFS 2.0; under the hood it tries RP Initiated SSO.

So I tried my setup with RP Initiated SSO, and below are the steps
1. Browser link: https://<RP App>/ClaimsAwareWebApp/default.aspx
2. Since the RP is set to point to ADFS, I am redirected to the ADFS (FP-STS) HomeRealmDiscovery page, where I get a list of all Claims Provider Trusts that are configured in ADFS
3. I select Idp from the list
4. Browser redirects to Idp site, where I key in the credentials and get authenticated and the browser is redirected to ADFS (Fp-STS) url: https://<ADFS FP-STS>/adfs/ls/ 

On reaching this URL, I get the message below, with no sign of SAML response encoding / decoding

MSIS7000: The sign in request is not compliant to the WS-Federation language for web browser clients or the SAML 2.0 protocol WebSSO profile.
Additional data: b4bfbf12-87d1-4302-bd2b-682adc70885e

With Trace Event error
Cannot get WSFederation/SAMLP message from HTTP query. The following errors occured when trying to parse incoming HTTP request:
Microsoft.IdentityServer.Protocols.Saml.HttpSamlMessageException: MSIS7015: This request does not contain the expected protocol message or incorrect protocol parameters were found according to the HTTP SAML protocol bindings.
at Microsoft.IdentityServer.Web.HttpSamlMessageFactory.CreateMessage(HttpContext httpContext)
at Microsoft.IdentityServer.Web.FederationPassiveContext.EnsureCurrent(HttpContext context

But when I try the very same thing from the Idp side, I can see in the trace log that the encrypted SAML response is received and decrypted.

Note: The claims supplied by the Idp don't match any of the default AD claims in ADFS, so during the Claims Provider and Relying Party configuration I have not included any claim rules and left them blank.


I am testing IDP initiated sign-on from ADFS 2 to salesforce.com. I have been trying unsuccessfully to pass the Mail attribute to salesforce as the User ID. I have extracted the SAML assertion using Fiddler and put it into salesforce's SAML validator and it passes all checks except the most important one, i.e. it can't find a username or Federation ID.

There is definitely an email address entered in Active Directory for my test user. Can anyone shed any light on why this might be failing?





Is it possible to achieve identity provider initiated SAML 2.0 SSO with ADFS 2.0?


Here is the scenario

ADFS 2.0 is configured with Relying Party Trust. RP is a .NET WIF claims aware application

ADFS 2.0 is also configured with 1 AD and multiple claims provider trusts. These claims providers are SAML 2.0 Identity Providers wants to the .NET WIF application

Can the SAML 2.0 Identity Providers POST a SAML 2.0 token to ADFS 2.0 endpoint url and in turn ADFS forwarding that request to RP?




Hi Guys,

I need help on implementing IdP initiated SSO using ADFS 2.0.

Please let me know how we implement this and what configuration needs to be done in the ADFS 2.0 console to achieve this.

It's very urgent for me; kindly revert back if anyone has done this before.



We are trying to configure Tivoli to send an IdP Initiated SSO request to ADFS. The request successfully comes to our ADFS server and the claims are processed. We use a SQL Attribute store to perform some logging and we can see that the request is processed correctly. However, the user is not redirected to the RP. They are presented with the IdPInitiatedSignOn.aspx page. When the user selects one of the RP applications and clicks 'GO' a request is sent to Tivoli. Tivoli throws the error:

FBTSML238E The SAML message signature could not be validated.

The problem is that ADFS is not signing the request. I verified that with Fiddler. I have looked at the configuration for ADFS both in the GUI and in PowerShell and haven't found a setting to force ADFS to sign this request. Unfortunately, the IdP staff has not found a way to allow Tivoli to accept an unsigned request.

The SAMLREQUEST Parameter looks like this:

<samlp:AuthnRequest ID="id-d293a2d0-6dc1-4fba-b0f9-f1895bd52dfd"
                    Version="2.0"
                    IssueInstant="2010-12-20T17:13:50.221Z"
                    Destination="https://partnerURL"
                    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">Our Entity ID</Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" />
</samlp:AuthnRequest>

The RelayState is set to a GUID.

Is there any way to have ADFS sign this request?





Just curious: even if the SSO Master Secret Server was installed and configured on a SQL Cluster, is it still necessary to install both the Administration Module and the SSO Master Secret Server on each BizTalk 2009 server in the farm, in order to configure each BizTalk server to join an existing SSO System?





Hello all forum Members,

This is my question related to object oriented programming concept. I can't find a place for it to post.

I think it is the related place for it.

so that, i am posting it here.

I have a doubt in mind related to object oriented programming concept called as "Data Protection".

Can you tell me the difference between Data Hiding & Data Protection? Are they the same or is there any difference between them?

If there is any difference, can you explain it to me?

I know Data Hiding concept.

It means that data is concealed within a class, so that it can't be accessed by functions outside the class even by mistake.

I want your views on above issue.

Please give your reply.

Thanks in advance.


I have an issue with Data Protection Manager server SQL Database.  The DPM server can't connect to the SQL database.  It appears to relate back to an error in the Application event log:  "A page that should have been constant has changed (expected checksum: 696dcf38, actual checksum: 696dc738, database 7, file 'C:\Program Files\Microsoft DPM\DPM\DPMDB\MSDPM2010RC.mdf', page (1:20607)). This usually indicates a memory failure or other hardware or OS corruption."  I am also now getting an error 3313 that says "During redoing of a logged operation in database 'DPMDB', an error occurred at log record ID (171:123502:2). Typically, the specific failure is previously logged as an error in the Windows Event Log service. Restore the database from a full backup, or repair the database."  I'm running DPM 2010 with SQL 2008 on Windows Server 2008 R2.  Is there anything I can do to repair the database, or am I out of luck?


FEITIAN Technologies Co Ltd., announces ROCKEY update offering Flash .swf file protection. 


Beijing, China, August 25th / FEITIAN Technologies Co Ltd., (www.ftsafe.com), a leading software security company specializing in authentication and software protection products, today announces an update to the ROCKEY 4 model that will provide .swf protection.


ROCKEY's family of products is designed to help software developers protect their software's intellectual property rights through ROCKEY's advanced hardware-based protection system, thus preventing revenue loss due to software piracy. The small device can be easily distributed and applied to software. ROCKEY's user-friendly integration tools make protecting software copyright easier than ever. And now they will offer even further protection covering Flash .swf files.


As everyone knows, piracy is a huge industry, and it is taking away needed profits from software developers. Studies from the BSA (Business Software Alliance) have shown that the piracy rate in 2009 has risen to an astonishing 43%. That would mean that nearly half of all software that is used is pirated. Measures need to be put in place to slow down and eventually stamp out piracy.


Software and computers have become a daily part of many people’s lives around the world. Due to this, software spans many industries, ranging from computers, gaming, government and business to education. In the education industry piracy can affect the learning and benefit of students, thus affecting everyone’s future.


Flash files can be posted on the Internet and viewed by anyone that has a flash player.  But what if you wanted to use Flash for products?  How could it be protected?  Using the ROCKEY 4 you will have complete protection.  Once the file is posted on the Internet it can only be viewed if the software protection dongle (USB) is inserted into the user’s computer.  The dongle stores part of the code and together with the software it is able to be viewed.  No dongle, no software, no flash. 


When educational publications are pirated it takes away investment from the educational industries, ending in loss and less educational products for students.  The future of technology is bringing us easier and more interactive ways to learn and helping to educate the world.  This is a worldwide problem that must be handled.  FEITIAN’s products offer the perfect solution, stopping piracy in its tracks.  Through the use of the upgrade educational companies will be able to protect their Flash .SWF files, offering an innovative way for children and students to learn. 


FEITIAN’s main goal for the ROCKEY line is to stamp out piracy and let software developers do what they should be doing: developing new software for the world to benefit from.


For more information on FEITIAN’s ROCKEY product line visit their site at www.ftsafe.com. 


“Through the update of our ROCKEY product line software education companies will have freedom to produce their applications using flash, a widely adopted product used by most of the world,” said Mr. Liu, FEITIAN’s International Operations Director. “This will offer more potential and other avenues for profits and for education without the fear of software being stolen and copied.”




FEITIAN is a leading supplier of strong authentication, e-signature, PKI, software protection and Smart Card related products.  Since its establishment in 1998 FEITIAN has quickly become one of the world leaders in the industry providing solutions and products around the world.  FEITIAN is dedicated to being the leading innovator of smart card and chip operating based security technologies and applications.  For more information about FEITIAN please visit www.ftsafe.com.  



I reinstalled the StockTrader app onto one of our corporate testnet Windows 2003 Servers. I got to pp. 16-17, configuring the IIS Business Service to remotely activate the Order Processor Service via the OrderMode settings for Business Services in the .NET StockTrader Configuration Service doc when I received this error 'An attempt to update the configuration key was unsuccessful'. I was updating the Change Value setting from Sync_InProcess to Async_Msmq. MSMQ is installed. I also was successful in logging on and performing multiple stock transactions remotely from a workstation in another building but am still just beginning to familiarize myself with this incredible App. Very impressive Greg.

Note: Reinstalling onto Windows 2003 Server I also have not run up against the "Cannot Find Hosted Service Exception" error...yet.

Thanks in advance.


I have a few questions and will post each separately. I am also continuing to search docs and forums for better answers than I already have.

When uninstalling ADFS 2.0, the ADFS website configuration in IIS (including the AppPool & applications/virtual directories) is not cleaned up, and the ADFS 2.0 SSEE database is also not removed.

a.       Is this by design or other?  Is there another option to have the uninstaller clean-up the ancillary configurations?

b.      When doing a re-install of ADFS 2.0, a manual activity (now automated by us) must be accomplished to get the environment back to an installable configuration.


 Thanks in advance!


If we change a username in Active Directory then we can't authenticate using the changed username via the provided Passive Federation webpage unless we restart the ADFS server. Restarting the ADFS service seems insufficient. The user typically has already logged in when their username is changed, but signing them out doesn't seem to help.

Obviously we can't just be restarting our ADFS server every time someone changes their username. Is there a way to overcome this limitation?


This is an interesting question. Right now I have made my site ADFS aware using the STS wizard; this makes any user who is visiting my web site go to ADFS immediately for authentication, but I want my login button to take him there instead of it happening automatically.

How can I do this? Essentially I want to determine myself, in a server-side page event, whether the user is logged in or not; if not, display a generic page, and then when he clicks on login he should be taken to ADFS for authentication. I know I can check if he/she is authenticated or not, but how do I stop the auto redirection and do it myself, and also how do I provide a logout option?

Hi All

I recently tried to restore a section of a site using stsadm. I got a versioning error when I tried to install it. Now I can't access any of the pages at the site level I tried to install (//localhost/); anything at //localhost/sites/ works fine. I tried a DB backup/restore. It didn't help.

When I look at the pages in Designer they give me an error "Server Error: The Url "http://localhost/_vti_bin/_vti_aut/author.dll" is not contained within a Windows Sharepoint Service site." Any help would be greatly appreciated. I've been searching forums all day and nothing seems to be working.



P.S. The section of the site i tried to restore was from a different site. It also contained a third party SP application called "K2".


Please Help me with this..

I installed Microsoft Visual Studio 2008 Professional Edition but I can't use the database...

this is my log errors...


[01/09/11,17:54:05] Microsoft SQL Server 2005 Express Edition (x86): [2] Component Microsoft SQL Server 2005 Express Edition (x86) returned an unexpected value.

i'm not connected with the internet...

only SQL installation is my problem



I can't figure out a way to gracefully handle any and all unsuccessful attempts to connect to an IP address. The code below is successful if the IP address exists and is reachable, but if the user types in a nonexistent IP address or one for which the destination host is unreachable, it is not throwing a socket exception in the expected 5 seconds. Thank you.

private void buttonConnect_Click(object sender, EventArgs e)
{
    this.Cursor = Cursors.WaitCursor;
    try
    {
        Socketsender = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
        int value = 5000;  // 5 second timeout
        // Note: ReceiveTimeout only bounds Receive(); it does not limit Connect().
        Socketsender.ReceiveTimeout = value;

        ipHostInfo = Dns.GetHostEntry(textBoxIPAddress.Text);
        ipAddress = ipHostInfo.AddressList[0];

        //Create a TCP/IP socket
        remoteEP = new IPEndPoint(ipAddress, 50000);

        //Connect the socket to the remote endpoint (blocking connect).
        if (!Socketsender.Connected)
            Socketsender.Connect(remoteEP);

        Timer = new System.Windows.Forms.Timer();
        Timer.Interval = 500;
        Timer.Tick += new EventHandler(GetDeviceList);
    }
    catch (System.Net.Sockets.SocketException Socket_ex)
    {
        MessageBox.Show(Socket_ex.Message);
    }
    finally
    {
        this.Cursor = Cursors.Default;
    }
}
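As an added example (not the poster's code), this is the pattern I would use so that a nonexistent or unreachable address fails within the intended 5 seconds: Socket.ReceiveTimeout only bounds Receive(), so the connect itself has to be bounded by starting it with BeginConnect and waiting on its handle. The class and method names are assumptions.

```csharp
// Added example, not the poster's code: a TCP connect with a real timeout.
// A blocking Connect() waits for the OS to give up on an unreachable host, which
// can take far longer than the 5 s the poster expects; this bounds it explicitly.
using System;
using System.Net;
using System.Net.Sockets;

public static class TimedConnect
{
    // Returns a connected socket, or throws SocketException (bad name, refused,
    // host unreachable) or TimeoutException (no answer within timeoutMs).
    public static Socket Connect(string hostOrIp, int port, int timeoutMs)
    {
        // Resolve once; for a dotted-quad this simply returns that address.
        IPAddress[] addresses = Dns.GetHostAddresses(hostOrIp);
        IPAddress address = Array.Find(addresses, a => a.AddressFamily == AddressFamily.InterNetwork);
        if (address == null)
            throw new SocketException((int)SocketError.HostNotFound);

        var socket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
        try
        {
            IAsyncResult ar = socket.BeginConnect(new IPEndPoint(address, port), null, null);

            // Wait at most timeoutMs for the handshake to complete or fail.
            if (!ar.AsyncWaitHandle.WaitOne(timeoutMs, false))
            {
                // Timed out: closing the socket cancels the pending connect.
                socket.Close();
                throw new TimeoutException(string.Format(
                    "No response from {0}:{1} within {2} ms", address, port, timeoutMs));
            }

            // Surfaces "connection refused" / "host unreachable" as SocketException.
            socket.EndConnect(ar);
            return socket;
        }
        catch
        {
            // Never leak a half-open socket on any failure path.
            socket.Close();
            throw;
        }
    }
}
```

In the button handler this replaces the Connect call: `Socket s = TimedConnect.Connect(textBoxIPAddress.Text, 50000, 5000);` inside a try that catches both SocketException and TimeoutException.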



We are looking at deploying ADFS 2.0 as a component of an SSO solution. My question revolves around the approach for High Availability. We already have a significant investment in BigIP, and do not use NLB at all. I am wondering if two (or more) ADFS services can share a single SQL Server data source without being configured as part of an NLB-based "ADFS Farm". My intent is to share the common data between multiple ADFS service instances, then use BigIP to manage monitoring and access in more of an "Active / Active" profile. I would assume that user requests would need to be "sticky" to the ADFS instance by which they were validated. Is this true in the NLB scenario as well? I can certainly run a POC on this, and probably will, but I was hoping for some insight first.




I rarely deal with bitwise operations, but today I'm building a security system and decided to use an Enum to define the various operations that a particular object/entity would have available to any given user/group, and slapped the FlagsAttribute on it. So now for any given user/group and a given object/entity I store one record in the database to define their permissions for said operations. Normally I would store one row for the given user/group for the given object/entity for each distinct operation, but I wanted to explore this idea I had in my head before I headed down the traditional route.

My Enum looks like this:




            [Flags]
            public enum Permission   // enum name assumed; the post shows only the members
            {
                Read = 1,
                Write = 2,
                Delete = 4
            }


My database and data look like this right now (SQL Server). All columns are of type int. What this data says is that for the object/entity with ID 13, the user with ID 4 has all permissions assigned (Read | Write | Delete):

ACLID   ObjectID   IdentityID   Allow   Permission
1       13         4            null    7

So to the question: Is it possible, using bitwise logic, to also store a boolean value for each distinct operation the user/group is assigned into the column Allow and map between them properly? So for example for the above given row I need to store true or false for the Read, true or false for the Write, and true or false for the Delete and be able to re-hydrate each boolean value for their assigned operation in c# when it comes time to display these values in the UI. Examples of how to make this work are needed.

P.S. If it's possible and easier to store these extra boolean data points in the Permission field and get rid of the Allow field, I'm all for that too.
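An added example (not the poster's code) of one way to do this in C#: keep the assigned operations in the Permission column and a second bitmask in the Allow column, where bit n of Allow says whether assigned operation n is allowed or explicitly denied, and an unassigned operation is denied by default. Class and method names are assumptions.

```csharp
// Added example, not the poster's code. Two int columns: Permission = which
// operations are assigned at all, Allow = which of those are allowed. A set
// Permission bit with a clear Allow bit is an explicit deny.
using System;

[Flags]
public enum Permission
{
    None   = 0,
    Read   = 1,
    Write  = 2,
    Delete = 4
}

public sealed class AclEntry
{
    public int ObjectId { get; set; }
    public int IdentityId { get; set; }
    public Permission Assigned { get; set; }   // maps to the Permission column
    public Permission Allowed { get; set; }    // maps to the Allow column

    // Allowed only when the operation is assigned AND its Allow bit is set;
    // anything unassigned is denied by default (least privilege).
    public bool IsAllowed(Permission op)
    {
        return (Assigned & op) == op && (Allowed & op) == op;
    }

    // Assigned but not allowed: an explicit deny, worth showing in the UI.
    public bool IsDenied(Permission op)
    {
        return (Assigned & op) == op && (Allowed & op) != op;
    }

    // Set one operation from the UI's (assigned?, allowed?) pair of checkboxes.
    public void Set(Permission op, bool assigned, bool allowed)
    {
        Assigned = assigned ? (Assigned | op) : (Assigned & ~op);
        // Never leave an Allow bit set for an operation that is not assigned.
        Allowed = (assigned && allowed) ? (Allowed | op) : (Allowed & ~op);
    }

    // The two ints to write back to the row.
    public int PermissionColumn { get { return (int)Assigned; } }
    public int AllowColumn { get { return (int)Allowed; } }

    // Re-hydrate from the ints read from SQL Server. Allow may still be NULL in
    // old rows; NULL is treated as "nothing explicitly allowed", i.e. deny.
    public static AclEntry FromRow(int objectId, int identityId, int permission, int? allow)
    {
        return new AclEntry
        {
            ObjectId = objectId,
            IdentityId = identityId,
            Assigned = (Permission)permission,
            Allowed = (Permission)(allow ?? 0)
        };
    }
}

public static class Demo
{
    public static void Main()
    {
        // The row from the question: object 13, identity 4, Permission = 7, Allow = NULL.
        AclEntry row = AclEntry.FromRow(13, 4, 7, null);
        row.Set(Permission.Read, true, true);     // Read: assigned and allowed
        row.Set(Permission.Write, true, true);    // Write: assigned and allowed
        row.Set(Permission.Delete, true, false);  // Delete: assigned, explicitly denied

        Console.WriteLine("Permission={0} Allow={1}", row.PermissionColumn, row.AllowColumn);
        foreach (Permission op in new[] { Permission.Read, Permission.Write, Permission.Delete })
            Console.WriteLine("{0}: allowed={1} denied={2}", op, row.IsAllowed(op), row.IsDenied(op));
    }
}
```

On the P.S.: the Allow bits could be packed into the upper bits of the Permission column instead (e.g. shifted left by 8), but two columns keep the "assigned" and "allowed" meanings separate and make the explicit-deny case visible in plain SQL.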



I'm using EF 4.0 to manage database access for my application, however I also need stored procedures for other functions in my application that return complex types. If I use an asp.mvc application to access my entities and function imports  I have no issues what so over. Trying to migrate the same functionality to Silverlight with WCF Data Services is giving me no end of trouble.

I've added a service operation with the following code.


[WebGet]   // required for a WCF Data Services service operation
public IEnumerable<FoundFunds> SearchFunds(int? fundId, string fundName)
{
    return CurrentDataSource.SearchFunds(fundId, fundName);
}


note: I've simplified all code examples for clarity.

I'm able to access this service operation directly using the following url, so I know it works.


I've added the service reference to my Silverlight 4 project and use the following code to access the Service Operation.

// Escape the user-supplied name so a quote in it cannot break (or alter) the query.
Uri uri = new Uri(String.Format("{0}/SearchFunds?fundId={1}&fundName='{2}'",
    _context.BaseUri, FundId, Uri.EscapeDataString(FundName)), UriKind.RelativeOrAbsolute);

_context.BeginExecute<FoundFunds>(uri, SearchFunds_Completed, null);

private void SearchFunds_Completed(IAsyncResult result)
{
    SearchFoundFunds = _context.EndExecute<FoundFunds>(result).ToList();
}


When I execute this code I get the following error:

The closed type FoundFunds does not have a corresponding element settable property.

I have not been able to find any way to solve this. I've checked the complex type FoundFunds and all properties have get and sets. I've not been able to find any good information that shows me how to call Service Operations from Silverlight 4. Is there another way?

Silverlight 4 is dead in the water for us if there isn't a way for us to call Service Operations. I know I could just build a standard WCF Service and create my own data object, but that is simply not an option. I have to use the Function Import that is provided by EF 4.0.

Any help would be greatly appreciated.



