
ADFS 2.0 SSO The data protection operation was unsuccessful

Hi all,

I am using Identity Training Kit for VS 2010 sample Labs\WebSitesAndIdentity\Source\Ex3-FederatingADFSv2

and I have error:


Server Error in '/ClaimsEnableWebSite' Application.
The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Security.Cryptography.CryptographicException: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[CryptographicException: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.]
System.Security.Cryptography.ProtectedData.Protect(Byte[] userData, Byte[] optionalEntropy, DataProtectionScope scope) +456
Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Encode(Byte[] value) +54

[InvalidOperationException: ID1074: ???????? ?????????? CryptographicException ??? ??????? ??????????? ???? Cookie ? ?????????????м API ProtectedData (?????????????? ???????? ?м. ? ?????? ??????????? ??????????). ??? ????????????? IIS 7.5 ??? ?????????? м???? ???? ??????? ???????м ??? ????м???? ???? ?????????? loadUserProfile ???????? FALSE. ]
Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Encode(Byte[] value) +145
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +47
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(XmlWriter writer, SecurityToken token) +533
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(SessionSecurityToken sessionToken) +89
Microsoft.IdentityModel.Web.SessionAuthenticationModule.WriteSessionTokenToCookie(SessionSecurityToken sessionToken) +123
Microsoft.IdentityModel.Web.SessionAuthenticationModule.AuthenticateSessionSecurityToken(SessionSecurityToken sessionToken, Boolean writeCookie) +38
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SetPrincipalAndWriteSessionToken(SessionSecurityToken sessionToken, Boolean isSession) +85
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request) +583
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +268
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +148
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75


Version Information:  Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1


Please help.

Any assistance would be greatly appreciated.


7 Answers Found


Answer 1

As the error message says, you need to load the profile in IIS. You can set this in the settings for the AppPool in IIS Manager.

Answer 2

Open your IIS Manager. Find out what AppPool your application is using by selecting your App, right-clicking on it, and selecting Manage Application -> Advanced Settings. After that, on the top left-hand side, select Application Pools and select the App Pool used by your app. Right-click on it, select Advanced Settings, go to the Process Model section, find the "Load User Profile" option and set it to True.

Answer 3

Thanks guys! This is the right advice!

Answer 4

Does this work for IIS 6 as well? According to our hosting company this setting is not possible. Anyone know a work around?

Thanks,

Kristoffer


Answer 5

Is your site running under a specific user, i.e. not Network Service? If so, I think your error might be the same as the one I was getting; see http://social.msdn.microsoft.com/Forums/en-US/Geneva/thread/44901cb9-c995-4870-88d7-b29893f00828

If you can't use a certificate, in the same example there is some code to use the machine key for encrypting the cookie instead.

Hope this helps

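The certificate-based alternative mentioned above, as an added example (not code from the thread or from the training-kit sample): the stack trace shows WIF 1.0 (Microsoft.IdentityModel) protecting the session cookie with DPAPI via ProtectedDataCookieTransform, which needs the worker process user profile. Swapping in RSA cookie transforms keyed by the relying party's service certificate removes that dependency. It assumes a `<serviceCertificate>` element is configured in web.config so that `ServiceCertificate` is non-null; the handler and event names are the public WIF 1.0 API.

```csharp
// Added example: replace the DPAPI cookie transform with RSA transforms keyed by the
// relying party's service certificate. Assumes WIF 1.0 (Microsoft.IdentityModel) and a
// <serviceCertificate> configured in web.config (not shown in the original thread).
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;

public class Global : System.Web.HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        // WIF raises this once, when it builds its configuration from web.config.
        FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
    }

    private static void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
    {
        var cert = e.ServiceConfiguration.ServiceCertificate;
        if (cert == null || !cert.HasPrivateKey)
        {
            // Fail closed at startup instead of at first sign-in: without a usable private
            // key the cookie could be written but never read back.
            throw new InvalidOperationException(
                "Configure <serviceCertificate> with a private key in web.config first.");
        }

        // Order matters: WIF applies the transforms in this order when writing the cookie
        // (compress, encrypt, sign) and in reverse when reading it (verify, decrypt, inflate).
        var transforms = new List<CookieTransform>
        {
            new DeflateCookieTransform(),
            new RsaEncryptionCookieTransform(cert),
            new RsaSignatureCookieTransform(cert)
        };

        var sessionHandler = new SessionSecurityTokenHandler(transforms.AsReadOnly());
        e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
    }
}
```

The app pool identity must have read access to the certificate's private key (grant it on the key in the certificate store), and because the cookie is no longer bound to one machine's DPAPI profile, the same certificate can be installed on every node of a web farm.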

Answer 6

Thanks! It worked. I had some problems with the mysterious error "Failed to Execute URL.", but solved it by adding handlers for the static file types that should be supported:

    <httpHandlers>
      <add verb="*" path="*.gif" type="System.Web.StaticFileHandler" />
      <add verb="*" path="*.png" type="System.Web.StaticFileHandler" />
      <add verb="*" path="*.css" type="System.Web.StaticFileHandler" />
      <add verb="*" path="*.js" type="System.Web.StaticFileHandler" />
    </httpHandlers>


Answer 7

Funnily enough, I had the "Failed to execute" error and it was down to having

    <authorization>
      <deny users="?" />
    </authorization>

missing from my config file. I guess there is some logic there, because if we are using the WIF stuff and sending all files through it, then it will be expecting an authentication token unless we have specified the location to allow access to all.
