2
votes

I'm currently authenticating across sub-domains using Forms Auth. So I have the following servers:

site1.domain.com
site2.domain.com

and they're able to share a Forms Auth cookie. Here is a link to how that's possible: http://msdn.microsoft.com/en-us/library/eb0zx8fc(v=VS.100).aspx

But now I am adding Claims to my application, and it seems that when I call this line:

// Build a session token from the authenticated principal's claims
var sessionToken = new SessionSecurityToken(principal);
// Scope the cookie to the parent domain so both sub-domains receive it
FederatedAuthentication.SessionAuthenticationModule.CookieHandler.Domain = "domain.com";
// Serialize, protect and write the token as the FedAuth cookie
FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(sessionToken);

that there is a "FedAuth=" cookie written which contains the Claims serialized and encrypted.

But now I cannot set a FedAuth cookie in my one sub-domain (site1) and have the other sub-domain read it (site2). I get this error:

Key not valid for use in specified state.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 
Exception Details: System.Security.Cryptography.CryptographicException: Key not valid for use in specified state.
Source Error: 
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.  
Stack Trace: 
[CryptographicException: Key not valid for use in specified state.]
System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope) +397
System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded) +90

[InvalidOperationException: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false.]
System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded) +1158198
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +173
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver) +756
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver) +100
System.IdentityModel.Services.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[] sessionCookie) +668
System.IdentityModel.Services.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken) +164
System.IdentityModel.Services.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +173
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +165

Before, with Forms Auth, this was not an issue; it just worked.

What do I need to do in order to share these FedAuth cookies between sub-domains that all use the same domain?

And yes, both sites' web.config files have the same machineKey. And the loadProfile setting on the Application pool for each site is set to false.

I want to be able to do this without involving an STS. An STS introduces overhead and complexity, and I don't see any reason why you should not be able to make the Claims that are wrapped into the FedAuth cookie sub-domain friendly.

Thanks, Mike


1 Answer

1
votes

I actually found the answer to my question in the web.config file settings in this answer: MachineKeySessionSecurityTokenHandler and the session token expiring between application restarts
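Added example, not code from the question or the linked answer: the web.config fragment that swaps the default DPAPI-backed SessionSecurityTokenHandler for MachineKeySessionSecurityTokenHandler (WIF in .NET 4.5), so the FedAuth cookie is protected with the shared machineKey instead of a DPAPI key tied to one machine's app-pool user profile, which is why site2 cannot decrypt what site1 wrote. The domain value, the assembly version strings and the placeholder key values are assumptions; both sites must carry an identical, explicitly set machineKey for the cookie to decrypt on either host.

```xml
<configuration>
  <system.web>
    <!-- Assumption: identical, explicitly generated keys on site1 and site2.
         Placeholders only; never use AutoGenerate here, or the two sites
         will hold different keys and the cookie will fail again. -->
    <machineKey validationKey="[REPLACE-WITH-SHARED-VALIDATION-KEY]"
                decryptionKey="[REPLACE-WITH-SHARED-DECRYPTION-KEY]"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>

  <system.identityModel>
    <identityConfiguration>
      <securityTokenHandlers>
        <!-- Remove the DPAPI-based handler that produced
             "Key not valid for use in specified state" across hosts -->
        <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        <!-- Protect the session cookie with the shared machineKey instead -->
        <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      </securityTokenHandlers>
    </identityConfiguration>
  </system.identityModel>

  <system.identityModel.services>
    <federationConfiguration>
      <!-- Assumption: the parent domain from the question. requireSsl keeps the
           claims-bearing cookie off plaintext HTTP on every sub-domain. -->
      <cookieHandler requireSsl="true" domain="domain.com" />
    </federationConfiguration>
  </system.identityModel.services>
</configuration>
```

With this in place the CookieHandler.Domain assignment in the question's code becomes redundant, and rotating the machineKey on one site without the other invalidates every existing FedAuth cookie on both.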