WIF- ID1014: The signature is not valid. The data may have been tampered with

Question

I\'ve been using WIF to authenticate our new website, the STS is based upon the starter-sts implementation.

To enable this to work correctly on out load balanced environ

Answer 1

Did you try setting the loadUserProfile option to true? Does the problem still occur?

(Select the Application pool in IIS and then click "Advanced Settings" on the right. "Load User Profile" is in the "Process Model" section).

Answer 2

The browser cookies are encrypted with "old" mechanism - DPAPI. Therefore, when the server tries to decrypt the cookies, it fails - your code use RSA now, not DPAPI.

As a workaround, clear the browser cache, and the application will start running as expected.

Answer 3

The intermittent occurrence of your error, combined with the DPAPI exception showing up in your traces suggests to me that you aren't actually overriding the cookie transform, and your service is still using DPAPI.

This might be a long shot, but in your code snippet I noticed your method override "onServiceConfigurationCreated" starts with a lower case o. Such a typo would indeed prevent you from properly overriding default WIF behavior.

Answer 4

I changed the implementation to amend the timeout in the ontokencreated method. This prevents the reissue.

protected override void OnSessionSecurityTokenCreated(Microsoft.IdentityModel.Web.SessionSecurityTokenCreatedEventArgs args)
        {
            args.SessionToken = FederatedAuthentication.SessionAuthenticationModule.CreateSessionSecurityToken(
                args.SessionToken.ClaimsPrincipal,
                args.SessionToken.Context,
                DateTime.UtcNow,
                DateTime.UtcNow.AddDays(365),
                true
                );
            //base.OnSessionSecurityTokenCreated(args);
        }