发表新帖
发表新帖

Federated Authentication on Azure

后端 未结
关注
5 1030
面向向阳花
面向向阳花 2020-12-08 10:39

I\'m using WIF (.net 4.5), and Azure Active directory for authentication. The website will sit on Azure.

Everything works as expected locally, however when I put it

相关标签:
5条回答
  • 爱一瞬间的悲伤
    2020-12-08 10:43

    If you are using forms auth. you can signout when you catch the exception and allow your users to login and create a valid cookie

    catch (CryptographicException cex)
{
    FormsAuthentication.SignOut();
}
    0 讨论(0)
  • 温柔的废话
    2020-12-08 10:50

    Simply clearing the cookies solved the whole problem for me in this case.

    0 讨论(0)
  • 有刺的猬
    2020-12-08 10:52

    The machine key shouldn't be there: Windows Azure generates one for you and makes sure it is identical on every instance in your role.

    About the error you're seeing: can you try clearing cookies?

    0 讨论(0)
  • 不要未来只要你来
    2020-12-08 10:53

    If you don't specify machineKey in configuration, Azure adds one. But if you create new version of your application and deploy it to Azure using VIP switching, Azure generates a new machine Key for the deployment in Staging (assuming your first deployment was to Production). (VIP switching is nice mechanism for deploying new version and then switching virtual IP addresses between Production and Staging).

    So basically one solution is letting Azure to generate the key but after VIP switch you have the problem back. To avoid it you can catch the CryptographicException in Global.asax in Application_Error handler, something like this:

    // Be sure to reference System.IdentityModel.Services
// and include using System.IdentityModel.Services; 
// at the start of your class
protected void Application_Error(object sender, EventArgs e)
{
    var error = Server.GetLastError();
    var cryptoEx = error as CryptographicException;
    if (cryptoEx != null)
    {
        FederatedAuthentication.WSFederationAuthenticationModule.SignOut();
        Server.ClearError();
    }
}

    The SignOut() method causes the cookie is removed.

    Edit: updated info on generating machineKey as noted by @anjdreas.

    Another solution is to generate the machineKey, you can use IIS Manager to do it, see Easiest way to generate MachineKey for details. If you put the same key into all your web appliactions within Azure Web Role, the Azure deployment process will not replace it.

    0 讨论(0)
  • 清酒与你
    2020-12-08 11:05

    Asking all the users to clear all cookies wasn't really an option for me. On this site and also in the book "Programming Windows Identity Federation" I found a better solution (for me, anyways). If you're already uploading an SSL certificate to Azure, you can use that certificate to also encrypt your cookie on all Azure instances, and you won't need to worry about new machine keys, IIS user profiles, etc.

    0 讨论(0)
 看不清?
提交回复
热议问题