Unable to decrypt claims cookie from .NET 4.5 to .

Published 2019-09-09 03:09

Question:

I have been trying to get the following scenario to work for around a week now with no luck. I have 2 applications, a .NET 4.5 application that is claims enabled, which is working perfectly well (works with other .NET 4 and up applications); and a legacy Intranet system built using WebForms .NET 3.5. The legacy application CANNOT be upgraded to a later version of .NET (would be so much easier).

What I want to happen is that when I login on the .NET 4.5 application, I need to be authenticated when I visit the .NET 3.5 application. I have ensured that the Cookie Names between the applications are the same, and that the machineKey values in the web.config are the same (I am using MachineKeySessionSecurityTokenHandler to ensure that the encrypted cookie values are the same even in a Web Farm scenario); however what happens is that when I move to the .NET 3.5 application I get the following error from the SymmetricEncryptionFormatter class:

ID0006: The input string parameter is either null or empty.Parameter name: value

I have tried changing the MachineKey keys (decryptionKey/validationKey/validation/decryption) to a variety of different combinations (ensuring that they are consistent between the 2 sites). I can see that the same cookie, with the same cookie value, is visible when I go to the 2 sites. I think that the issue may be related to the Cryptographic changes between .NET 3.5 & .NET 4.5 (see here [http://blogs.msdn.com/b/webdev/archive/2012/10/23/cryptographic-improvements-in-asp-net-4-5-pt-2.aspx])

Does anyone have any ideas as to what may be causing this?

Key entries from .NET 4.5 application Web.config:

<system.identityModel>
  <identityConfiguration>
    <securityTokenHandlers>
      <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    </securityTokenHandlers>
  </identityConfiguration>
</system.identityModel>

<authentication mode="None" />

<system.identityModel.services>
  <federationConfiguration>
    <cookieHandler requireSsl="false" name="TestName" />
    <wsFederation passiveRedirectEnabled="true" issuer="http://localhost:51318/" realm="http://localhost:57083/" persistentCookiesOnPassiveRedirects="true" requireHttps="false" />
  </federationConfiguration>
</system.identityModel.services>

Key entries from .NET 3.5 application Web.config:

<authentication mode="None"/>

<machineKey decryptionKey="CC510DF4..." validationKey="BEAC835EEC..." />

<microsoft.identityModel>
<service>
  <securityTokenHandlers>
    <!-- Replace the SessionSecurityTokenHandler with our own. -->
    <remove type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
    <add type="MachineKeySessionSecurityTokenHandler, App_Code"/>
  </securityTokenHandlers>
</service>
</microsoft.identityModel>

<microsoft.identityModel.services>
  <federationConfiguration>
    <wsFederation passiveRedirectEnabled="true" issuer="http://localhost:51318/" realm="http://localhost:57083/" requireHttps="false"/>
    <cookieHandler requireSsl="false" name="TestName"/>
  </federationConfiguration>
</microsoft.identityModel.services>

Answer 1:

The internal format of the cookie has changed between WIF and .NET 4.5. You can't share them between the versions.

Rather, point both apps to the same STS and let each app use its own session cookie.