The data protection operation was unsuccessful on

2019-01-17 21:33发布

站内问答 / 前沿技术
638 7 6

I'm trying to implement password reset on an OWIN/Katana based ASP.NET MVC website running in Azure.

It works fine when run locally but fails in production.

I create a UserToken Provider

userManager.UserTokenProvider = new DataProtectorTokenProvider<ApplicationUser>(provider.Create("PasswordReset"))

But when I attempt to generate the token as follows 

var resetToken = await UserManager.GeneratePasswordResetTokenAsync(user.Id);

I get following exception.

System.Security.Cryptography.CryptographicException: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating. at System.Security.Cryptography.ProtectedData.Protect(Byte[] userData, Byte[] optionalEntropy, DataProtectionScope scope) at System.Security.Cryptography.DpapiDataProtector.ProviderProtect(Byte[] userData) at System.Security.Cryptography.DataProtector.Protect(Byte[] userData) at Microsoft.Owin.Security.DataProtection.DpapiDataProtector.Protect(Byte[] userData) at Microsoft.AspNet.Identity.Owin.DataProtectorTokenProvider 2.d__0.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.AspNet.Identity.UserManager`2.d__e9.MoveNext()

7条回答
甜甜的少女心
2楼-- · 2019-01-17 21:53

This error happens for me on a shared hosting provider, at the line:

var provider = new DpapiDataProtectionProvider("SITENAME");

The solution was quite simple. First change the above line to this:

var provider = new MachineKeyProtectionProvider();

Then create a new file, which I have in my Utilities namespace, like so:

using Microsoft.Owin.Security.DataProtection;
using System.Web.Security;

namespace <yournamespace>.Utilities
{
    public class MachineKeyProtectionProvider : IDataProtectionProvider
    {
        public IDataProtector Create(params string[] purposes)
        {
            return new MachineKeyDataProtector(purposes);
        }
    }

    public class MachineKeyDataProtector : IDataProtector
    {
        private readonly string[] _purposes;

        public MachineKeyDataProtector(string[] purposes)
        {
            _purposes = purposes;
        }

        public byte[] Protect(byte[] userData)
        {
            return MachineKey.Protect(userData, _purposes);
        }

        public byte[] Unprotect(byte[] protectedData)
        {
            return MachineKey.Unprotect(protectedData, _purposes);
        }
    }
}

Et voila! Problem solved. Just remember, in your password reset controller method, you will also have to use this provider, otherwise you will get an Invalid Token error.

查看更多
0人赞 添加讨论(0) 举报
Juvenile、少年°
3楼-- · 2019-01-17 21:56

I put this one on ice for a while but was forced to come back to it. I found the solution here: Generating reset password token does not work in Azure Website

查看更多
0人赞 添加讨论(0) 举报
对你真心纯属浪费
4楼-- · 2019-01-17 21:57

Getting the UserManager from the Owin Pipeline, as its set in App_Start/Startup.Auth.cs, works on Azure. I'm unsure as to how this works specifically. The DpApi should work in Azure with the solution described in the first link.

If the DpApi has a static machine key set in Web.config all server machines will be able to decrypt the encrypted data created by another machine in your webfarm is the understanding behind this.

(code as given in the standard template - from AccountController.cs)

 private UserManager userManager;
    public UserManager UserManager
    {
        get { return userManager ?? HttpContext.GetOwinContext().GetUserManager<UserManager>(); }
        private set { userManager = value; }
    }
查看更多
0人赞 添加讨论(0) 举报
ら.Afraid
5楼-- · 2019-01-17 22:01

I have the same problem when I try to generate token with ASP .Net identity and custom login function in Web API.

"The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating."

What I did is just simply create an Application Setting called WEBSITE_LOAD_USER_PROFILE in Microsoft Azure and set it to 1. That solution works for me.

You can see the detail here

查看更多
0人赞 添加讨论(0) 举报
爷的心禁止访问
6楼-- · 2019-01-17 22:01

I found a solution. I'm not exactly sure if all steps are necessary to it work, but now my app works perfectly:

1.- Update your web.config to support securityTokenHandlers

<section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
<section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>

in the configSections node. And

  <securityTokenHandlers>
    <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler,
                System.IdentityModel, Version=4.0.0.0, Culture=neutral,
                PublicKeyToken=B77A5C561934E089" />

    <add
      type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler,
          System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral,
          PublicKeyToken=B77A5C561934E089">
      <sessionTokenRequirement lifetime="00:30:00"></sessionTokenRequirement>
    </add>
  </securityTokenHandlers>

</identityConfiguration>

as a regular node. 2.- In your Startup.Auth.cs file, update your ConfigureAuth(IAppBuilder app) like this:

public void ConfigureAuth(IAppBuilder app)
        {

            UserManagerFactory = () =>
            {
                var userManager = new UserManager<SIAgroUser>(new UserStore<UserType>(new SIAgroUserDbContext()));

                IDataProtectionProvider provider = app.GetDataProtectionProvider();

                //userManager.UserTokenProvider = new Microsoft.AspNet.Identity.Owin.DataProtectorTokenProvider<UserType>(provider.Create("PasswordReset") );
                if (provider != null)
                {
                    userManager.UserTokenProvider = new DataProtectorTokenProvider<UsertType, string>(provider.Create("PasswordReset"));
                }

                return userManager;
            };

            OAuthOptions = new OAuthAuthorizationServerOptions
            {
                TokenEndpointPath = new PathString("/Token"),
                Provider = new ApplicationOAuthProvider(PublicClientId, UserManagerFactory),
                AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
                AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
                AllowInsecureHttp = true
            };
            // Enable the application to use a cookie to store information for the signed in user
            // and to use a cookie to temporarily store information about a user logging in with a third party login provider
            app.UseCookieAuthentication(new CookieAuthenticationOptions());
            app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

            // Enable the application to use bearer tokens to authenticate users
            app.UseOAuthBearerTokens(OAuthOptions);

            // Uncomment the following lines to enable logging in with third party login providers
            //app.UseMicrosoftAccountAuthentication(
            //    clientId: "",
            //    clientSecret: "");

            //app.UseTwitterAuthentication(
            //    consumerKey: "",
            //    consumerSecret: "");

            //app.UseFacebookAuthentication(
            //    appId: "",
            //    appSecret: "");

            //app.UseGoogleAuthentication();



        }

3.- Clean up the constructor of your Startup class like this:

static Startup()
{
   PublicClientId = "self";
}

That worked for me :) I hope it works for you too

查看更多
0人赞 添加讨论(0) 举报
ら.Afraid
7楼-- · 2019-01-17 22:11

If the host server is a virtual machine it could be exactly what the error message says. Check if your Application Pool in IIS really has Load User Profile set to true like the exception says:

enter image description here

查看更多
0人赞 添加讨论(0) 举报
1 2 下一页
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(6)