如何解决“密钥在指定状态下无效”的问题使用 Azure ACS 时出错?
我正在尝试让 OpenID 身份验证在我的 Azure ASP.NET MVC 3 应用程序中工作,并已按照 MVC 3 自定义登录示例 来执行此操作。在开发环境中一切正常,但在部署到 Azure 平台时则不然。
第一个问题始于身份验证,导致错误“密钥在指定状态下使用无效”。 此处的讨论指出应用程序需要配置为使用 RsaEncryptionCookieTransform 而不是默认的 DPAPI 。为了尝试解决这个问题,我添加了 在 Alik Levin 的博客上,但没有进一步说明,因为它描述了在开发中设置自签名证书(如上所述,这不是必需的),而不是在 Azure 中。
我没有尝试使用这种方法,而是尝试使用 Azure 中已有的 X.509 证书。我在 Windows Azure Management > 下找到了指纹访问控制服务>依赖方应用程序> (我的应用程序名称)>令牌签名证书>用于服务命名空间(X.509 证书)。然后,我将此引用添加到 web.config:
<serviceCertificate>
<certificateReference x509FindType="FindByThumbprint" findValue="8A417..." />
</serviceCertificate>
现在,我在应用程序启动时收到配置错误:
ID1024: The configuration property value is not valid. Property name: 'certificateReference' Error: 'ID1025: Cannot find a unique certificate that matches the criteria. StoreName: 'My' StoreLocation: 'LocalMachine' X509FindType: 'FindByThumbprint' FindValue: '8A417...''
我实际上需要更改加密方法来解决“密钥在指定状态下使用无效”错误吗?如果是这样,我如何使用Azure中已有的X.509证书来加密cookie?
I'm attempting to get OpenID authentication to work in my Azure ASP.NET MVC 3 application and have followed the steps in the MVC 3 Custom Login Sample to do so. Everything works fine in the development environment but not when deployed to the Azure platform.
The first issue started with authentication causing the error "Key not valid for use in specified state". The discussion here states that the application needs to be configured to use RsaEncryptionCookieTransform instead of DPAPI which is the default. To try and solve this I added the code for OnServiceConfigurationCreated described on Alik Levin's blog but didn't go any further as it describes setting up a self-signed certificate in development (which as mentioned hasn't been necessary), not in Azure.
Instead of that approach, I tried to use the X.509 certificate already in Azure. I found the thumbprint under Windows Azure Management > Access Control Service > Relying Party Applications > (My Application Name) > Token Signing Certificates > Used for Service Namespace (X.509 Certificate). I then added this reference to the web.config:
<serviceCertificate>
<certificateReference x509FindType="FindByThumbprint" findValue="8A417..." />
</serviceCertificate>
Now I receive a configuration error on application startup:
ID1024: The configuration property value is not valid. Property name: 'certificateReference' Error: 'ID1025: Cannot find a unique certificate that matches the criteria. StoreName: 'My' StoreLocation: 'LocalMachine' X509FindType: 'FindByThumbprint' FindValue: '8A417...''
Do I actually need to change the encryption method to resolve the "Key not valid for use in specified state" error? If so, how can I use the X.509 certificate already in Azure to encrypt cookies?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您引用的证书是 ACS 使用的令牌签名证书。您需要在 Web 角色中部署一个证书,以便 WIF 可以使用它来加密 cookie(与令牌无关)。您必须在 Windows Azure 部署中添加证书。 (服务配置)。
请参阅 http://claimsid.codeplex.com 中的示例 #5
如果这是概念证明并且您想要只需使用所有默认值运行即可。参见这里:
http://msdn.microsoft.com/en-us/library/ff966484 .aspx#sec3
您需要设置“Load User Profile=true”,以便 DPAPI 正常工作。 (这可能是您本地计算机中的内容)。
The certificate you are referring to is the token signing cert used by ACS. You need a cert deployed in your web role so WIF can use it to encrypt the cookies (nothing to do with the token). You will have to add a cert in your Windows Azure deployment. (Service Configuration).
See sample #5 in http://claimsid.codeplex.com
If this is a proof of concept and you want to just run with all defaults. See here:
http://msdn.microsoft.com/en-us/library/ff966484.aspx#sec3
You need to set "Load User Profile=true" so DPAPI will work. (This is probably what you have in your local machine).
最终我(再次)找到了文章 使用访问控制服务 v2.0 保护 Windows Azure Web 角色 ASP.NET Web 应用程序。根据本文重新配置 web.config 和 ACS 管理门户的“依赖方应用程序”部分后,我能够让一切正常工作。具体来说,我只想要那些用
RequireAuthentication修饰的控制器操作,如 ACS 2.0 示例 本教程,要求用户登录。现在可以了。唯一的缺点是整个应用程序必须在 SSL 中运行才能获得无缝的用户体验。否则,用户在 HTTP 中运行时会被提示进行身份验证,经过身份验证,然后转储回 HTTP,显然未经过身份验证。但是,切换到 SSL 端点后,用户已通过身份验证!
在开发结构中,这按照我想要的方式工作,Stack Overflow 风格,我能够在标准 HTTP 中运行所有内容,而无需使用证书,并且身份验证通过 SSL 进行。但是,由于 Azure 中的 RSA cookie 要求以及需要证书,这在云中不起作用。 (如果开发结构警告此问题和其他常见问题.) 我希望在将来的某个时候重新审视这个问题。
总之,我建议您在尝试提供的示例之外的任何内容之前先了解 Windows Identity Foundation 及其如何应用于 Azure。撰写本文时提供的一些资源:
Eventually I found (again) the article Securing Windows Azure Web Role ASP.NET Web Application Using Access Control Service v2.0. After reconfiguring the web.config and the "Relying Party Applications" section of the ACS Management Portal according to this article, I was able to get everything to work. Specifically I wanted only those controller actions decorated with
RequireAuthentication, as shown in the ACS 2.0 sample for this tutorial, to require the user to be logged in. This now works.The only downside is that the entire app has to run in SSL for the user experience to be seamless. Otherwise the user is prompted for auth when running in HTTP, authenticated, and then dumped back to HTTP apparently not authenticated. However, switching over to the SSL endpoint, the user has been authenticated!
In development fabric this was working as I wanted, Stack Overflow style, where I was able to run everything in standard HTTP without using a certificate and authentication happened over SSL. However because of the RSA cookie requirement in Azure and need for a certificate this won't work in the cloud. (It would be great if dev fabric warned about this and other common gotchas.) I hope to revisit this at some point in the future.
In summary, I recommend you understand Windows Identity Foundation and how it applies to Azure before attempting anything beyond the provided samples. Some resources available at time of writing: