c# - WIF to a separate domain via AJAX


We have sites running in 2 separate domains, 1 a secured API and the other a frontend website. We want to be able to make AJAX requests from the website to the API using the logged-in user's credentials.


To do this we did the necessary CORS bits and are able to pass our cookie to the API, but when the API tries to process the cookie it can't decrypt it. My understanding is that this is because the realm doesn't match correctly.

The error when we try it is as follows:

    InvalidOperationException: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false.

If I manually make the same request with a cookie for the :1444 realm it works correctly (so I think the loadUserProfile stuff is a red herring).

I think the issue is that we can't reuse the cookie across realms. If that is the case, how can I perform delegation in JavaScript? Is it possible without redirecting the user to the STS to get a cookie for the other realm? Is there a better way to approach JavaScript delegation?

Useful supporting data:

The configuration of WIF at our API end:

    <modules runAllManagedModulesForAllRequests="true">
        <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
        <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
    </modules>

...

    <microsoft.identityModel>
        <service>
            <securityTokenHandlers>
                <add type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
                    <sessionTokenRequirement lifetime="1:00" />
                </add>
            </securityTokenHandlers>
            <audienceUris>
                <add value="http://localhost:1444/" />
            </audienceUris>
            <federatedAuthentication>
                <wsFederation passiveRedirectEnabled="true" issuer="http://localhost:1339/account/sign-in" realm="http://localhost:1444/" requireHttps="false" persistentCookiesOnPassiveRedirects="false" />
                <cookieHandler requireSsl="false" path="/" name="thecookiemonster" persistentSessionLifetime="60" />
            </federatedAuthentication>
            <applicationService>
                <claimTypeRequired>
                    <!-- This claim gets mapped to User.Identity.Name -->
                    <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="false" />
                    <!-- Some other custom claims -->
                </claimTypeRequired>
            </applicationService>
            <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
                <trustedIssuers>
                    <add thumbprint="a_thumbprint_key_for_our_cert" name="http://localhost:1339/" />
                </trustedIssuers>
            </issuerNameRegistry>
        </service>
    </microsoft.identityModel>

The config of WIF at the website end:

(the same, but with :1337)

    <modules runAllManagedModulesForAllRequests="true">
        <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
        <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
    </modules>

...

    <microsoft.identityModel>
        <service>
            <securityTokenHandlers>
                <add type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
                    <sessionTokenRequirement lifetime="1:00" />
                </add>
            </securityTokenHandlers>
            <audienceUris>
                <add value="http://localhost:1337/" />
            </audienceUris>
            <federatedAuthentication>
                <wsFederation passiveRedirectEnabled="true" issuer="http://localhost:1339/account/sign-in" realm="http://localhost:1337/" requireHttps="false" persistentCookiesOnPassiveRedirects="false" />
                <cookieHandler requireSsl="false" path="/" name="thecookiemonster" persistentSessionLifetime="60" />
            </federatedAuthentication>
            <applicationService>
                <claimTypeRequired>
                    <!-- This claim gets mapped to User.Identity.Name -->
                    <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="false" />
                    <!-- Some custom claims -->
                </claimTypeRequired>
            </applicationService>
            <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
                <trustedIssuers>
                    <add thumbprint="a_thumbprint_key_for_our_cert" name="http://localhost:1339/" />
                </trustedIssuers>
            </issuerNameRegistry>
        </service>
    </microsoft.identityModel>

What the Net tab looks like:

I think it is cancelled because the JS has detected some kind of security nonsense going on.

  • The machine key is shared across both sites
  • Both are running WIF 3.5

We did manage to sort this out by upgrading to WIF 4.5, which worked with no special modifications. I'm not sure what the root cause in 3.5 was, but this has closed the issue off for me. If anyone wants, I can post a working sample on GitHub.
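For readers relying on the shared machine key mentioned above, an added example (not code from the post) shows how WIF 4.5 lets the session cookie be protected with the ASP.NET machine key explicitly rather than with the default ProtectedData (DPAPI) handler, so that whether the second site can read the cookie depends on a key you control rather than on the two app pools' identities. It assumes WIF 4.5 (System.IdentityModel.Services) and that both web.configs carry the same explicit `<machineKey validationKey="..." decryptionKey="...">`.

```csharp
// Global.asax.cs (added example, not from the original post).
// Assumes WIF 4.5 (System.IdentityModel / System.IdentityModel.Services) and
// that both sites' web.config declare the same explicit <machineKey> values.
using System;
using System.IdentityModel.Services;
using System.IdentityModel.Services.Tokens;
using System.IdentityModel.Tokens;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        // Fires once, when WIF materialises its configuration from web.config.
        FederatedAuthentication.FederationConfigurationCreated += OnFederationConfigurationCreated;
    }

    private static void OnFederationConfigurationCreated(object sender, FederationConfigurationCreatedEventArgs e)
    {
        SecurityTokenHandlerCollection handlers =
            e.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers;

        // The default SessionSecurityTokenHandler wraps the session cookie with
        // ProtectedData (DPAPI); those keys belong to the machine / process identity
        // and are not affected by <machineKey>. MachineKeySessionSecurityTokenHandler
        // uses the ASP.NET machine key instead, so another site can only decrypt the
        // cookie if it is configured with the same validationKey/decryptionKey.
        handlers.AddOrReplace(new MachineKeySessionSecurityTokenHandler());

        // Fail fast rather than run with an implicitly DPAPI-protected cookie.
        if (!(handlers[typeof(SessionSecurityToken)] is MachineKeySessionSecurityTokenHandler))
        {
            throw new InvalidOperationException(
                "Session cookie protection is not bound to the shared machine key.");
        }
    }
}
```

With this in place, a cookie that fails to decrypt on the API side points at a key mismatch between the two web.configs rather than at the app pool identity or loadUserProfile setting.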
