Users cannot log in to Service Desk with SAML authentication and IIS


Article ID: 223198


Products

CA Service Management - Service Desk Manager
CA Service Desk Manager

Issue/Introduction

Following the available documentation, SAML authentication was added to an existing Service Desk installation running on IIS.

Since then, end users are constantly unable to log in to Service Desk.

The login attempt fails with the error message below:

Key not valid for user in specific state.

Cause

Regarding the CryptographicException:

The error "A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API" indicates that the SessionSecurityTokens are currently being protected with DPAPI. DPAPI uses a key that is unique to each machine, so when a SessionSecurityToken issued on one server is presented to a different server (for example, after a load balancer routes the next request elsewhere), that server cannot decrypt the token and the login fails.

Environment

CA Service Desk 17.2 and higher.

Resolution

This is resolved by configuring the application to use a different SessionSecurityToken protection method (the ASP.NET machine key) and then generating one set of machine keys and sharing it across both servers. Because every server in the farm then holds the same key, the SessionSecurityToken remains valid no matter which machine the request is routed to.

Follow the instructions below:

  1. From one of the IIS servers, open IIS Manager, navigate to your site and open the Machine Key feature;
  2. Uncheck the options to automatically generate the keys at runtime;
  3. Click Generate Keys and then Apply;
  4. Copy the resulting validation key and decryption key to the same site on the other server;
  5. In the web.config for your application on both servers, add the following inside the <identityConfiguration> element of the <system.identityModel> section:

     <securityTokenHandlers>
       <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
       <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
     </securityTokenHandlers>

This causes the application to protect and validate session security tokens with the shared machine key instead of the per-machine DPAPI key.
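The steps above generate the keys through the IIS Manager UI. The PowerShell script below is an added example, not part of this article or of CA Service Desk, that does the same thing from the command line: it generates a validation key and a decryption key with a cryptographic random number generator, prints the <machineKey> element and the <securityTokenHandlers> fragment ready to paste into web.config, and provides a check that the two servers' web.config files really contain identical keys. The file paths, the HMACSHA256/AES algorithm choice and the key lengths are assumptions for the example.

```powershell
# Added example (not from the KB article or the product). Generates a shared
# ASP.NET <machineKey> for an IIS farm and checks that two web.config files
# carry the same keys. Key lengths follow the ASP.NET defaults for the
# assumed algorithms: 64 bytes for HMACSHA256 validation, 32 bytes for AES.

function New-HexKey {
    param([int]$ByteLength)
    $bytes = New-Object byte[] $ByteLength
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    # BitConverter yields "AB-CD-..."; strip the dashes for web.config
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function New-MachineKeyFragment {
    $validationKey = New-HexKey -ByteLength 64
    $decryptionKey = New-HexKey -ByteLength 32
    return @"
<system.web>
  <machineKey validationKey="$validationKey"
              decryptionKey="$decryptionKey"
              validation="HMACSHA256"
              decryption="AES" />
</system.web>
<system.identityModel>
  <identityConfiguration>
    <securityTokenHandlers>
      <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    </securityTokenHandlers>
  </identityConfiguration>
</system.identityModel>
"@
}

# Reads the <machineKey> element from a web.config and returns its keys.
function Get-MachineKey {
    param([string]$ConfigPath)
    [xml]$config = Get-Content -Path $ConfigPath -Raw
    $node = $config.configuration.'system.web'.machineKey
    if (-not $node) { throw "No <machineKey> element in $ConfigPath" }
    return @{
        ValidationKey = $node.validationKey
        DecryptionKey = $node.decryptionKey
    }
}

# Confirms both servers hold identical keys; a mismatch reproduces the
# "cannot decrypt the cookie" failure whenever a request changes server.
function Test-MachineKeyMatch {
    param([string]$FirstConfig, [string]$SecondConfig)
    $a = Get-MachineKey -ConfigPath $FirstConfig
    $b = Get-MachineKey -ConfigPath $SecondConfig
    return ($a.ValidationKey -eq $b.ValidationKey) -and
           ($a.DecryptionKey -eq $b.DecryptionKey)
}

# Usage: generate once, paste the output into web.config on every server,
# then compare copies pulled from both servers (paths are hypothetical).
New-MachineKeyFragment
# Test-MachineKeyMatch -FirstConfig '\\server1\c$\inetpub\sd\web.config' `
#                      -SecondConfig '\\server2\c$\inetpub\sd\web.config'
```

Run the generator on one server only and distribute the resulting fragment over an administrative channel rather than generating on each server separately, since two independently generated keys are exactly the mismatch the article describes. Treat the keys as secrets: anyone holding them can forge session tokens, so restrict read access to web.config accordingly.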
