SAML authentication was added to an existing CA Service Desk installation running on IIS. Since then, end users are consistently unable to log in to Service Desk and receive the following error:
Key not valid for use in specified state.
The accompanying error, “A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API”, indicates that the session security tokens are currently being signed and encrypted with DPAPI. DPAPI uses a key that is unique to each machine, so when a token issued by one server is presented to a different server in the farm, that server cannot decrypt it.
This applies to CA Service Desk 17.2 and higher.
This can be resolved by configuring the application to use a different session security token handler, then generating one set of MachineKeys and sharing it across both servers. This ensures the token remains valid regardless of which machine in the farm the request is routed to.
Follow the instructions below:
This causes the application to protect and validate session tokens with the shared Machine Key instead of the per-machine DPAPI key.
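For illustration, the following is an added example of what this change typically looks like in the web.config of a WIF/ASP.NET application; it is not Service Desk's own configuration. The handler type names are the standard .NET Framework 4.5 System.IdentityModel ones, the `<system.identityModel>` section is assumed to already be registered (it is in any application that already uses WIF), and the key values are placeholders that must be replaced with keys you generate once and copy to every server in the farm.

```xml
<configuration>
  <system.web>
    <!-- Must be identical on every server in the farm. Generate the keys once
         (for example with IIS Manager > Machine Key > Generate Keys) and copy
         the same values to each node. The values below are PLACEHOLDERS. -->
    <machineKey validationKey="REPLACE_WITH_128_HEX_CHARS"
                decryptionKey="REPLACE_WITH_64_HEX_CHARS"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>

  <system.identityModel>
    <identityConfiguration>
      <securityTokenHandlers>
        <!-- Remove the default handler, which protects the session cookie with
             DPAPI (a per-machine key), and add the handler that uses the
             shared <machineKey> above instead. -->
        <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      </securityTokenHandlers>
    </identityConfiguration>
  </system.identityModel>
</configuration>
```

After the change, a session cookie issued by any node can be validated and decrypted by every other node, because all of them derive the same keys from `<machineKey>`. The keys are secrets equivalent to a signing key for every user session, so restrict access to web.config and rotate the values on every node at the same time if they are ever exposed.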