SAML Azure IIS Authentication Error

Article ID: 256323

Products

CA Service Management - Service Desk Manager CA Service Desk Manager

Issue/Introduction

Attempted to implement Azure Active Directory (AAD) authentication for the IIS-hosted CA SDM web interface (/CAisd) via SAML. After the identity provider redirected the browser back to the application, IIS returned the ASP.NET error page shown below instead of a signed-in session.

Text of the error message:

Server Error in '/CAisd' Application.
The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Security.Cryptography.CryptographicException: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:


[CryptographicException: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.]
   System.Security.Cryptography.ProtectedData.Protect(Byte[] userData, Byte[] optionalEntropy, DataProtectionScope scope) +500
   System.IdentityModel.ProtectedDataCookieTransform.Encode(Byte[] value) +48

[InvalidOperationException: ID1074: A CryptographicException occurred when attempting to encrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false. ]
   System.IdentityModel.ProtectedDataCookieTransform.Encode(Byte[] value) +319
   System.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +71
   System.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(XmlWriter writer, SecurityToken token) +875
   System.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(SessionSecurityToken sessionToken) +130
   System.IdentityModel.Services.SessionAuthenticationModule.WriteSessionTokenToCookie(SessionSecurityToken sessionToken) +179
   System.IdentityModel.Services.SessionAuthenticationModule.AuthenticateSessionSecurityToken(SessionSecurityToken sessionToken, Boolean writeCookie) +111
   System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request) +1083
   System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +467
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +139
   System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +195
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +88

Environment

Release : 17.3

CA Service Desk Manager

Cause

The ID1074 message in the stack trace above names the cause directly:

If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false.

The stack trace shows exactly what is failing. Once the sign-in response from the identity provider has been accepted, the System.IdentityModel (Windows Identity Foundation) federation module writes a session cookie, and ProtectedDataCookieTransform encrypts that cookie with DPAPI (System.Security.Cryptography.ProtectedData.Protect) in the current-user scope. User-scope DPAPI needs the master keys kept in the user profile of the account the worker process (w3wp.exe) runs as. When the application pool has Load User Profile set to False, no profile is loaded for the pool identity, the master key cannot be read or created, and Protect throws the CryptographicException seen above. The "IIS 7.5" wording in the message is historical: the setting and the failure are the same on later IIS versions.

Resolution

Go into Internet Information Services (IIS) Manager.

Refer to the following screencap for all settings:

Click on the Application Pools entry in the left-hand pane (item 1).

Click on the application pool that hosts the /CAisd application, DefaultAppPool in this example (item 2). If /CAisd was assigned to a different pool, change that pool instead; the setting is per application pool.

Click on Advanced Settings in the Actions pane (item 3).

In the Advanced Settings window that appears, scroll down to the Process Model section and locate the entry "Load User Profile" (item 4).

Some IIS installs set this to False by default. Set it to True (the screencap already reflects the change).

Click OK to save the settings, then recycle the application pool (or run iisreset) so that the worker process restarts with the pool identity's profile loaded.
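The same change scripted with PowerShell and the WebAdministration module, as an added example that is not part of this article or of the CA SDM product. It assumes the IIS site is named "Default Web Site" and the SDM application is /CAisd; adjust both names for your installation.

```powershell
# Added example (not from the article): find the application pool that
# actually serves /CAisd, check Load User Profile, set it to True and
# recycle the pool. Run from an elevated PowerShell on the SDM web server.
Import-Module WebAdministration

$siteName = 'Default Web Site'   # assumed site name
$appName  = 'CAisd'              # assumed application name under that site

# The pool is not always DefaultAppPool; look it up from the application.
$app = Get-WebApplication -Site $siteName -Name $appName
if (-not $app) {
    throw "Application /$appName not found under site '$siteName'"
}
$poolName = $app.applicationPool
$poolPath = "IIS:\AppPools\$poolName"

# processModel.loadUserProfile is the value shown as "Load User Profile"
# in the Advanced Settings dialog of IIS Manager.
$before = (Get-ItemProperty -Path $poolPath -Name processModel).loadUserProfile
Write-Host "Pool '$poolName' Load User Profile before: $before"

if (-not $before) {
    Set-ItemProperty -Path $poolPath -Name processModel.loadUserProfile -Value $true
    # Equivalent appcmd command, if you prefer it:
    #   %systemroot%\system32\inetsrv\appcmd set apppool /apppool.name:"$poolName" /processModel.loadUserProfile:true
    Restart-WebAppPool -Name $poolName   # recycle so w3wp.exe starts with a profile
}

$after = (Get-ItemProperty -Path $poolPath -Name processModel).loadUserProfile
Write-Host "Pool '$poolName' Load User Profile after:  $after"
if (-not $after) {
    throw "Load User Profile is still False on pool '$poolName'"
}
```

After the pool restarts, repeat the AAD login; the session cookie is now written without the CryptographicException. The setting is per application pool, so if the SDM web interface is served by more than one pool or more than one IIS server, apply it on each of them.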

Additional Information

Please also review the steps under "Troubleshooting - Unable to login to CA SDM application using the IIS port with any Idp (Identity Provider)" in the CA SDM documentation:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/business-management/ca-service-management/17-3/administering/administering-ca-service-desk-manager/enable-saml-authentication-for-ca-sdm.html

Make sure that all of the options listed there for Server Manager are also in place.
