When attempting to implement Azure Active Directory (AAD) authentication with IIS via SAML, the following error is received:
Text of the above message:
Server Error in '/CAisd' Application.
The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Security.Cryptography.CryptographicException: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
[CryptographicException: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.]
System.Security.Cryptography.ProtectedData.Protect(Byte[] userData, Byte[] optionalEntropy, DataProtectionScope scope) +500
System.IdentityModel.ProtectedDataCookieTransform.Encode(Byte[] value) +48
[InvalidOperationException: ID1074: A CryptographicException occurred when attempting to encrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false. ]
System.IdentityModel.ProtectedDataCookieTransform.Encode(Byte[] value) +319
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +71
System.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(XmlWriter writer, SecurityToken token) +875
System.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(SessionSecurityToken sessionToken) +130
System.IdentityModel.Services.SessionAuthenticationModule.WriteSessionTokenToCookie(SessionSecurityToken sessionToken) +179
System.IdentityModel.Services.SessionAuthenticationModule.AuthenticateSessionSecurityToken(SessionSecurityToken sessionToken, Boolean writeCookie) +111
System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request) +1083
System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +467
System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +195
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +88
Release: 17.3
CA Service Desk Manager
In the above message, one will find:
If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false.
Go into Internet Information Services (IIS) Manager
Refer to the following screencap for all settings:
Click on the Application Pools entry on the left hand pane (item 1)
Click on the DefaultAppPool entry (item 2)
Click on Advanced Settings (item 3)
In the popup window that appears for Advanced Settings, scroll down and locate the entry "Load User Profile". (item 4)
Some IIS installs set this to False by default. Set it to "True" (the change is already reflected in the screencap)
Save the settings in IIS and recycle IIS.
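The same check and correction can be scripted, which is useful when several SDM web servers need to be verified or when the CAisd application does not run in DefaultAppPool. The script below is an added example and is not part of this article or of CA Service Desk Manager; it assumes an elevated PowerShell session on the IIS host, the WebAdministration module that ships with IIS 7.5 and later, and (as the article does) that the application runs in DefaultAppPool unless another pool name is passed in. Setting processModel.loadUserProfile to true is what the "Load User Profile" entry in Advanced Settings changes; the user-scoped DPAPI key that ProtectedData.Protect needs is only available once the application pool identity's profile is loaded.

```powershell
# Added example (not from the article): verify and fix "Load User Profile"
# on the IIS application pool that hosts /CAisd, then recycle the pool.
# Assumes an elevated session and the WebAdministration module (IIS 7.5+).
param(
    # Defaults to DefaultAppPool as in the article; override if /CAisd lives elsewhere.
    [string]$AppPoolName = 'DefaultAppPool'
)

Import-Module WebAdministration -ErrorAction Stop

# Informational: report which pool actually serves /CAisd so the change
# is made on the right pool (the article assumes DefaultAppPool).
Get-WebApplication |
    Where-Object { $_.Path -eq '/CAisd' } |
    ForEach-Object { Write-Host "/CAisd is hosted in application pool: $($_.ApplicationPool)" }

$poolPath = "IIS:\AppPools\$AppPoolName"
if (-not (Test-Path $poolPath)) {
    throw "Application pool '$AppPoolName' was not found on this server."
}

# Read the current value of processModel.loadUserProfile (the "Load User Profile" setting).
$current = (Get-ItemProperty -Path $poolPath -Name processModel.loadUserProfile).Value
Write-Host "Load User Profile on '$AppPoolName' is currently: $current"

if (-not $current) {
    # This is the fix described in the article: DPAPI needs the pool identity's
    # profile loaded, otherwise ProtectedDataCookieTransform.Encode fails.
    Set-ItemProperty -Path $poolPath -Name processModel.loadUserProfile -Value $true
    Write-Host "Set Load User Profile to True on '$AppPoolName'."

    # Recycle so worker processes start with the profile loaded.
    Restart-WebAppPool -Name $AppPoolName
    Write-Host "Application pool '$AppPoolName' recycled."
}
else {
    Write-Host "No change needed; Load User Profile is already True."
}
```

The equivalent one-line change with the IIS command-line tool is `%windir%\system32\inetsrv\appcmd set apppool "DefaultAppPool" /processModel.loadUserProfile:true`, followed by a recycle of the pool. After the change, re-run the SAML sign-in; the ID1074 InvalidOperationException and the underlying CryptographicException should no longer appear in the stack trace.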
Please also review the steps for "Troubleshooting - Unable to login to CA SDM application using the IIS port with any Idp (Identity Provider)".
Make sure that all of the Options listed for Server Manager are also in place.