Windows Azure and ACS - CryptographicException: Key not valid for use in specified state

My technical architect asked me to work on windows Azure access control service and configure ACS for ADFS. After following all the steps on Azure management portal such as configuring identity provider, adding relying party; it was time for me to add STS reference in my azure web role. If you don’t know click - how to add STS reference.

I added the STS reference in my web role and pressed F5 to start debug. And I got difficult exception mentioned below –

CryptographicException: Key not valid for use in specified state.

InvalidOperationException: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false.

 I don’t understand why I always face very odd issues. Anyways, following is the description about solution to the above mentioned error.

Windows Azure and ACS - ID1024: The configuration property value is not valid. Property name: 'serviceCertificate'

Total there are 2 errors which I have seen getting resolved with following information I am providing.

If you are using Azure Web Role with Azure ACS configured ADFS authentication then you may receive any of the following 2 errors –

1.     Parser Error Message: ID1024: The configuration property value is not valid.
Property name: 'serviceCertificate'
Error: 'ID1039: The certificate's private key could not be accessed. Ensure the access control list (ACL) on the certificate's private key grants access to the application pool user

2.     The X.509 certificate CN=companyinacloud.accesscontrol.windows.net is not in the trusted people store. The X.509 certificate CN=companyinacloud.accesscontrol.windows.net chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

I will be discussing the steps I followed which worked for me. Hope it will help to you as well. Here is the solution.

Make sure that the certificate stored in LocalMachine My store should be same as the certificate present in ACS namespace created on Azure Management Portal. If you see the exception details closely then in above 1^st error you will observe a description that says - The certificate's private key could not be accessed. Ensure the access control list (ACL) on the certificate's private key grants access to the application pool user.

Install Certificate in Local computer Certificate Store

Many times application development needs certificate to be installed in Local Machine – My store. My store actually refers to personal folder in present in certificate manager.

When you open “Run” window and type “Certmgr.msc”, the certificate store for CurrentUser opens and not for local machine. To open Local Machine certificate store follow the steps mentioned below.   

Open “Run” window and type “MMC” and click OK. This will open window named as “Console 1”. Under file menu select “Add Remove Snap in option as shown below –

Windows Azure – Adding STS reference from Access Control Service in Azure web role

Here I assume that, you have already configured Access Control Service on Azure portal. You are ready with relying party application added to your ACS on Azure ACS management portal. You have configured identity provider say ADFS or any other of your choice. Here I will be discussing steps specific to adding STS reference in your Windows Azure Web Role Application.

First of all we need to download WIF SDK and install it on the development machine which has VS 2010 installed. Once WIF SDK installed, open visual studio and right click on Web role project. You will see “Add STS Reference” option visible. Click on it to launch a new window.

Hosting multiple virtual applications in Azure Web Role

Web role can be used for hosting different virtual application. The web role supports running a virtual application within a site.

Same web site project added in solution can be used to host as a multiple virtual application within web role. Service definition file in Azure Cloud service project is used for this purpose. The <sites> element in ServiceDefinition.csdef file helps us to host multiple virtual applications within a web role application. Following is the description how you can achieve it.

Open VS2010 and create Azure Cloud Service Project. Add a simple web role in it. Once done, right click on solution and click on “Add” to add another new project in the same solution. So the final solution structure in VS2010 will be as shown below. Here I have added another web application within my cloud service solution. You can add a simple web site also instead of web application.