20

I have an Asp.NET Core app with no special setup of DataProtection stack - just AddMvc. While everything works on IISExpress/(Kestrel), on the IIS server I got this error:

11/23/2016 18:50:14:warn: Microsoft.AspNetCore.Session.SessionMiddleware[7]
      Error unprotecting the session cookie.
System.Security.Cryptography.CryptographicException: The key {6d00462a-ba7f-4f65-bb36-711605de93f2} was not found in the key ring.
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)
   at Microsoft.AspNetCore.Session.CookieProtection.Unprotect(IDataProtector protector, String protectedText, ILogger logger)
11/23/2016 19:27:34:warn: Microsoft.Extensions.DependencyInjection.DataProtectionServices[59]
      Neither user profile nor HKLM registry available. Using an ephemeral key repository. Protected data will be unavailable when application exits.
11/23/2016 19:27:34:warn: Microsoft.AspNetCore.DataProtection.Repositories.EphemeralXmlRepository[50]
      Using an in-memory repository. Keys will not be persisted to storage.
11/23/2016 19:27:34:warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[35]
      No XML encryptor configured. Key {27c3297d-c583-4de5-b619-489bfba62407} may be persisted to storage in unencrypted form.
11/23/2016 19:27:35:warn: Microsoft.AspNetCore.Session.SessionMiddleware[7]
      Error unprotecting the session cookie.
System.Security.Cryptography.CryptographicException: The key {3cbde8ae-2dba-4c84-ada3-20ba40bdff85} was not found in the key ring.
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)
   at Microsoft.AspNetCore.Session.CookieProtection.Unprotect(IDataProtector protector, String protectedText, ILogger logger)

It only happes for some users after sign in and not every time. I tries to google but with no success.

Might it be some IIS configuration different on the second server? Thx.

Skorunka František
  • 5,102
  • 7
  • 44
  • 69

1 Answers1

18

This issue stems from a bug in IIS itself which may or may not ever be corrected. In order to work around the issue, it’s necessary for you to edit your App Pool to enable User Profile Loading. Once you set your App Pool to load the user profile for the application pool identity, the application will have permission to read and write to the system registry as intended.

original article

In short ensure app pool loads User profile:

enter image description here

download either ps script or its .NET analog here build it and run it as Admin like this:

ProvisionAutoGenKeys.exe NetCoreAppPool
Community
  • 1
  • 1
Artem Vertiy
  • 1,002
  • 15
  • 31