Weird "Unable to unprotect the message.State" error
My Web app uses Microsoft.Identity.Web and Microsoft.Identity.Web.UI (1.16.1) to authenticate the users. The Web apps are behind BIG-IP for load-balancing and redundancy.
I recently ran into an authentication error (500 on the callback URL) on a particular workstation with the browser hitting the load balancer. The Fiddler trace (attached) shows that the .AspNetCore.Correlation and .AspNetCore.OpenIdConnect.Nonce cookies are not included in the request message sent to the callback URL (signin-oidc). The Web app reports the “Unable to unprotect the message.State” error as below:
System.Exception: An error was encountered while handling the remote login.
at async Task<bool> Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler<TOptions>.HandleRequestAsync()
at async Task Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at async Task CSG.Configuration.AzureSsoService.MiddleWare.RequestResponseLogger.TraceResponseMessage(HttpContext context) in d:/Jenkins/workspace/22.1.0.0.0-ACPx-Configuration-DSM/Src/WorkerService/AzureSsoService/MiddleWare/RequestResponseLogger.cs:line 62
at async Task CSG.Configuration.AzureSsoService.MiddleWare.RequestResponseLogger.TraceResponseMessage(HttpContext context) in d:/Jenkins/workspace/22.1.0.0.0-ACPx-Configuration-DSM/Src/WorkerService/AzureSsoService/MiddleWare/RequestResponseLogger.cs:line 76
at async Task CSG.Configuration.AzureSsoService.MiddleWare.RequestResponseLogger.Invoke(HttpContext context) in d:/Jenkins/workspace/22.1.0.0.0-ACPx-Configuration-DSM/Src/WorkerService/AzureSsoService/MiddleWare/RequestResponseLogger.cs:line 26
at async Task Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.Invoke(HttpContext context)+Awaited(?) ---> System.Exception: Unable to unprotect the message.State.
--- End of inner exception stack trace ---
Some other facts:
- On the workstation that has the above error, the authentication goes through if the browser bypasses the load balancer and hits the Web app host directly.
- On other hosts the authentication is successful using the same account and going through the load balancer.
I am puzzled as to how the load balancer and the particular workstation can interact to prevent the .AspNetCore.* cookies from being included in the signin-oidc request message.
Issue Analytics: created 2 years ago, 20 comments.
Hello @WenningQiu, did you read this article? https://github.com/AzureAD/microsoft-identity-web/wiki/Deploying-Web-apps-to-App-services-as-Linux-containers#issue-with-scaled-out-web-apps-in-app-services
@deadlydog , Thanks for the pointer to using cookie affinity on ingress / load balancer. I was able to fix it with the same solution.
@michiproep, well, this is the first time I am implementing a dotnet core web app that uses OIDC. I didn’t have to worry about this in Angular SPA implementations, as it is the same browser client and there is no server load balancing to worry about.
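The thread resolves the problem with cookie affinity on the load balancer. The following is an added example, not code from the issue or from Microsoft.Identity.Web, showing the configuration that removes the dependency on affinity altogether: the OpenID Connect handler protects the `state` parameter and the correlation/nonce cookies with ASP.NET Core Data Protection, so every instance behind BIG-IP must share one key ring and one application name, otherwise the node that receives `/signin-oidc` cannot unprotect state issued by another node, which is one way to end up with "Unable to unprotect the message.State" (a correlation cookie that never arrives produces "Correlation failed" instead). It also forwards the original scheme from the load balancer and logs whether the two cookies reached the callback, which is the check the original report had to dig out of a Fiddler trace. It assumes .NET 6 minimal hosting, a hypothetical application name `my-web-app`, a hypothetical shared key folder `\\fileserver\dpkeys`, a hypothetical BIG-IP address `10.0.0.10` and an `AzureAd` configuration section; with the older `Startup.cs` layout the same registrations go into `ConfigureServices`/`Configure`.

```csharp
// Added example (not from the issue or from Microsoft.Identity.Web). Program.cs for an
// ASP.NET Core web app behind a TLS-terminating load balancer. Application name,
// key folder, proxy address and configuration section are assumptions.
using System;
using System.IO;
using System.Linq;
using System.Net;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

// 1. Shared Data Protection key ring. The OIDC handler protects the "state" parameter
//    and the correlation/nonce cookies with Data Protection. Each instance generating
//    its own keys means state minted on node A cannot be unprotected on node B.
//    Persist the keys where every node can read them (a shared folder here; Azure Blob,
//    Redis or SQL providers work the same way) and pin the application name so that
//    all nodes derive identical purpose strings.
builder.Services.AddDataProtection()
    .SetApplicationName("my-web-app")                                  // assumed; identical on every node
    .PersistKeysToFileSystem(new DirectoryInfo(@"\\fileserver\dpkeys")); // assumed UNC path

// 2. Trust the scheme/host the browser actually used. If BIG-IP terminates TLS and
//    forwards plain HTTP, the app sees http://, so the correlation and nonce cookies
//    (SameSite=None, which browsers only accept together with Secure) would be issued
//    without the Secure flag and redirect_uri would be built with the wrong scheme.
builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor
                             | ForwardedHeaders.XForwardedProto
                             | ForwardedHeaders.XForwardedHost;
    options.KnownProxies.Add(IPAddress.Parse("10.0.0.10")); // assumed BIG-IP address
});

// 3. Standard Microsoft.Identity.Web sign-in.
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));
builder.Services.AddRazorPages().AddMicrosoftIdentityUI();

var app = builder.Build();

app.UseForwardedHeaders(); // before authentication, so the scheme is already rewritten

// 4. Diagnostic for the symptom in this issue: did the cookies reach the callback?
//    Missing cookies point at the browser/load-balancer path (cookie flags, affinity);
//    cookies present plus the unprotect error point at a key ring mismatch.
app.Use(async (ctx, next) =>
{
    if (ctx.Request.Path.Equals("/signin-oidc", StringComparison.OrdinalIgnoreCase))
    {
        bool hasCorrelation = ctx.Request.Cookies.Keys
            .Any(k => k.StartsWith(".AspNetCore.Correlation.", StringComparison.Ordinal));
        bool hasNonce = ctx.Request.Cookies.Keys
            .Any(k => k.StartsWith(OpenIdConnectDefaults.CookieNoncePrefix, StringComparison.Ordinal));
        app.Logger.LogInformation(
            "signin-oidc over {Scheme}: correlation cookie={Correlation}, nonce cookie={Nonce}",
            ctx.Request.Scheme, hasCorrelation, hasNonce);
    }
    await next();
});

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.MapRazorPages();
app.Run();
```

With the key ring shared, the callback can land on any node and still unprotect the state, so affinity becomes a performance choice rather than a correctness requirement; keep the forwarded-headers step even if you stay with affinity, because the Secure flag on the SameSite=None cookies depends on the app seeing the original https:// scheme.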