Getting federation with ACS & ADFS to work with multiple instances – certificate issue

I recently built a solution that federates ADFS login through Azure Access Control Service (ACS). Everything worked fine for me using the standard “Add STS reference” functionality, but when I increased the instance count to 2 in Azure (no problem in the development environment) I started getting strange errors similar to this:

[Image: screenshot of the error]

Now, being a security newbie, I won’t even try to explain the underlying issue beyond this: the encrypted cookies generated after login are tied to the server instance that generated them and cannot be read by the other instances. With sticky sessions this might not have been a problem, but it is with Azure’s round-robin load balancing.

The solution requires both code that replaces the cookie encryption and a self-generated certificate that is installed on all instances, uploaded to Azure and referenced from web.config. Not very hard, but I struggled to find the solution online.

If you run into similar problems, I can highly recommend going through this guide in detail:
http://msdn.microsoft.com/en-us/gg557891

Don’t forget the step where you need to give Network Service access to your certificate for it to work in the development emulator:
