Getting federation with ACS & ADFS to work with multiple instances – certificate issue

I recently built a solution that federates ADFS login through Azure Access Control Service (ACS). Everything worked fine for me using the standard “Add STS reference” functionality, but when I increased the instance count to 2 in Azure (no problem in the development environment) I started getting strange errors similar to this:

Image

Now, being a security newbee, I won’t even try to explain the underlying issue, more than that it has to do with the encrypted cookies that are generated after login that are somehow tied to the server instance that generated the cookie and cannot be used by other servers. If we would have had sticky session, it might not have been a problem, but it is with Azure’s round robin load balancing.

The solution requires both coding to replace the cookie encryption, as well as using a self-generated certificate on all instances that is uploaded to Azure and referenced from web.config. Not very hard, but I struggled to find the solution online.

If you run into similar problems, I can highly recommend going through this guide in detail:
http://msdn.microsoft.com/en-us/gg557891

Don’t forget the step where you need to give Network Service access to your certificate for it to work in the development emulator: