WIF and load balancing with MVC 3.

Recently I’ve been getting to grips with WIF and the starter STS, which I must say is an excellent starting point. A requirement for a project that I’ve been working on was to enable the site to run in a load-balanced environment without any affinity to a particular node.

From the outset this seemed quite straightforward. After customizing the STS to use our own credential store and aligning the machine keys things looked to be rocking, well, from an STS point of view.

After adding the STS reference and deploying the web application, everything looked OK initially. Looking in Firebug, I could see plenty of requests reporting “500” internal server error.

After much investigation it became clear that one of the nodes couldn’t access the token due to it being protected via DPAPI.

The following assumes that you have a serviceCertificate inside the microsoft.identityModel node in your config. It also assumes that your application pool has access to find the certificate in the local store.

Changes to the global.asax file.

New event handler

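// Requires: using System.Collections.Generic; using Microsoft.IdentityModel.Tokens;
// using Microsoft.IdentityModel.Web; using Microsoft.IdentityModel.Web.Configuration;
void onServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
{
    // Replace the default DPAPI-based cookie protection with transforms keyed to the
    // service certificate, so every node holding that certificate can read the session cookie.
    List<CookieTransform> sessionTransforms = new List<CookieTransform>(new CookieTransform[]
    {
        new DeflateCookieTransform(),
        new RsaEncryptionCookieTransform(e.ServiceConfiguration.ServiceCertificate),
        new RsaSignatureCookieTransform(e.ServiceConfiguration.ServiceCertificate)
    });

    SessionSecurityTokenHandler sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());
    e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
}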

Changes to application start method.

protected void Application_Start()
{
    // Subscribe first so the handler runs when WIF creates its service configuration.
    FederatedAuthentication.ServiceConfigurationCreated += onServiceConfigurationCreated;
    AreaRegistration.RegisterAllAreas();
    RegisterGlobalFilters(GlobalFilters.Filters);
    RegisterRoutes(RouteTable.Routes);
}

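With the preceding changes, the session token is encrypted and signed with the service certificate instead of being protected via DPAPI, so tokens are treated the same on all nodes in the cluster.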
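An added example, not code from the original post: a fail-fast check for the two assumptions stated earlier (a configured service certificate, and an application pool identity that can use its private key), so a misconfigured node fails at startup rather than with intermittent 500s. The class and method names are hypothetical, and the check assumes a CSP-backed RSA key.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Hypothetical helper; not part of WIF or of the original post.
// Assumed usage: call SessionCertificateCheck.EnsureUsable(e.ServiceConfiguration.ServiceCertificate)
// as the first statement of onServiceConfigurationCreated.
public static class SessionCertificateCheck
{
    // Throws InvalidOperationException if this node cannot use the certificate
    // for the RSA encryption and signature cookie transforms.
    public static void EnsureUsable(X509Certificate2 cert)
    {
        if (cert == null)
            throw new InvalidOperationException("No service certificate is configured on this node.");
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                "Certificate " + cert.Thumbprint + " has no private key on this node.");
        try
        {
            // Reading PrivateKey throws CryptographicException when the process
            // identity has no read permission on the key container.
            var publicKey = cert.PublicKey.Key as RSACryptoServiceProvider;
            var privateKey = cert.PrivateKey as RSACryptoServiceProvider;
            if (publicKey == null || privateKey == null)
                throw new InvalidOperationException(
                    "Certificate " + cert.Thumbprint + " does not expose a CSP-backed RSA key.");

            // Constructed probe value: encrypt with the public key, decrypt with the
            // private key, and compare, proving the key pair is usable end to end.
            byte[] probe = Encoding.UTF8.GetBytes("session-cookie-key-probe");
            byte[] roundTrip = privateKey.Decrypt(publicKey.Encrypt(probe, true), true);
            if (!probe.SequenceEqual(roundTrip))
                throw new InvalidOperationException(
                    "Certificate " + cert.Thumbprint + " failed the encrypt/decrypt round trip.");
        }
        catch (CryptographicException ex)
        {
            throw new InvalidOperationException(
                "The private key of certificate " + cert.Thumbprint +
                " is not readable by the current process identity.", ex);
        }
    }
}
```

Comparing the thumbprint in the exception message or in a startup log entry across nodes also confirms that every node loaded the same certificate.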
