microsoft-identity-web: Weird "Unable to unprotect the message.State" error

My Web app uses Microsoft.Identity.Web and Microsoft.Identity.Web.UI (1.16.1) to authentication the users. The Web apps are behind BIG-IP for load-balancing and redundancy.

I recently run into an authentication error (500 on the callback URL) on a particular workstation with the browser hitting the load balancer. The Fiddler trace (attached) shows that the .AspNetCore.Correlation and .AspNetCore.OpenIdConnect.Nounce cookies are not included in the request message sent to the callback URL (signin-oidc). The Web app reports “Unable to unprotect the message.State” error as below:

System.Exception: An error was encountered while handling the remote login.
   at async Task<bool> Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler<TOptions>.HandleRequestAsync()
   at async Task Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at async Task CSG.Configuration.AzureSsoService.MiddleWare.RequestResponseLogger.TraceResponseMessage(HttpContext context) in d:/Jenkins/workspace/22.1.0.0.0-ACPx-Configuration-DSM/Src/WorkerService/AzureSsoService/MiddleWare/RequestResponseLogger.cs:line 62
   at async Task CSG.Configuration.AzureSsoService.MiddleWare.RequestResponseLogger.TraceResponseMessage(HttpContext context) in d:/Jenkins/workspace/22.1.0.0.0-ACPx-Configuration-DSM/Src/WorkerService/AzureSsoService/MiddleWare/RequestResponseLogger.cs:line 76
   at async Task CSG.Configuration.AzureSsoService.MiddleWare.RequestResponseLogger.Invoke(HttpContext context) in d:/Jenkins/workspace/22.1.0.0.0-ACPx-Configuration-DSM/Src/WorkerService/AzureSsoService/MiddleWare/RequestResponseLogger.cs:line 26
   at async Task Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.Invoke(HttpContext context)+Awaited(?) ---> System.Exception: Unable to unprotect the message.State.

   --- End of inner exception stack trace ---

Some other facts:

On the workstation that has the above error, the authentication goes through if the browser bypasses the load balancer and hits the Web app host directly.
On other hosts the authentication is successful using the same account and going through the load balancer.

I am puzzled how the load balancer and the particular workstation can interact to prevent the .AspNet.Core.* cookies from being included in the signin-oidc request message.

AzureSsoTrace.saz.gz

About this issue

Original URL
State: closed
Created 3 years ago
Comments: 20

Most upvoted comments

Hello @WenningQiu Did you read this article? https://github.com/AzureAD/microsoft-identity-web/wiki/Deploying-Web-apps-to-App-services-as-Linux-containers#issue-with-scaled-out-web-apps-in-app-services

jmprieur on Dec 7, 2021

@deadlydog , Thanks for the pointer to using cookie affinity on ingress / load balancer. I was able to fix it with the same solution.

@michiproep , Well, this is the first time I am implementing in dotnet core web app that uses oidc. I didn’t have to worry about these in Angular SPA implementations as it will be the same browser client and do not have to worry about server load balancing.

sxseba1 on Apr 21, 2023

I am getting the same on an AWS Cluster – first time encountering this on a new site we’re trying to publish. We have a simple OIDC client that works perfectly locally on a dev box.

`System.Exception: An error was encountered while handling the remote login.
 ---> System.Exception: Unable to unprotect the message.State.
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

Any help is greatly appreciated.

MikeMcWilliams on May 2, 2022