Signalr: Problem with SignalR and ASP.NET impersonation

Created on 26 Feb 2013 · 17 Comments · Source: SignalR/SignalR

We're running an application with , and since upgrading SignalR from RC2 has started failing on the server (although it runs OK on dev machines).

From the exception we're logging (below) it would appear that it's a Data Protection error, and it looks like it's something to do with signing connection ID's which has come in between RC2 and release.

There doesn't appear to be any way to switch off this new behaviour, and it looks like we'd have to try loading User Profile Data in an HttpModule in order to get it done before SignalR tried to use it which also adds significant complexity.

We've downgraded back to RC2 for the moment, although we're suffering with a client-side (JS) memory leak in this, which we are hopeful is fixed in the release version.

Interestingly, even with an additional location element handling the signalr path, and impersonate set to false within it, we still get an error, although it acknowledges that impersonation is no longer happening. (second exception below).

Do you have any other suggestions? Can we suggest that a configurable way of switching off this behaviour might be useful.

Initial Exception - Impersonation On

```
Log Name: Application
Source: ASP.NET 4.0.30319.0
Date: 25/02/2013 21:39:16
Event ID: 1309
Task Category: Web Event
Level: Warning
Keywords: Classic
User: N/A
Computer: CIE-PORTAL001.newshield.test
Description:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 25/02/2013 21:39:16
Event time (UTC): 25/02/2013 21:39:16
Event ID: 7c35f72faf084a0ba22234f8365233ef
Event sequence: 274
Event occurrence: 3
Event detail code: 0

Application information:
    Application domain: /LM/W3SVC/1/ROOT-1-130063017414433060
    Trust level: Full
    Application Virtual Path: /
    Application Path: C:\inetpub\wwwroot\
    Machine name: CIE-PORTAL001

Process information:
    Process ID: 2912
    Process name: w3wp.exe
    Account name: IIS APPPOOL\CIE_User_Portal

Exception information:
    Exception type: CryptographicException
    Exception message: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.

Server stack trace:
   at System.Security.Cryptography.ProtectedData.Protect(Byte[] userData, Byte[] optionalEntropy, DataProtectionScope scope)
   at Microsoft.AspNet.SignalR.Infrastructure.DefaultProtectedData.Protect(String data, String purpose)
   at Microsoft.AspNet.SignalR.PersistentConnection.ProcessNegotiationRequest(HostContext context)
   at Microsoft.AspNet.SignalR.Owin.CallHandler.Invoke(IDictionary`2 environment)
   at Microsoft.AspNet.SignalR.Owin.Handlers.HubDispatcherHandler.Invoke(IDictionary`2 environment)
   at Microsoft.Owin.Host.SystemWeb.OwinCallContext.Execute()
   at Microsoft.Owin.Host.SystemWeb.OwinHttpHandler.BeginProcessRequest(HttpContextBase httpContext, AsyncCallback callback, Object extraData)

Exception rethrown at [0]:
   at Microsoft.Owin.Host.SystemWeb.Utils.<>c__DisplayClass1.<GetRethrowWithNoStackLossDelegate>b__0(Exception ex)
   at Microsoft.Owin.Host.SystemWeb.CallContextAsyncResult.End(IAsyncResult result)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Request information:
    Request URL: http://manage.newshield.test/signalr/negotiate?_=1361828348805
    Request path: /signalr/negotiate
    User host address: x.x.x.x
    User: NEWSHIELD\XXXXX
    Is authenticated: True
    Authentication Type: Negotiate
    Thread account name: IIS APPPOOL\CIE_User_Portal

Thread information:
    Thread ID: 20
    Thread account name: IIS APPPOOL\CIE_User_Portal
    Is impersonating: True
    Stack trace:
   at Microsoft.Owin.Host.SystemWeb.Utils.<>c__DisplayClass1.<GetRethrowWithNoStackLossDelegate>b__0(Exception ex)
   at Microsoft.Owin.Host.SystemWeb.CallContextAsyncResult.End(IAsyncResult result)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Custom event details:
Event Xml:
```





Second Exception - Impersonation disabled for path signalr

```
Log Name: Application
Source: ASP.NET 4.0.30319.0
Date: 25/02/2013 23:53:35
Event ID: 1309
Task Category: Web Event
Level: Warning
Keywords: Classic
User: N/A
Computer: CIE-PORTAL001.newshield.test
Description:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 25/02/2013 23:53:35
Event time (UTC): 25/02/2013 23:53:35
Event ID: 07f66d91c0e449eaa2a31c1711a87d23
Event sequence: 128
Event occurrence: 1
Event detail code: 0

Application information:
    Application domain: /LM/W3SVC/1/ROOT-2-130063099703169507
    Trust level: Full
    Application Virtual Path: /
    Application Path: C:\inetpub\wwwroot\
    Machine name: CIE-PORTAL001

Process information:
    Process ID: 2912
    Process name: w3wp.exe
    Account name: IIS APPPOOL\CIE_User_Portal

Exception information:
    Exception type: CryptographicException
    Exception message: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.

Server stack trace:
   at System.Security.Cryptography.ProtectedData.Protect(Byte[] userData, Byte[] optionalEntropy, DataProtectionScope scope)
   at Microsoft.AspNet.SignalR.Infrastructure.DefaultProtectedData.Protect(String data, String purpose)
   at Microsoft.AspNet.SignalR.PersistentConnection.ProcessNegotiationRequest(HostContext context)
   at Microsoft.AspNet.SignalR.Owin.CallHandler.Invoke(IDictionary`2 environment)
   at Microsoft.AspNet.SignalR.Owin.Handlers.HubDispatcherHandler.Invoke(IDictionary`2 environment)
   at Microsoft.Owin.Host.SystemWeb.OwinCallContext.Execute()
   at Microsoft.Owin.Host.SystemWeb.OwinHttpHandler.BeginProcessRequest(HttpContextBase httpContext, AsyncCallback callback, Object extraData)

Exception rethrown at [0]:
   at Microsoft.Owin.Host.SystemWeb.Utils.<>c__DisplayClass1.<GetRethrowWithNoStackLossDelegate>b__0(Exception ex)
   at Microsoft.Owin.Host.SystemWeb.CallContextAsyncResult.End(IAsyncResult result)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Request information:
    Request URL: http://manage.newshield.test/signalr/negotiate?_=1361836418755
    Request path: /signalr/negotiate
    User host address: x.x.x.x
    User: NEWSHIELD\XXXXX
    Is authenticated: True
    Authentication Type: Negotiate
    Thread account name: IIS APPPOOL\CIE_User_Portal

Thread information:
    Thread ID: 45
    Thread account name: IIS APPPOOL\CIE_User_Portal
    Is impersonating: False
    Stack trace:
   at Microsoft.Owin.Host.SystemWeb.Utils.<>c__DisplayClass1.<GetRethrowWithNoStackLossDelegate>b__0(Exception ex)
   at Microsoft.Owin.Host.SystemWeb.CallContextAsyncResult.End(IAsyncResult result)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Custom event details:
Event Xml:
```





Bug


All 17 comments

So you're seeing issues because older clients are broken? Why is it working fine on dev machines? Can you repro this in a new project?

Shouldn’t be older clients, I upgraded everything all together… from RC2 to 1.0.0.

I believe that the dev machine is OK, because we’re logged in, and browsing, and impersonating all in the same user. I haven’t done any further testing on that yet.

If I get a chance, I’ll try and repro in a new project, but I’ve got a drop-dead delivery date of Friday for this prototype, so I’m a bit pressed for time this week.


I'm seeing some surprising things in the code, so if you could create a repro project with repro steps it would be awesome.

Here's some things that look suspicious:

  • DefaultProtectedData should never be used in an ASP.NET app unless you're doing something really strange
  • The connectionToken is generated using a random connection id + user identity so it must be the same data across the connection. Whatever your module is doing needs to happen per http request to the signalr apis

We had this ProtectedData exception too. We reverted to rc2 and we are back to working SignalR.
With release version, client was getting 403s on POSTs for some reason, with rc2 POSTs work just fine.
We use Basic and Anonymous Auth on the web api site where we host signalr. We are running ARR that rewrites signalr calls to web api -

                <rule name="Signalr">
                    <match url="^signalr(.*)" />
                    <action type="Rewrite" url="https://ourwebapisite/signalr{R:1}" />
                </rule>

We use Autofac 3 and this Resolver code -

``` c#
using System;
using System.Collections.Generic;
using System.Linq;
using Autofac;
using Autofac.Builder;
using Autofac.Core;
using Microsoft.AspNet.SignalR;

// SignalR dependency resolver backed by an Autofac lifetime scope.
// It also registers itself as an Autofac registration source so that
// SignalR's default services can be resolved through the container.
public class SignalRDependencyResolver : DefaultDependencyResolver, IRegistrationSource
{
    private readonly ILifetimeScope _lifetimeScope;

    public SignalRDependencyResolver(ILifetimeScope lifetimeScope)
    {
        _lifetimeScope = lifetimeScope;
        _lifetimeScope.ComponentRegistry.AddRegistrationSource(this);
    }

    // Resolve a single service from Autofac; null when nothing is registered.
    public override object GetService(Type serviceType)
    {
        object result;
        if (_lifetimeScope.TryResolve(serviceType, out result))
        {
            return result;
        }

        return null;
    }

    // Resolve all registrations of a service from Autofac.
    public override IEnumerable<object> GetServices(Type serviceType)
    {
        object result;
        if (_lifetimeScope.TryResolve(typeof(IEnumerable<>).MakeGenericType(serviceType), out result))
        {
            return (IEnumerable<object>)result;
        }

        return Enumerable.Empty<object>();
    }

    // Expose the services held by SignalR's DefaultDependencyResolver to Autofac.
    public IEnumerable<IComponentRegistration> RegistrationsFor(Service service, Func<Service, IEnumerable<IComponentRegistration>> registrationAccessor)
    {
        var typedService = service as TypedService;
        if (typedService != null)
        {
            var instances = base.GetServices(typedService.ServiceType);

            if (instances != null)
            {
                return instances
                        .Select(i => RegistrationBuilder.ForDelegate(i.GetType(), (c, p) => i).As(typedService.ServiceType)
                        .InstancePerMatchingLifetimeScope(_lifetimeScope.Tag)
                        .PreserveExistingDefaults()
                        .CreateRegistration());
            }
        }

        return Enumerable.Empty<IComponentRegistration>();
    }

    bool IRegistrationSource.IsAdapterForIndividualComponents
    {
        get { return false; }
    }
}
```

Tested 1.0.0 and 1.0.1, they both break, only rc2 works.

@vladkosarev 403 sounds like a different issue to the protected data issue. There were fundamental changes made in 1.0.0 to fix security holes in previous versions (rc2, alpha etc). If you're getting a 500 that claims you have the wrong connection id format it's because you're making requests to signalr under different identities.

403 normally happens when you're making a cross origin request (or what we think is a cross origin request) and that looks like what you might be running into and I'm guessing it's because of your url rewrite rules but I'm not 100% sure.

The logic that is likely causing your 403 is here
https://github.com/SignalR/SignalR/blob/master/src/Microsoft.AspNet.SignalR.Owin/Handlers/CallHandler.cs#L95

@davidfowl I tried with EnableCrossDomain=true and had the same issue. By the way with 1.0.0/1.0.1 that issue was in Chrome but not in FF/IE9, maybe there's a Chrome bug of some sort. I forgot to mention that before.

The 500 error was System.Security.Cryptography.ProtectedData.Protect() stuff. I'll stick to rc2 for now and maybe next week try Chrome with 1.0.1 again.

The 500 error means you have an issue in your code (specifically the one stated above). I can't think of any other reason the 403 would happen but I'm betting it's the cross domain thing. If you can provide a repro application it would be great.

I have exactly the same error, only on Azure WebSites, but it works fine on debug, same client:

Server Error in '/' Application.
The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Security.Cryptography.CryptographicException: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[CryptographicException: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.]
Microsoft.Owin.Host.SystemWeb.<>c__DisplayClass1.b__0(Exception ex) +27
Microsoft.Owin.Host.SystemWeb.Utils.RethrowWithOriginalStack(Exception ex) +15
Microsoft.Owin.Host.SystemWeb.CallContextAsyncResult.End(IAsyncResult result) +47
Microsoft.Owin.Host.SystemWeb.OwinHttpHandler.EndProcessRequest(IAsyncResult result) +7
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +9629708
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +155

Any idea?

Can you send the link to your website? Is the code public?

Should it be reopened? This same issue is still appearing with 1.1.0beta under IIS >= 7.5, when running app pool under identity different than ApplicationPoolIdentity.

I'm running into a similar issue:

```
[CryptographicException: Error occurred during a cryptographic operation. 8ff60d8e-9d8d-4a0d-bc5e-9c7e68122ddb]
System.Web.Security.Cryptography.HomogenizingCryptoServiceWrapper.HomogenizeErrors(Func`2 func, Byte[] input) +115
System.Web.Security.Cryptography.HomogenizingCryptoServiceWrapper.Protect(Byte[] clearData) +59
System.Web.Security.MachineKey.Protect(ICryptoServiceProvider cryptoServiceProvider, Byte[] userData, String[] purposes) +62
System.Web.Security.MachineKey.Protect(Byte[] userData, String[] purposes) +122
Microsoft.AspNet.SignalR.SystemWeb.Infrastructure.MachineKeyProtectedData.Protect(String data, String purpose) +77
Microsoft.AspNet.SignalR.PersistentConnection.ProcessNegotiationRequest(HostContext context) +164
Microsoft.AspNet.SignalR.PersistentConnection.ProcessRequest(HostContext context) +87
Microsoft.AspNet.SignalR.Hubs.HubDispatcher.ProcessRequest(HostContext context) +199
Microsoft.AspNet.SignalR.Owin.CallHandler.Invoke(IDictionary`2 environment) +835
Microsoft.AspNet.SignalR.Owin.Handlers.HubDispatcherHandler.Invoke(IDictionary`2 environment) +127
Microsoft.Owin.Host.SystemWeb.OwinCallContext.Execute() +117
Microsoft.Owin.Host.SystemWeb.OwinHttpHandler.BeginProcessRequest(HttpContextBase httpContext, AsyncCallback callback, Object extraData) +253
Microsoft.Owin.Host.SystemWeb.CallContextAsyncResult.End(IAsyncResult result) +64
Microsoft.Owin.Host.SystemWeb.OwinHttpHandler.EndProcessRequest(IAsyncResult result) +7
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +9628700
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
```

This is an ASP .NET web application running on VMWare with Windows Server 2008 R2 SP 1 under IIS 7.5.
Targets .Net 4.5 and ASP .Net 4.0 versions and has a mix of MVC & legacy .aspx.

The error occurs in the call to http://localhost/dss/signalr/negotiate?_=1376408974807
It returns a 500 Internal Server Error with the above referenced call-stack.

I have tried elevating the IIS app pool identities to admin and performing an IIS Reset, but this did not appear to change anything.

Everything else seems to be working correctly.

Finally, I don't think this has any bearing, but I am using SignalR w/ RequireJS.

Here is my relevant code:

``` c#
//Notifier.cs
//===========
public class Notifier : Hub
{
    public void SendGlobalMessage(string message)
    {
        Clients.All.addMessage(message);
    }
    public void SendLocalMessage(string message)
    {
        Clients.Caller.addMessage(message);
    }
    //other code omitted for brevity... (includes overrides for various OnXxx methods)
}

//Global.asax.cs
//==============
protected void Application_Start(Object sender, EventArgs ea)
{
    var hubConfiguration = new HubConfiguration { EnableDetailedErrors = true };
    RouteTable.Routes.MapHubs(hubConfiguration);
    //other code omitted...
}
```

``` html
//_Layout.cshtml
//===========
//other code omitted...

<script type="text/javascript">
    //signalr-hubs is mapped and shimmed with its dependency on signalr in the RequireJS config.

    require(['signalr-hubs'], function()
    {
        $(function()
        {
            var notifier = $.connection.notifier;
            notifier.addMessage = function(message)
            {
                console.log(message);
            }

            $.connection.hub.start({ waitForPageLoad: false }).done(function()
            {
                notifier.server.sendGlobalMessage("Hello Universe!!!");
                notifier.server.sendLocalMessage("Hello to myself!");
            });
        });
    });
</script>
```

Joshua,

I believe that I solved my issue by re-writing my hub.

I think that I was keeping the hub around artificially, rather than letting SignalR create and destroy them at its own will.

In fact… I went as far as to put a notice in the top of it:

/// <summary>
/// BEWARE!!! A Hub is NOT A PERSISTENT OBJECT! SignalR creates and releases them arbitrarily!!!
/// Do not put anything in them, like observing observables...!
/// Interface to the outside world ONLY!
/// </summary>

I suspect that you will find you are doing something similar. Rewrite your hub to be as lightweight as possible, with nothing that you need to keep, so SignalR can do its stuff.

Nich


Hi NichUK.... I removed everything from my Hub class except the two methods listed above (SendGlobalMessage & SendLocalMessage) and still got the error.

This has something to do with the SignalR MachineKeyProtectedData class and the .Net MachineKey.Protect() method (and probably either the MachineKeys system folder or the machine.config file), but I am not a security expert, so this is beyond me...

@jbarker4682 do you have a webfarm (multiple webservers)?

@davidfowl no, this is running locally on my dev box...

Does it only happen when you recycle the application?

Had the same problem.
In a few words, the ProtectedData.Protect method depends on the 'account environment' which is used by the AppPool. So, if you enable user profile load, the problem will be solved.
FYI - What exactly happens when I set LoadUserProfile of IIS pool
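
The fix from the last comment, as an added example that is not part of the original thread: an audit of every application pool's identity and Load User Profile setting, with an optional switch to enable it for one pool. It assumes the WebAdministration module on the IIS server; the default pool name is the one shown in the reporter's event log.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on the IIS server.
param(
    # Defaults to the pool name that appears in the event log of the original report.
    [string]$PoolName = 'CIE_User_Portal',
    # Without -Enable the script only reports; with it, the setting is changed.
    [switch]$Enable
)

Import-Module WebAdministration

# Audit: show which identity each pool runs as and whether its user profile is loaded.
Get-ChildItem IIS:\AppPools |
    Select-Object Name,
        @{ Name = 'IdentityType';    Expression = { $_.processModel.identityType } },
        @{ Name = 'UserName';        Expression = { $_.processModel.userName } },
        @{ Name = 'LoadUserProfile'; Expression = { $_.processModel.loadUserProfile } } |
    Format-Table -AutoSize

$poolPath = "IIS:\AppPools\$PoolName"
if (-not (Test-Path $poolPath)) {
    throw "Application pool '$PoolName' was not found on this server."
}

$loaded = (Get-Item $poolPath).processModel.loadUserProfile
if ($loaded) {
    Write-Output "'$PoolName' already loads the user profile."
}
elseif ($Enable) {
    Set-ItemProperty $poolPath -Name processModel.loadUserProfile -Value $true
    # The worker process only picks the profile up when it starts, so recycle the pool.
    Restart-WebAppPool -Name $PoolName
    Write-Output "'$PoolName' now loads the user profile and has been recycled."
}
else {
    Write-Output "'$PoolName' does not load the user profile. Re-run with -Enable to change it."
}
```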
