Configure .Net Core Data Protection for Load Balancers

Problem

I was using Cookie Authentication (without Identity), containing application deployed over multiple servers under load balancers, runs into problem that generates your authentication cookie will not get shared across servers, as by default each server generates its own Data Protection Keys which could not be shared among servers that results into Unauthorized or Invalid authentications.

By default, ASP.NET Core’s data protection isolates applications based on file paths, or IIS hosting information, so multiple apps can share a single keyring, but still not be able to read each other’s data. Source

Solution

ASP.NET Core’s Data Protection must share the same key ring and app identifier for each instance of your application. This means if you are load balanced across multiple machines, you must configure ASP.NET Core’s Data Protection, either protecting the keys over shared File System or DB and also provides mechanism of encryption & decryption.

The ASP.NET Core data protection provides a cryptographic API to protect data, including key management and rotation (including the necessary mechanisms for encryption and decryption)

  • Configure SetApplicationName in each app with the same value.
  • Could Persists Keys to File System.
  • Could Persists Keys to DB.
  • Could Encrypt Keys using X.509 certificate.

Add Data Protection

Add Data Protection in ConfigureServices of Startup.cs file

builder.Services.AddDataProtection()

Configure Application Name

Configure Unique name of the application.

services.AddDataProtection().SetApplicationName(“SharedApplicationName”);

Persists Keys to File System

To configure a file system-based key repository, call the PersistKeysToFileSystem configuration routine as shown below. Provide a DirectoryInfo pointing to the repository where keys should be stored.

services.AddDataProtection().SetApplicationName(“SharedApplicationName”).PersistKeysToFileSystem(new DirectoryInfo(@”c:\temp-keys\”));

The File System can point to a directory on the local machine, or it can point to a folder on a network share.

Consider using an X.509 certificate to encrypt keys

Persists Keys to Database using Entity Framework Core

The Microsoft.AspNetCore.DataProtection.EntityFrameworkCore package provides a mechanism for storing data protection keys to a database using Entity Framework Core. With this package, keys can be shared across multiple instances of a web app.

services.AddDbContext<DataProtectionKeysContext>(options =>options.UseSqlServer(Configuration.GetConnectionString(“DataProtectionKeysConnection”)));

services.AddDataProtection().SetApplicationName(“SharedApplicationName”).PersistKeysToDbContext<DataProtectionKeysContext>();

public class DataProtectionKeysContext : DbContext, IDataProtectionKeyContext {public DataProtectionKeysContext(DbContextOptions<DataProtectionKeysContext> options) : base(options) { } public DbSet<DataProtectionKey> DataProtectionKeys { get; set; } }

Create DataProtectionKeys table

Run the application & check Data Protection key in DB. It will automatically create new key after 90 days or you can also customize it.

That's all for this article.

Happy Coding!!

References

--

--

--

Consultant — Software Development

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Meet Evan, BavaMachine Learning Engineer (And the Guy You Want on Your Side in a Zombie Apocalypse)

Turning this into a D&D blog

Quick Answer: Does Ubuntu Get Viruses

Solutions for Real-Time System by Jane W. S. Liu (Chapter 3)

Use of implicit to transform case classes in Scala

OpenFaaS Tutorial: Build and Deploy Serverless Java Functions

Step One to get a Coding Job

Vapor 3 Series III — Testing

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Ghanshyam Shukla

Ghanshyam Shukla

Consultant — Software Development

More from Medium

Simple GitHub actions reusable workflow using .NET 6

Use ASP.NET Core hosted services to run a background task

Understanding .Net Framework 4.5 Architecture

Connect SignalR APIs with Postman