Dynamics 365 – Key not valid for use in specified state – Event 1309

This error will display in one of several ways depending on what you are trying to access, it can display as a generic “An error occurred” error to users upon login or it can display as something similar to the image below if you happen to have DevErrors enabled –


ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false.


It will also display as a Warning event with ID 1309 in the Event Viewer on the CRM server.

This is due to having multiple CRM deployments which are authenticating with a single ADFS server which is technically an unsupported use case and will occur when a user is logged into one deployment and then attempts to login to the other deployment.

An error will then occur because ADFS will attempt to use the cookie generated during the first login to verify the second login which will contain an incorrect key.

The Fix / Workaround

  • It is possible to get around this issue by ensuring that the user signs out of one deployment before signing into the next which will effectively clear the cookie and allow access without issue however this is by no means a proper fix.
  • The problem can often be fixed by checking ‘The deployment uses an NLB” check box located in the CRM deployment manager, Sherif Elmetainy covered the steps required to do this perfectly on the Microsoft forums

Solution to this problem is to Check “The deployment uses an NLB” and this is how:

1- Open “Microsoft Dynamics CRM Deployment Manager”
2- In the console right click on the root node named “Microsoft Dynamics CRM” and click “Properties”
3- Select the Second Tab called “Web Address”
4- Click the Advanced Button in the bottom
5- Make sure that the “The deployment uses an NLB” checkbox is checked.
6- Click “OK” then “Apply”
7- IIS reset both servers

Having this flag set to true will cause CRM to configure WIF (Windows Identity Framework) to use the Claims Authentication Encryption Certificate to encrypt/decrypt and sign the CRM session authentication cookie. Otherwise the certificate will be used only to decrypt the token returned from the STS and each server would use a different key for encrypting the cookie. Which is why I was getting an error when a client authenticated on one server accessed the second server.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.