为什么我收到“CryptographicException：密钥在指定状态下使用无效。”使用 wsfederation 更改应用程序池用户后？

我有一个继承的STS服务器，它运行.net 4.7.2，使用system.identitymodel wsfederation根据主体颁发令牌，并使用SessionAuthenticationModule将它们保存为cookie。

STS 和依赖方都在服务器 2016 上的 IIS 10 上运行。一切正常，直到我更改运行依赖方应用程序池的身份，我收到错误：

[CryptographicException: Key not valid for use in specified state.
]
   System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope) +470
   System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded) +48

[InvalidOperationException: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false. ]
   System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded) +358
   System.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +191
   System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver) +824
   System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver) +86
   System.IdentityModel.Services.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[] sessionCookie) +567
   System.IdentityModel.Services.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken) +306
   System.IdentityModel.Services.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +158
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +223
   System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +220
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +94

看起来 RP 无法解密 cookie，但为什么它会与运行应用程序池的身份配对？我已将新身份添加为服务器上的管理员，以确保它与权限无关。是否要求STS和所有依赖方以同一用户运行？