Error during loading certificate

  • Question

  • I get the following error. Please suggest.

    Security Exception

    Description: The application attempted to perform an operation not allowed by the security policy.  To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

    Exception Details: System.Security.Cryptography.CryptographicException: An internal error occurred.


    Source Error:

    [No relevant source lines]

    Source File: c:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\getpersonid\b8b5a69f\8678eaea\App_Web_2cg8q8eq.0.cs    Line: 0

    Stack Trace:

    [CryptographicException: An internal error occurred.
    ]
      System.Security.Cryptography.CryptographicException.ThrowCryptogaphicException(Int32 hr) +33
      System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromFile(String fileName, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx) +0
      System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags) +237
      System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password) +131
      Microsoft.Health.ApplicationConfiguration.GetApplicationCertificateFromFile(String certFilename) in e:\src\hsmain\private\prod\src\sdk\core\ApplicationConfiguration.cs:746
    
    [SecurityException: Error loading certificate. Is password specified using ApplicationCertificatePassword?]
      Microsoft.Health.ApplicationConfiguration.GetApplicationCertificateFromFile(String certFilename) in e:\src\hsmain\private\prod\src\sdk\core\ApplicationConfiguration.cs:754
      Microsoft.Health.ApplicationConfiguration.GetApplicationCertificate(Guid applicationId, StoreLocation storeLocation, String certSubject) in e:\src\hsmain\private\prod\src\sdk\core\ApplicationConfiguration.cs:628
      Microsoft.Health.ApplicationConfiguration.get_ApplicationCertificate() in e:\src\hsmain\private\prod\src\sdk\core\ApplicationConfiguration.cs:583
      Microsoft.Health.HealthApplicationConfiguration.get_ApplicationCertificate() in e:\src\hsmain\private\prod\src\sdk\core\HealthApplicationConfiguration.cs:130
      Microsoft.Health.Web.WebApplicationUtilities.GetPersonInfo(String authToken, Guid appId) in e:\src\hsmain\private\prod\src\sdk\web\WebApplicationUtilities.cs:1726
      Microsoft.Health.Web.WebApplicationUtilities.HandleTokenOnUrl(HttpContext context, Boolean isLoginRequired, Guid appId) in e:\src\hsmain\private\prod\src\sdk\web\WebApplicationUtilities.cs:1752
      Microsoft.Health.Web.WebApplicationUtilities.PageOnPreLoad(HttpContext context, Boolean logOnRequired, Boolean isMra, Guid appId) in e:\src\hsmain\private\prod\src\sdk\web\WebApplicationUtilities.cs:308
      Microsoft.Health.Web.HealthServicePage.OnPreLoad(EventArgs e) in e:\src\hsmain\private\prod\src\sdk\web\HealthServicePage.cs:133
      System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +6785
      System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +242
      System.Web.UI.Page.ProcessRequest() +80
      System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) +21
      System.Web.UI.Page.ProcessRequest(HttpContext context) +49
      ASP.redirect_aspx.ProcessRequest(HttpContext context) in c:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\getpersonid\b8b5a69f\8678eaea\App_Web_2cg8q8eq.0.cs:0
      System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +181
      System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75
    
    Monday, May 31, 2010 10:06 AM

Answers

  • Hello,

    Please follow the below steps to run the application in IIS.

    1. Open HealthVault Application Manager (Run as Administrator).
    2. Export Public and Private keys (.pfx) for the certificate you have created.
    3. Copy the certificate into the machine (IIS Hosted).
    4. Delete the certificate from HealthVault Application Manager. Make sure that you have copied the certificate.
    5. Run c:\Program Files\Microsoft HealthVault\SDK\Tools\ComputerCertificates.msc.
    6. Import the certificate into Personal > Certificates folder using All Tasks > Import.
    7. Browse the certificate saved in step 3, and make sure that Mark this key as exportable is checked.
    8. Restart HealthVault Application Manager and now you should be able to see the certificate imported.
    9. Right-click on the certificate in HealthVault Application Manager and click on Grant Access to IIS process.

    Granting access to Network Service and IIS (open a Command Prompt and point to the WinHttpCertCfg tool in the Tools folder that is shipped with the SDK):
    1. WinHttpCertCfg.exe -g -a NetworkService -c Local_Machine\My -s 5056c2a3-b9d1-49cc-a0c3-fa9d288c87f7
    2. winhttpcertcfg.exe -g -a DefaultAppPool -c LOCAL_MACHINE\My -s 5056c2a3-b9d1-49cc-a0c3-fa9d288c87f7

    You can check whether Network Service and IIS have got the permissions that you have granted with the below command.
    1. winhttpcertcfg.exe -l -c LOCAL_MACHINE\My -s WildcatApp-5056c2a3-b9d1-49cc-a0c3-fa9d288c87f7

    If you have mentioned the ApplicationCertificateFileName key in the web.config file, then you need to export the certificate from ComputerCertificates.msc.
    1. Run c:\Program Files\Microsoft HealthVault\SDK\Tools\ComputerCertificates.msc
    2. Right-click on the certificate and click on All Tasks > Export and follow the steps to export the certificate name
    3. Now add the key in the web.config file after you export the certificate to a location for which you have full permissions:
    <add key="ApplicationCertificateFileName" value="g:\mshealth\Nice App\cert\WildcatApp-3cdc0cea-6008-4c76-9169-36d44c3d63b4.pfx" />
    4. If the certificate has a password, that can be specified with the ApplicationCertificatePassword key in the web.config file.

    Run the application and you should be able to run it without any errors.

    If you still face issues, please run the troubleshooter that is shipped with the SDK to make sure that there are no errors.

    Please let me know the results.

     


    -Mahesh
    Monday, May 31, 2010 2:05 PM
  • Hello,

    Could you please run the troubleshooter sample and let me know if you see any errors.


    -Mahesh
    Tuesday, June 1, 2010 8:22 AM

All replies

  • Thanks Mahesh,

    We tried all the above steps but the issue is still not solved. We still receive the following error:

    "The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

    Exception Details: System.Security.Cryptography.CryptographicException: An internal error occurred."

    Is there any other solution to fix this issue? Please help.

    Thanks

    Tuesday, June 1, 2010 7:17 AM
  • Hello Mahesh,

    I tried the whole troubleshooter that you described above, but still get the same error: Error loading certificate. Is password specified using ApplicationCertificatePassword?

    Any other ideas?

    Tuesday, July 13, 2010 12:23 PM
  • Could you please check whether you have specified any password for the certificate. If the certificate has a password mentioned, that can be specified with the ApplicationCertificatePassword key in web.config file.
    -Mahesh
    Tuesday, July 13, 2010 1:35 PM
  • Hello Mahesh,

    Thank you for replying.

    Yes, I've checked everything. The thing was: it was neither created nor imported correctly. Basically, if you asked me to do it again now, I couldn't. But somehow, after 100+1 tries, it took the private key and let me add a password, which, as you said, I added in web.config.

     

    Thank you very much <3

    Wednesday, July 14, 2010 12:59 PM
  • Hi Mahesh,

     

    Can you please look at http://social.msdn.microsoft.com/Forums/eu/healthvault/thread/3473a0c5-9f19-4132-8224-854864d7845f?

    I still have the same problem.

    Thanks.


    Ferdous
    Thursday, January 20, 2011 2:35 PM
  • What am I supposed to do if the HealthVaultApplicationManager fails upon PFX export with the following exception:

    See the end of this message for details on invoking 
    just-in-time (JIT) debugging instead of this dialog box.
    
    ************** Exception Text **************
    System.NullReferenceException: Object reference not set to an instance of an object.
      at HealthVaultManager.Form1.RegisterCertificate(String filename)
      at HealthVaultManager.Form1.c_importCertificate_Click(Object sender, EventArgs e)
      at System.Windows.Forms.Control.OnClick(EventArgs e)
      at System.Windows.Forms.Button.OnClick(EventArgs e)
      at System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
      at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
      at System.Windows.Forms.Control.WndProc(Message& m)
      at System.Windows.Forms.ButtonBase.WndProc(Message& m)
      at System.Windows.Forms.Button.WndProc(Message& m)
      at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
      at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
      at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
    
    
    ************** Loaded Assemblies **************
    mscorlib
      Assembly Version: 2.0.0.0
      Win32 Version: 2.0.50727.3620 (GDR.050727-3600)
      CodeBase: file:///c:/WINDOWS/Microsoft.NET/Framework/v2.0.50727/mscorlib.dll
    ----------------------------------------
    ApplicationManager
      Assembly Version: 1.7.2629.6518
      Win32 Version: 1.7.2629.6518
      CodeBase: file:///C:/Program%20Files/Microsoft%20HealthVault/SDK/Tools/ApplicationManager.exe
    ----------------------------------------
    System.Windows.Forms
      Assembly Version: 2.0.0.0
      Win32 Version: 2.0.50727.3053 (netfxsp.050727-3000)
      CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Windows.Forms/2.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
    ----------------------------------------
    System
      Assembly Version: 2.0.0.0
      Win32 Version: 2.0.50727.3614 (GDR.050727-3600)
      CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System/2.0.0.0__b77a5c561934e089/System.dll
    ----------------------------------------
    System.Drawing
      Assembly Version: 2.0.0.0
      Win32 Version: 2.0.50727.3053 (netfxsp.050727-3000)
      CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Drawing/2.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
    ----------------------------------------
    System.Configuration
      Assembly Version: 2.0.0.0
      Win32 Version: 2.0.50727.3053 (netfxsp.050727-3000)
      CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Configuration/2.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll
    ----------------------------------------
    System.Xml
      Assembly Version: 2.0.0.0
      Win32 Version: 2.0.50727.3082 (QFE.050727-3000)
      CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Xml/2.0.0.0__b77a5c561934e089/System.Xml.dll
    ----------------------------------------
    
    ************** JIT Debugging **************
    To enable just-in-time (JIT) debugging, the .config file for this
    application or computer (machine.config) must have the
    jitDebugging value set in the system.windows.forms section.
    The application must also be compiled with debugging
    enabled.
    
    For example:
    
    <configuration>
      <system.windows.forms jitDebugging="true" />
    </configuration>
    
    When JIT debugging is enabled, any unhandled exception
    will be sent to the JIT debugger registered on the computer
    rather than be handled by this dialog box.
    
    
    
    Friday, June 3, 2011 3:56 PM
  • Hi,

    Please try to export the private key directly from the certificate store. I am not able to reproduce the issue.

    Thank you,


    Anish Ravindran
    Friday, June 3, 2011 7:51 PM
  • The PFX file I'm trying to import is closed with a password. How can I do the import via Application Manager?
    Sunday, June 26, 2011 8:44 AM
  • Hello Senglory,

    You cannot import a certificate which is tied to a password through Application Manager. You can only import that certificate through the certificate store. Please look into my blog (section: Using application certificate file) for importing a PFX file through the certificate store.

    If you have further issues, please create a new thread, so that it will be tracked better.

    Hope this helps.

    Regards,

    Madan Kamuju



    • Proposed as answer by Madan kamuju Monday, June 27, 2011 9:50 AM
    Monday, June 27, 2011 9:49 AM
  • I have tried all those steps in details and I still get an error.

    The specified certificate, CN=WildcatApp-3ab01d55-b9c0-4f49-911e-c23561e2a69d, could not be found in the LocalMachine certificate store,or the certificate does not have a private key.

    The certificate is running on other computers; the error only occurs on mine. There is no password on the certificate.
    I am completely out of ideas as to what else could be wrong!

    Any ideas would be much appreciated.

    Tuesday, December 6, 2011 12:46 PM
  • It would be better to open a new thread when you have a problem rather than resurrecting an old one.

    It would be good to do the following:

    1. Start up certmgr and find the certificate. Verify that it has a public key (one way to do this is to try to export it and see whether exporting the private key is an option; if it isn't, you only have a public key).
    2. If you are running IIS, verify that the appropriate service can access the certificate. You can do this with the SDK application manager utility.

    Another option is to switch your application to file-based certificates; then the certificate doesn't need to be installed.

    Tuesday, December 6, 2011 5:49 PM
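
The checks discussed in this thread (certificate present in the LocalMachine store, private key attached, key readable by the IIS account, .pfx opening with its password) can be run in one pass with a script like the following. This is an added example, not code from any poster or from the HealthVault SDK; the subject string is taken from the error message quoted above, and `$PfxPath` / `$PfxPassword` are hypothetical parameters.

```powershell
# Added diagnostic sketch; not part of the HealthVault SDK or its tools.
# $Subject is copied from the error message quoted in this thread.
# $PfxPath / $PfxPassword are hypothetical inputs for a file-based certificate.
param(
    [string]$Subject = 'WildcatApp-3ab01d55-b9c0-4f49-911e-c23561e2a69d',
    [string]$PfxPath = '',
    [string]$PfxPassword = ''
)

# 1. Is the certificate in LocalMachine\My, and does it carry a private key?
$certs = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$Subject*" })
if ($certs.Count -eq 0) {
    Write-Output "NOT FOUND: nothing matching '$Subject' in LocalMachine\My"
}
foreach ($cert in $certs) {
    Write-Output "FOUND: $($cert.Subject) HasPrivateKey=$($cert.HasPrivateKey)"
    if (-not $cert.HasPrivateKey) { continue }

    # 2. Which accounts may read the key file? Covers CSP (CAPI) keys only;
    #    the MachineKeys path below assumes Windows Vista / Server 2008 or later.
    try {
        $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    } catch {
        Write-Output "  Key not readable by this account: $($_.Exception.Message)"
        continue
    }
    if (-not $container) { Write-Output '  Not a CSP key; ACL check skipped'; continue }
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
    if (Test-Path $keyFile) {
        (Get-Acl $keyFile).Access | ForEach-Object {
            Write-Output "  ACL: $($_.IdentityReference) $($_.FileSystemRights) $($_.AccessControlType)"
        }
    } else {
        Write-Output '  Key file is not under MachineKeys (key imported into a user profile?)'
    }
}

# 3. File-based certificate: does the .pfx open with the configured password?
#    Same two-argument constructor that appears in the stack trace above.
if ($PfxPath) {
    try {
        $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
        Write-Output "PFX OK: $($pfx.Subject) HasPrivateKey=$($pfx.HasPrivateKey)"
    } catch {
        Write-Output "PFX FAILED: $($_.Exception.Message)"
    }
}
```

Run it from an elevated prompt on the IIS machine; the ACL lines show whether the account the site runs under (for example NETWORK SERVICE) has read access to the key.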