FAM Error / CryptographicException: Keyset does not exist

  • Question

  • When my passive STS sends the response back to the relying party, I get this cryptic exception from the rp:

    [CryptographicException: Keyset does not exist]
       System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) +7712542
       System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle) +67
       System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() +83
       System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize) +226
       System.Security.Cryptography.RSACryptoServiceProvider..ctor(CspParameters parameters) +9
       System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey() +202
       System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey() +79
       System.IdentityModel.Tokens.X509AsymmetricSecurityKey.DecryptKey(String algorithm, Byte[] keyData) +16
       System.IdentityModel.Selectors.SimpleTokenResolver.TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, SecurityKey& key) +335
       System.IdentityModel.Selectors.SecurityTokenResolver.TryResolveSecurityKey(SecurityKeyIdentifierClause keyIdentifierClause, SecurityKey& key) +24
       Microsoft.IdentityModel.Tokens.EncryptedSecurityTokenHandler.ReadToken(XmlReader reader) +221
       Microsoft.IdentityModel.Web.TokenReceiver.ReadToken(XmlReader reader) +105
       Microsoft.IdentityModel.Web.TokenReceiver.ReadToken(String tokenXml, XmlDictionaryReaderQuotas readerQuotas) +162
       Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.GetSecurityToken(SignInResponseMessage message) +58
       Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.GetSecurityToken(HttpRequest request) +31
       Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request) +51
       Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +149
       System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +68
       System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75

    I am using asp.net impersonation and the impersonated account is a local admin on the IIS server (IIS7 / Win 2008). I checked my token signing and encrypting certs and the admin group does have permissions to the private keys on those certs, so I am not sure why Geneva is unhappy. Anyone else run into this?

    // Decompiled System.Security.Cryptography.Utils.CreateProvHandle (mscorlib), the
    // top frame of the stack trace above.
    internal static SafeProvHandle CreateProvHandle(CspParameters parameters, bool randomKeyContainer)
    {
        SafeProvHandle invalidHandle = SafeProvHandle.InvalidHandle;
        // CryptAcquireContext on the named key container; hr is the CryptoAPI HRESULT.
        int hr = _OpenCSP(parameters, 0, ref invalidHandle);
        KeyContainerPermission permission = new KeyContainerPermission(KeyContainerPermissionFlags.NoFlags);
        if (hr != 0)
        {
            // -2146893802 = 0x80090016 NTE_BAD_KEYSET ("Keyset does not exist"),
            // -2146893799 = 0x80090019 NTE_KEYSET_NOT_DEF. Any other error is rethrown,
            // and so are these two when the caller asked for an existing key (as the
            // certificate private-key path does). CryptoAPI also returns NTE_BAD_KEYSET
            // when the calling identity cannot read the key file, which is why an ACL
            // problem on the worker process account shows up as this message.
            if (((parameters.Flags & CspProviderFlags.UseExistingKey) != CspProviderFlags.NoFlags) || ((hr != -2146893799) && (hr != -2146893802)))
            {
                throw new CryptographicException(hr);
            }
            // Container genuinely missing and a new one is allowed: demand Create, then create it.
            if (!randomKeyContainer)
            {
                KeyContainerPermissionAccessEntry accessEntry = new KeyContainerPermissionAccessEntry(parameters, KeyContainerPermissionFlags.Create);
                permission.AccessEntries.Add(accessEntry);
                permission.Demand();
            }
            _CreateCSP(parameters, randomKeyContainer, ref invalidHandle);
            return invalidHandle;
        }
        // Container opened: demand Open (code access security) before handing it back.
        if (!randomKeyContainer)
        {
            KeyContainerPermissionAccessEntry entry2 = new KeyContainerPermissionAccessEntry(parameters, KeyContainerPermissionFlags.Open);
            permission.AccessEntries.Add(entry2);
            permission.Demand();
        }
        return invalidHandle;
    }

    • Edited by scott_m Tuesday, May 26, 2009 11:35 PM added more detail
    Tuesday, May 26, 2009 11:21 PM

Answers

  • The exception is coming from the WSFederationAuthenticationModule while processing the Authenticate event. At that point the impersonation has not yet occurred... you are still running as the IIS worker process account.
    • Marked as answer by scott_m Thursday, June 4, 2009 2:21 PM
    Thursday, June 4, 2009 6:00 AM
    Moderator
  • OK, after much head-scratching figured this one out. Even though my ASP.NET impersonated user is a local admin on the machine, apparently the IIS worker process user must have access to the private key. Typically this is the Network Service account. Grant private key permissions to your network service account and it will fix this error. This seems redundant since the impersonated user already has access to the private key.

    • Marked as answer by scott_m Saturday, May 30, 2009 7:13 PM
    Saturday, May 30, 2009 7:13 PM

All replies

  • Just like to add that I had the same problem running on Windows 7 and resolved it by giving the IIS_IUSRS account read permission on the private key.

    Hope it helps someone.
    Wednesday, January 20, 2010 2:15 PM
  • We ran into this also. Here are the instructions to do it on Windows 2008:

    Give cert private key permission to ASP.NET account

    · MMC -> Certificates
    · Certificates (Local Computer) -> Personal -> Certificates
    · Sts.illumina.com -> (Right-click) -> All Tasks -> Manage private keys
    · Add -> Network Service

    Chris Calderon
    Wednesday, January 20, 2010 6:32 PM
  • Hi,

    I encountered the same issue, with the exception below, for a Windows Azure application packaged and published to the cloud.

    Keyset does not exist

    I followed the steps above: I remote desktopped into the cloud server and checked the permission settings, which only had SYSTEM and Administrators, no NETWORK SERVICE user. After I added NETWORK SERVICE to the private key of the cert, the problem was solved.

    Is there a way to do this automatically, or by some kind of script/batch file, in the event that the application on the Azure platform gets brought down and up again due to maintenance, etc.?

    Wednesday, September 21, 2011 6:55 AM
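The scripted form of the MMC steps in Chris Calderon's reply, which also answers the request above for something that can re-run after an Azure role is recycled (for example as an elevated startup task). This is an added example, not code from the thread; the thumbprint is a placeholder, and the account and the MachineKeys path assume a CSP (CryptoAPI) key of the kind the stack trace shows.

```powershell
# Added example (not from the thread): grant an app-pool identity Read on a
# certificate's CSP private-key file so the IIS worker process itself, not
# only the impersonated user, can use the key. Replace $Thumbprint; change
# $Account if the pool is not NETWORK SERVICE (e.g. 'BUILTIN\IIS_IUSRS', as
# in the Windows 7 reply above).
param(
    [string]$Thumbprint = 'PUT-CERT-THUMBPRINT-HERE',     # placeholder
    [string]$Account    = 'NT AUTHORITY\NETWORK SERVICE'
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key' }

# CSP machine keys are files under MachineKeys named by the container's
# UniqueKeyContainerName. CNG keys live elsewhere and PrivateKey returns null
# or throws for them, so stop rather than touch the wrong file.
try { $csp = $cert.PrivateKey } catch { $csp = $null }
if (-not $csp -or -not $csp.CspKeyContainerInfo) {
    throw 'Not a CSP key (probably CNG); adjust the key path before using this'
}
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                     $csp.CspKeyContainerInfo.UniqueKeyContainerName
if (-not (Test-Path $keyFile)) { throw "Key file not found: $keyFile" }

# Read is enough to load and use the key; do not grant Full Control.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                   -ArgumentList $Account, 'Read', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Show the resulting entry so the change can be checked in the deployment log.
(Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run it elevated on the server; re-running is harmless because AddAccessRule merges an identical entry rather than duplicating it.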