Problem hosting my app in IIS

  • Question


  • I have seen several posts related to the keyset error below, but I am not having any luck resolving things. I created and installed the certificate using the ApplicationManager that is part of the SDK download. I uploaded the certificate to MS and granted access to the IIS process. This is a Windows 2003 server. I have also run GrantCertificateRights_Win2003.bat using my certificate.

    Even on my local machine I can only get this to work via VS.

    I have loaded my application id in the troubleshooter program. I get this back:

    General Information

    This section details the general environment under which the page is executing.

    OS Microsoft Windows NT 5.2.3790 Service Pack 2
    Machine Name VMDEVWEBSOL01
    Process Name w3wp
    Domain NT AUTHORITY
    Username NETWORK SERVICE
    IIS Version Microsoft-IIS/6.0

    Application ID and certificate information

    This section shows the application ID contained in the web.config file, and information about the certificates that this process can access.

    Application Id 75f8c1d5-c511-4776-a8d5-8eb778c8d32d
    Certificate Found: WildcatApp-75f8c1d5-c511-4776-a8d5-8eb778c8d32d
    Application Id Certificate(WildcatApp-75f8c1d5-c511-4776-a8d5-8eb778c8d32d) cannot be accessed



    Running the line below on the command line indicates that the Network service account has access to the private key (I added a few others during my debugging attempts):

    D:\>winhttpcertcfg.exe -l -c LOCAL_MACHINE\My -s WildcatApp-75f8c1d5-c511-4776-a8d5-8eb778c8d32d

    Microsoft (R) WinHTTP Certificate Configuration Tool
    Copyright (C) Microsoft Corporation 2001.

    Matching certificate:
    CN=WildcatApp-75f8c1d5-c511-4776-a8d5-8eb778c8d32d

    Additional accounts and groups with access to the private key include:
        CORP\marcos.elugardo
        NT AUTHORITY\SYSTEM
        BUILTIN\Administrators
        VMDEVWEBSOL01\ASPNET
        NT AUTHORITY\NETWORK SERVICE
        NT AUTHORITY\LOCAL SERVICE
        VMDEVWEBSOL01\IUSR_WIN2K3EE-TEMPLA
        VMDEVWEBSOL01\IWAM_WIN2K3EE-TEMPLA

    The error:
    Keyset does not exist

       at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
       at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
       at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
       at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
       at System.Security.Cryptography.RSACryptoServiceProvider..ctor(CspParameters parameters)
       at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
       at Microsoft.Health.ApplicationConfiguration.GetSignatureCertRsaProvider(Guid applicationId, RSACryptoServiceProvider& rsaProvider, String& thumbprint)
       at Microsoft.Health.Web.Authentication.WebApplicationCredential.SetupSignatureCertRsaProvider()
       at Microsoft.Health.Web.Authentication.WebApplicationCredential.Initialize(Guid applicationId)
       at Microsoft.Health.Web.Authentication.WebApplicationCredential..ctor(Guid applicationId, String subCredential)
       at Microsoft.Health.Web.WebApplicationUtilities.GetPersonInfo(String authToken)
       at Microsoft.Health.Web.WebApplicationUtilities.HandleTokenOnUrl(HttpContext context, Boolean isLoginRequired)
       at Microsoft.Health.Web.WebApplicationUtilities.PageOnPreLoad(HttpContext context, Boolean logOnRequired)
       at Trizetto.Web.RefApplicationWeb.HealthVaultRedirector.OnPreLoad(EventArgs e)
       at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

    Any help would be appreciated.
    thanks
    -marcos

    Wednesday, August 13, 2008 7:56 PM

Answers

  • For those interested, I have it working now with help from Eric.

    First, I deleted the certificate using ApplicationManager (in the Tools folder of the sdk install)
    I then imported the .pfx file into the personal store using ComputerCertificates.msc (also in the tools folder).
    I then ran:

    winhttpcertcfg.exe -g -a "Network Service" -c LOCAL_MACHINE\My -s %WC_CERTNAME%

    Where %WC_CERTNAME% is the name of my certificate.

    With these changes, the troubleshooter page now shows that it can access the private certificate with the Network Service account.
    Thursday, August 14, 2008 5:16 PM

All replies

  • Melugardo's advice is good. I thought I'd point out a mistake I made to save others the headache.

    The mistake I made was to use the certificate installation wizard to install the certificate. This wizard opens if you open a .pfx file from Explorer. It will put the key into the current user store; I used ComputerCertificates.msc to move it to the local machine store. For some reason this never worked. If I imported the .pfx file from ComputerCertificates.msc it would work.

    Thursday, January 8, 2009 11:41 PM
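    The fix in the accepted answer (grant the IIS worker account access to the private key) and the pitfall in the last reply (the certificate landing in the user store instead of the machine store) can both be checked from PowerShell. The script below is an added example, not code from the thread or the HealthVault SDK; it assumes a CAPI (RSACryptoServiceProvider) key, which is what the stack trace in the question shows, and uses the certificate name and the NETWORK SERVICE account from the question.

```powershell
# Added example: find the application certificate, report who can read its
# private key, and grant Read to the IIS worker account if it is missing.
# Assumption: CAPI key; CNG keys live under a different folder and would need
# a different lookup.
$certName = 'WildcatApp-75f8c1d5-c511-4776-a8d5-8eb778c8d32d'  # subject from the question
$account  = 'NT AUTHORITY\NETWORK SERVICE'                     # IIS 6 worker identity

# Pitfall from the last reply: the .pfx wizard imports into CurrentUser\My,
# where the w3wp process will never find it.
$inUser = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -like "CN=$certName*" }
if ($inUser) { Write-Warning "'$certName' is in CurrentUser\My; IIS cannot use it from there." }

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "CN=$certName*" } |
        Select-Object -First 1
if (-not $cert)                { throw "'$certName' not found in LocalMachine\My." }
if (-not $cert.HasPrivateKey)  { throw "Certificate has no private key; re-import the .pfx." }

# For CAPI keys the container is a file under MachineKeys; its NTFS ACL is what
# "Keyset does not exist" / "cannot be accessed" usually comes down to.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile   = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
if (-not (Test-Path $keyFile)) { throw "Key file $keyFile not found (CNG key?)." }

# Equivalent of 'winhttpcertcfg -l': list accounts with access to the key.
$acl = Get-Acl -Path $keyFile
Write-Host "Accounts with access to the private key:"
$acl.Access | ForEach-Object { "{0,-40} {1}" -f $_.IdentityReference.Value, $_.FileSystemRights }

$readFlag = [System.Security.AccessControl.FileSystemRights]::Read
$hasRead  = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $account -and (($_.FileSystemRights -band $readFlag) -ne 0)
}

# Equivalent of 'winhttpcertcfg -g -a "Network Service"': grant Read only.
# Signing needs read access to the key; the worker process never needs to modify it.
if (-not $hasRead) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    Write-Host "Granted Read on the private key to $account."
} else {
    Write-Host "$account already has Read on the private key."
}
```

    Run it from an elevated prompt on the web server; after it reports Read access for NETWORK SERVICE, the troubleshooter page should no longer show the certificate as inaccessible.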