Error When Using My Own .PFX File

I have taken the provided MVC examples and have been able to create my own limited Service Provider code that will accept the token from the included MVC Identity Provider. Everything works fine as long as I use the sp.pfx/sp.cer provided with the examples. If I use my own .pfx and .cer files exported from the Certificates add-in in MMC, I get a SAMLCertificateException: The X.509 certificate could not be loaded from the file C:\Dev\TFS\ApplicationServices.…\bhaynes.pfx. The InnerException is a CryptographicException: Access denied.

I have tried setting permissions for the DefaultAppPool user on the MachineKeys folder. The permissions on the bhaynes.pfx folder in the file path above (the virtual dir where the service provider code is running) are the same as those for the sp.pfx file and both are in the same folder.

My environment is Windows 8.1 Pro, MVC 4, .Net 4.5. The Identity Provider example is published to a folder in the local IIS. The Service Provider code I have written runs from a virtual directory, also set up on the local IIS.

Please take a look at the following topic. The most likely cause is that the permissions haven’t been set for the private key. The topic describes setting permissions for the private key.

I have given the DefaultAppPool user, the IIS_IUSRS user, and the Everyone group Read access to the PFX file. I have given the DefaultAppPool user, the IIS_IUSRS user, and the Everyone group Modify access to the MachineKeys folder. I am receiving the CryptographicException: Access denied when running this code:
X509Certificate2 x509Certificate = new X509Certificate2(rawData, password, X509KeyStorageFlags.MachineKeySet);
Where rawData is a byte array of the contents of the PFX file read by using File.ReadAllBytes.

I had to take ownership of the MachineKeys folder using an Administrative command line before I could set permissions on it without getting errors, but that has been done now.

I think I’ve followed the instructions in the article that you linked to, but it still isn’t working. I also don’t understand how, if it is related to permissions, why the sp.pfx file included with the examples works fine when located in the same folder and with the same permissions.

Any help would be appreciated.

As an experiment, could you try giving the everyone group full permissions to the MachineKeys folder?
Also, try giving the everyone group full permissions to the associated key container folder under the MachineKeys folder.
If doing the above works then you can limit the permissions as required.
I'm not sure why there's an issue with this particular pfx file. I know that we see this permissions issue on some machines but not others but I'm not sure why.

I gave the Everyone group Full Control of the MachineKeys folder and everything within it. That still didn’t solve the issue.
I made a new key using the instructions in section 13.1 of the developer guide. The new key that I created is working fine, so I will proceed with that. There must be something wrong with the key that I exported from the Certificates snap-in. Hopefully I won’t run into issues with the real keys on our QA and production servers.


I’m glad you got it working and thanks for letting me know.
Normally there isn’t an issue with certificates and permissions so hopefully you won’t have any issues in QA and production.
The other option to consider is to store the certificate(s) in the Windows Certificate store rather than in a PFX file.
We support certificates loaded from either a PFX/CER file or the Windows Certificate store.
Setting permissions in the Windows Certificate store is a little more straightforward.
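The two loading paths discussed in this thread, the PFX file with MachineKeySet and the Windows Certificate store, side by side. This is an added example, not code from the thread or from the SAML component's own API; the class name SpCertificateLoader, the file path, the password and the thumbprint are assumptions for illustration. It targets .NET Framework 4.5 as in the poster's environment, so it uses X509Store.Close() and the PrivateKey property rather than the IDisposable/GetRSAPrivateKey forms introduced in 4.6.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the thread): load the SP signing certificate either from a
// PFX file or from the machine certificate store, and verify the private key is usable
// by the identity the application pool runs as.
public static class SpCertificateLoader
{
    // PFX path. MachineKeySet places the key container under
    // %ProgramData%\Microsoft\Crypto\RSA\MachineKeys, which is why the ACL on that folder
    // mattered in the thread: the application pool identity needs access to its container.
    public static X509Certificate2 LoadFromPfx(string pfxPath, string password)
    {
        byte[] rawData = File.ReadAllBytes(pfxPath);
        X509Certificate2 certificate;
        try
        {
            certificate = new X509Certificate2(
                rawData,
                password,
                X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
        }
        catch (CryptographicException ex)
        {
            // "Access denied" here is a key-container permission problem for the current
            // identity, not a wrong password (a wrong password reports "The specified
            // network password is not correct").
            throw new InvalidOperationException(
                "Could not load " + pfxPath + " as " + Environment.UserName + ": " + ex.Message, ex);
        }
        EnsurePrivateKeyUsable(certificate, pfxPath);
        return certificate;
    }

    // Store path, the alternative the last reply recommends. The private key permission is
    // then granted on the store entry (certlm.msc, Manage Private Keys) rather than on a file.
    public static X509Certificate2 LoadFromStore(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            if (matches.Count == 0)
            {
                throw new InvalidOperationException(
                    "No certificate with thumbprint " + thumbprint + " in LocalMachine\\My.");
            }
            X509Certificate2 certificate = matches[0];
            EnsurePrivateKeyUsable(certificate, "store entry " + thumbprint);
            return certificate;
        }
        finally
        {
            store.Close();
        }
    }

    // HasPrivateKey only says the PFX or store entry carries a key; touching PrivateKey is
    // what actually opens the key container, so a permission problem surfaces at startup
    // instead of on the first signed SAML message.
    private static void EnsurePrivateKeyUsable(X509Certificate2 certificate, string source)
    {
        if (!certificate.HasPrivateKey)
        {
            throw new InvalidOperationException(source + " has no private key; export with the key included.");
        }
        try
        {
            AsymmetricAlgorithm key = certificate.PrivateKey;
            if (key == null)
            {
                throw new InvalidOperationException(source + ": private key could not be opened.");
            }
        }
        catch (CryptographicException ex)
        {
            throw new InvalidOperationException(
                source + ": private key exists but is not accessible to " + Environment.UserName, ex);
        }
    }

    public static void Main()
    {
        // Assumed values for the example; replace with the real path/password or thumbprint.
        X509Certificate2 fromFile = LoadFromPfx(@"C:\Dev\sp.pfx", "password");
        Console.WriteLine("PFX: " + fromFile.Subject);

        X509Certificate2 fromStore = LoadFromStore("0000000000000000000000000000000000000000");
        Console.WriteLine("Store: " + fromStore.Subject);
    }
}
```

Running this once under the application pool identity (for example from a small diagnostic page) tells you which of the two steps fails: construction of X509Certificate2 points at the MachineKeys folder or container ACL, while failure inside EnsurePrivateKeyUsable points at the key's own permissions, which is the case the linked topic on private key permissions covers.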