Problem Reading .PFX File When Running .NET Core App On Server

I have managed to get SAML authentication working with my company’s IDP in a new .NET Core app (V2.2), but only when running locally out of Visual Studio 2017. When I publish to our Windows server running IIS, the app works fine (home page loads and other pages render properly) but when I try to authenticate I’m getting this error: “.Initiation of SSO to the partner identity provider has failed. The X.509 certificate could not be loaded from the file D:\www\TrainingAppWeb\WebRoot\wwwroot\certificates\sp.pfx”. I have verified that the file was indeed published to the server. Is this a permissions problem?

TIA,

Michael C

Hi Michael,
It’s most likely a permissions error.
Please take a look at the “Certificate File Permissions” section in the Certificate Guide.
The following forum article also has information on certificate file permissions.
https://www.componentspace.com/Forums/29/Troubleshooting-Loading-X509-Certificates
If you’re still having problems, you’re welcome to enable SAML trace and send the generated log file to support@componentspace.com.
https://www.componentspace.com/Forums/7936/Enabling-SAML-Trace

[quote]
ComponentSpace - 9/9/2019
Hi Michael,
It's most likely a permissions error.
Please take a look at the "Certificate File Permissions" section in the Certificate Guide.
The following forum article also has information on certificate file permissions.
https://www.componentspace.com/Forums/29/Troubleshooting-Loading-X509-Certificates
If you're still having problems, you're welcome to enable SAML trace and send the generated log file to support@componentspace.com.
https://www.componentspace.com/Forums/7936/Enabling-SAML-Trace
[/quote]

I got this working by using a certificate already in the certificate store on the server. The Certificate Guide made this easy to accomplish. Accessing a .pfx file on my PC is easy, as I have full control over it, but the server needed to have a different configuration, and accessing certificates in the existing store made more sense.

Thanks for the update. Yes, using the certificate store often is a better solution. It’s certainly easier to set the permissions on a certificate stored in the certificate store.
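
The two routes discussed in this thread (a .pfx file on disk versus a certificate in the server's certificate store) can each be checked with a short diagnostic. This is an added example, not ComponentSpace code and not from the original posts; the class and method names are hypothetical, the password and thumbprint are placeholders, and it assumes the checks run under the same identity as the IIS application pool and that the certificate is in the LocalMachine\My store.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CertDiagnostics // hypothetical helper, not part of any SAML library
{
    // File route: separates "cannot read the file" from "cannot import the key".
    public static string CheckPfxFile(string path, string password)
    {
        if (!File.Exists(path)) return "file not found (or directory not listable)";
        try
        {
            byte[] raw = File.ReadAllBytes(path); // fails here on a file ACL problem
            using (var cert = new X509Certificate2(raw, password))
                return cert.HasPrivateKey ? "ok, thumbprint " + cert.Thumbprint : "loaded, no private key";
        }
        catch (UnauthorizedAccessException) { return "current identity cannot read the file"; }
        catch (CryptographicException ex) { return "file read, import failed: " + ex.Message; }
    }

    // Store route: finds the certificate and proves the private key is usable by signing.
    public static string CheckStoreCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0) return "not found in LocalMachine\\My";
            try
            {
                using (RSA key = found[0].GetRSAPrivateKey())
                {
                    if (key == null) return "found, no RSA private key";
                    key.SignData(new byte[] { 1 }, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                    return "ok, private key usable";
                }
            }
            catch (CryptographicException ex) { return "found, private key not usable: " + ex.Message; }
        }
    }

    static void Main()
    {
        Console.WriteLine("Running as: " + Environment.UserDomainName + "\\" + Environment.UserName);
        Console.WriteLine(CheckPfxFile(@"D:\www\TrainingAppWeb\WebRoot\wwwroot\certificates\sp.pfx", "<pfx-password>"));
        Console.WriteLine(CheckStoreCertificate("<certificate-thumbprint>"));
    }
}
```

Run from an administrator's console, both checks can succeed while the web app still fails, because the result depends on the identity printed on the first line.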