Random Keyset Does Not Exist Error

We’re experiencing a random “Keyset does not exist” error when running an MVC app in Azure that is scaled across multiple instances. The error is

System.Security.Cryptography.CryptographicException: Keyset does not exist
   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
   at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
   at ComponentSpace.SAML2.InternalSAMLIdentityProvider.CreateSAMLResponse(String userName, SAMLAttribute[] attributes, Status status, String assertionConsumerServiceUrl)
   at ComponentSpace.SAML2.InternalSAMLIdentityProvider.SendSSO(HttpResponseBase httpResponse, String userName, SAMLAttribute[] attributes, Status status, String assertionConsumerServiceUrl)
   at ComponentSpace.SAML2.SAMLIdentityProvider.SendSSO(HttpResponseBase httpResponse, String userName, IDictionary attributes)

This error doesn’t occur for all users, and seems to affect people at random.

From searching for further info, the vast majority of the relevant information on fixing the issue involves either changing the account the web app runs under or changing the way the certificate is opened.
In Azure, we can’t change the account for the app, and the cert is opened internally by the component.

Any pointers or assistance gratefully received.

Many thanks
Regards
Andy

Hi Andy
It’s most likely a permissions issue accessing the private key.
Please take a look at the following forum post.
http://www.componentspace.com/Forums/29/Troubleshooting-Loading-X.509-Certificates
The other option to consider is to store the certificate in the Windows certificate store rather than on the file system.

[quote]
ComponentSpace - 5/4/2017
Hi Andy
It's most likely a permissions issue accessing the private key.
Please take a look at the following forum post.
http://www.componentspace.com/Forums/29/Troubleshooting-Loading-X.509-Certificates
The other option to consider is to store the certificate in the Windows certificate store rather than on the file system.
[/quote]

Hi there,

Thanks for the reply; however, with an Azure Web App we don't have access to the file system and just have console or FTP access to the published Web App files. Nor is there a machine we can log into to do anything with a cert store, or to change any permissions.

We are using the High Level API - even though the linked post refers to explicitly opening the cert in global.asax for the Low Level API, should we also try this for the High Level API? Another option that may be available to us is to use Azure to store the certs and consume them in our Web Apps - https://azure.microsoft.com/en-in/blog/using-certificates-in-azure-websites-applications/ - presumably we'd need to load the certs in global.asax in this case, even though we're using the High Level API?

Best regards
Andy

Hi Andy
That article refers to storing certificates in the Windows certificate store although it doesn’t explicitly state this.
In your SAML configuration (eg saml.config file) you can specify certificates stored in the Windows certificate store.
These can be referenced by subject name, serial number or thumbprint.
Please note that the store location must be set to CurrentUser. The default is LocalMachine.
For example:

<IdentityProvider
LocalCertificateSerialNumber="1234"
LocalCertificateStoreLocation="CurrentUser"


[quote]
ComponentSpace - 5/4/2017
Hi Andy
That article refers to storing certificates in the Windows certificate store although it doesn't explicitly state this.
In your SAML configuration (eg saml.config file) you can specify certificates stored in the Windows certificate store.
These can be referenced by subject name, serial number or thumbprint.
Please note that the store location must be set to CurrentUser. The default is LocalMachine.
For example:

<IdentityProvider
LocalCertificateSerialNumber="1234"
LocalCertificateStoreLocation="CurrentUser"


[/quote]

Just to provide some feedback, we were able to resolve this issue by uploading the certificate to the cert store for the web app in the Azure Portal, and reference it by the thumbprint.
https://azure.microsoft.com/en-gb/blog/using-certificates-in-azure-websites-applications/ provides details on this - although it shows the old Azure portal in the article, it was quite easy to translate this to the newer Azure Portal when implementing.

Thank you for your help!
Best regards,
Andy

Thanks Andy for the additional information.
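The exception in the thread is thrown from X509Certificate2.get_PrivateKey, i.e. the certificate object itself loads fine but the CSP key container it points at cannot be opened by the worker process identity. The following diagnostic is an added example, not ComponentSpace or Azure code, that a practitioner can drop into an MVC app (for example behind a temporary admin-only action) to tell the three cases apart on each scaled-out instance: certificate not in the store at all, certificate present but without a private key (a .cer was uploaded rather than a .pfx), or private key present but not accessible (the "Keyset does not exist" case). It assumes the certificate was uploaded through the Azure portal and exposed to the app via the WEBSITE_LOAD_CERTIFICATES app setting, which places it in CurrentUser\My, so the store location is CurrentUser as the replies above state. The thumbprint and the instance-id environment variable are assumptions for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic for the "Keyset does not exist" thread: locate the SAML
// signing certificate by thumbprint in CurrentUser\My and confirm the private
// key is actually usable from the web app's own process identity.
public static class SamlCertificateProbe
{
    // Hypothetical thumbprint; replace with the value shown in the Azure portal
    // (and listed in the WEBSITE_LOAD_CERTIFICATES app setting).
    public const string Thumbprint = "0123456789ABCDEF0123456789ABCDEF01234567";

    // Thumbprints copied from the portal or certmgr often carry spaces or an
    // invisible leading character; keep only hex digits before searching.
    public static string NormalizeThumbprint(string thumbprint)
    {
        return new string(Array.FindAll(thumbprint.ToCharArray(), Uri.IsHexDigit)).ToUpperInvariant();
    }

    // Returns the matching certificate or null. validOnly:false so an expired or
    // untrusted test certificate is still reported rather than silently hidden.
    public static X509Certificate2 LoadByThumbprint(string thumbprint, StoreLocation location = StoreLocation.CurrentUser)
    {
        var clean = NormalizeThumbprint(thumbprint);
        using (var store = new X509Store(StoreName.My, location))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, clean, validOnly: false);
            return matches.Count == 0 ? null : matches[0];
        }
    }

    // Exercises the same path the stack trace fails on (private key access) by
    // producing a real signature, and maps each failure mode to a message.
    public static string Probe(X509Certificate2 cert)
    {
        if (cert == null)
            return "not found in CurrentUser\\My: check the thumbprint and WEBSITE_LOAD_CERTIFICATES";

        if (!cert.HasPrivateKey)
            return "found, but the certificate has no private key (upload the .pfx, not the .cer)";

        try
        {
            using (RSA rsa = cert.GetRSAPrivateKey())
            {
                byte[] sig = rsa.SignData(new byte[] { 1, 2, 3 }, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                return "private key usable, produced a " + sig.Length + "-byte signature";
            }
        }
        catch (CryptographicException ex)
        {
            // "Keyset does not exist" lands here: the key container referenced by
            // the certificate is not readable by this process identity.
            return "private key present but not accessible: " + ex.Message;
        }
    }

    // Report per instance, since a scaled-out app may be healthy on one worker
    // and broken on another. WEBSITE_INSTANCE_ID is assumed here as the
    // App Service instance identifier.
    public static string Report()
    {
        string instance = Environment.GetEnvironmentVariable("WEBSITE_INSTANCE_ID") ?? Environment.MachineName;
        X509Certificate2 cert = LoadByThumbprint(Thumbprint);
        return "[" + instance + "] " + Probe(cert);
    }
}
```

Run Report() from each instance (or hit the temporary action repeatedly until every instance has answered) and compare the results; a mix of "usable" and "not accessible" across instances points at the per-instance key container rather than at the SAML component, while a consistent "not found" means the certificate was not loaded into CurrentUser\My on that instance at all.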