The SAML response signature failed to verify after library update

We updated the library from version 2.8.0.0 for .NET 4 to version 2.8.5.0 for .NET 4.6, and now we are getting an exception when trying to log in.

Trace messages are the following:
2017-10-04 08:58:32.1335 | TRACE | ComponentSpace.SAML2 | 4996/11: 10/4/2017 8:58:32 AM: Enabling support for SHA-256, SHA-384 and SHA-512 signatures.
2017-10-04 08:58:32.1335 | TRACE | ComponentSpace.SAML2 | 4996/11: 10/4/2017 8:58:32 AM: Verifying the SAML response signature.
2017-10-04 08:58:32.1508 | TRACE | ComponentSpace.SAML2 | 4996/11: 10/4/2017 8:58:32 AM: Retrieving the signature certificates for the partner identity provider ********.
2017-10-04 08:58:32.1508 | TRACE | ComponentSpace.SAML2 | 4996/11: 10/4/2017 8:58:32 AM: Loading the X.509 certificate from the file ********.cer.
2017-10-04 08:58:32.1647 | TRACE | ComponentSpace.SAML2 | 4996/11: 10/4/2017 8:58:32 AM: The X.509 certificate with subject name ******** has been loaded.
2017-10-04 08:58:32.1647 | TRACE | ComponentSpace.SAML2 | 4996/11: 10/4/2017 8:58:32 AM: The X.509 certificate with subject name ******** has been cached.
2017-10-04 08:58:32.1803 | TRACE | ComponentSpace.SAML2 | 4996/11: 10/4/2017 8:58:32 AM: The X.509 certificate with subject name ******** is being used to verify the XML signature.
2017-10-04 08:58:32.1803 | TRACE | ComponentSpace.SAML2 | 4996/11: 10/4/2017 8:58:32 AM: Verifying the XML signature.
2017-10-04 08:58:32.1959 | TRACE | ComponentSpace.SAML2 | 4996/11: 10/4/2017 8:58:32 AM: Failed to verify the XML signature.
2017-10-04 08:58:32.1959 | TRACE | ComponentSpace.SAML2 | 4996/11: 10/4/2017 8:58:32 AM: Signed XML: *******
2017-10-04 08:58:32.1959 | TRACE | ComponentSpace.SAML2 | 4996/11: 10/4/2017 8:58:32 AM: The X.509 certificate with subject name ******** is embedded in the XML signature.
2017-10-04 08:58:32.1959 | TRACE | ComponentSpace.SAML2 | 4996/11: 10/4/2017 8:58:32 AM: The verifying key type is RSACng.
2017-10-04 08:58:32.1959 | TRACE | ComponentSpace.SAML2 | 4996/11: 10/4/2017 8:58:32 AM: The verifying key’s associated cryptographic service provider, “Microsoft Software Key Storage Provider”, doesn’t support SHA-256 signatures.
2017-10-04 08:58:32.1959 | TRACE | ComponentSpace.SAML2 | 4996/11: 10/4/2017 8:58:32 AM: Exception: ComponentSpace.SAML2.Exceptions.SAMLSignatureException: The SAML response signature failed to verify.
2017-10-04 08:58:32.1959 | TRACE | ComponentSpace.SAML2 | 4996/11: 10/4/2017 8:58:32 AM: at ComponentSpace.SAML2.InternalSAMLServiceProvider.VerifySAMLResponseSignature(XmlElement samlResponseElement)


Exception is thrown only on production when running under Windows Server 2012 R2. When it is running on local computer with Windows 10 all is good.

On the local computer there is one difference in the trace:
2017-10-04 10:42:07.1517 | TRACE | ComponentSpace.SAML2 | 8796/11: 10/4/2017 10:42:07 AM: SHA-256, SHA-384 and SHA-512 signature support is already enabled.

Does the certificate match the embedded certificate?
The X.509 certificate with subject name ******** is being used to verify the XML signature.
The X.509 certificate with subject name ******** is embedded in the XML signature.
These should be the same certificate (i.e. the same serial numbers).
If they are the same, could you try the .NET 4.0 version of the SAML2 DLL?

[quote]
ComponentSpace - 10/4/2017
Does the certificate match the embedded certificate?
The X.509 certificate with subject name ******** is being used to verify the XML signature.
The X.509 certificate with subject name ******** is embedded in the XML signature.
These should be the same certificate (i.e. the same serial numbers).
If they are the same, could you try the .NET 4.0 version of the SAML2 DLL?
[/quote]

It is the same certificate, the same application, the same response. If they were different, it wouldn't work on the local computer, would it?
We had a licensed version of the previous library, but there was a bug in it. So we installed the trial of the latest version, which was 2.8.0.0. Then we bought the licensed version and got 2.8.5.0, which doesn't work.
Could we download the licensed .NET 4 version somewhere?

The .NET 4.0 version of the DLL is under the bin\dotNET40 folder. You should have this already.

[quote]
ComponentSpace - 10/4/2017
The .NET 4.0 version of the DLL is under the bin\dotNET40 folder. You should have this already.
[/quote]

Thanks, it works. But it would be better to know the root of the problem, so we can solve it when we really need to update the .NET version and the library accordingly.

The .NET 4.6 version uses the new X509Certificate2 methods GetRSAPrivateKey and GetRSAPublicKey.
These return RSACng objects.
The .NET 4.0 version uses the X509Certificate2 properties PrivateKey and PublicKey.
These return RSACryptoServiceProvider objects.
The RSACng class is new to .NET 4.6 and has an advantage over RSACryptoServiceProvider for signature generation in that it will select the best available cryptographic service provider (CSP) rather than the CSP initially associated with the private key. This provides for better support for SHA-2 signatures.
We’re not sure why on some systems the .NET 4.6 version is causing issues.
We suspect it’s either an issue with the RSACng class or the underlying Windows crypto API.
We don’t believe it’s an issue in our code and unfortunately it’s not something we’ve been able to reproduce.
Is your Windows 2012 R2 server up to date? I assume it is but thought I better ask.
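
The following console probe is an added example and is not ComponentSpace code. It pulls together the two checks suggested in this thread: it compares the serial number of the configured IdP certificate with the serial number(s) embedded in the response's ds:KeyInfo, and then verifies the response signature through both key paths described above (GetRSAPublicKey, which yields an RSACng backed by a CNG key storage provider, and PublicKey.Key, which yields an RSACryptoServiceProvider backed by a CAPI CSP), printing which provider sits behind each key. The file paths are command-line arguments; the class name, the PROV_RSA_AES re-hosting step and the assumption that the first ds:Signature in the document is the Response signature are this example's own. It assumes an RSA signing certificate and .NET Framework 4.6.2 or later, where the SHA-2 XML-DSig URIs are registered with CryptoConfig by default (on earlier builds the library registers them itself, which is what the "Enabling support for SHA-256, SHA-384 and SHA-512 signatures" trace line refers to).

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added diagnostic; not ComponentSpace code. Checks the configured IdP certificate
// against the one embedded in a captured SAML response, then verifies the response
// signature through both key paths the two DLL builds use and reports which
// provider sits behind each key. Assumes an RSA signing certificate, .NET Framework
// 4.6.2 or later (SHA-2 XML-DSig URIs are registered by default there) and that
// the first ds:Signature in the document is the Response signature.
static class SamlSignatureProbe
{
    const int ProvRsaAes = 24;  // PROV_RSA_AES: the CAPI provider type that can hash with SHA-2

    // Loads the XML with whitespace preserved; re-indenting would change the digests.
    public static SignedXml LoadSignature(string path)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.Load(path);
        var signatures = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (signatures.Count == 0)
            throw new InvalidOperationException("No ds:Signature element in the document.");
        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)signatures[0]);
        return signedXml;
    }

    // Serial numbers of any certificates carried in ds:KeyInfo/ds:X509Data, for the
    // "same serial numbers" comparison with the configured certificate.
    public static List<string> EmbeddedSerials(SignedXml signedXml)
    {
        var serials = new List<string>();
        foreach (KeyInfoClause clause in signedXml.KeyInfo)
        {
            var x509Data = clause as KeyInfoX509Data;
            if (x509Data == null) continue;
            foreach (X509Certificate embedded in x509Data.Certificates)
                serials.Add(new X509Certificate2(embedded).SerialNumber);
        }
        return serials;
    }

    // Key path of the .NET 4.6 build: GetRSAPublicKey() returns an RSACng backed by a CNG KSP.
    public static RSA GetCngKey(X509Certificate2 cert, out string description)
    {
        RSA key = cert.GetRSAPublicKey();
        var cng = key as RSACng;
        description = cng == null ? key.GetType().Name
                                  : key.GetType().Name + " via " + cng.Key.Provider.Provider;
        return key;
    }

    // Key path of the .NET 4.0 build: PublicKey.Key returns an RSACryptoServiceProvider (CAPI).
    // If the CSP type is a legacy one (e.g. PROV_RSA_FULL, type 1) that cannot hash with
    // SHA-2, the public key is re-hosted in a PROV_RSA_AES container.
    public static RSACryptoServiceProvider GetCspKey(X509Certificate2 cert, out string description)
    {
        var csp = (RSACryptoServiceProvider)cert.PublicKey.Key;
        var info = csp.CspKeyContainerInfo;
        description = csp.GetType().Name + " via " + info.ProviderName + " (type " + info.ProviderType + ")";
        if (info.ProviderType == ProvRsaAes) return csp;
        var sha2Csp = new RSACryptoServiceProvider(new CspParameters(ProvRsaAes));
        sha2Csp.ImportParameters(csp.ExportParameters(false));  // public parameters only
        description += ", re-hosted in provider type " + ProvRsaAes;
        return sha2Csp;
    }

    // CheckSignature(key) ignores ds:KeyInfo and verifies against the key we supply,
    // which is what a service provider must do: never trust the embedded certificate.
    public static string Verify(SignedXml signedXml, AsymmetricAlgorithm key)
    {
        try { return signedXml.CheckSignature(key).ToString(); }
        catch (CryptographicException e) { return "exception: " + e.Message; }
    }

    static int Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: SamlSignatureProbe <idp-signing.cer> <captured-response.xml>");
            return 2;
        }
        var cert = new X509Certificate2(args[0]);
        var signedXml = LoadSignature(args[1]);

        Console.WriteLine("Configured certificate : " + cert.Subject + " serial " + cert.SerialNumber);
        Console.WriteLine("Embedded serial(s)     : " + string.Join(", ", EmbeddedSerials(signedXml)));
        Console.WriteLine("SignatureMethod        : " + signedXml.SignatureMethod);

        string cngDescription, cspDescription;
        RSA cng = GetCngKey(cert, out cngDescription);
        Console.WriteLine("CNG path (" + cngDescription + "): " + Verify(signedXml, cng));
        RSACryptoServiceProvider csp = GetCspKey(cert, out cspDescription);
        Console.WriteLine("CSP path (" + cspDescription + "): " + Verify(signedXml, csp));
        return 0;
    }
}
```

Build it against System.Security.dll and System.Xml.dll and run it on the Windows 10 workstation and on the Windows Server 2012 R2 host with the same .cer file and the same captured response (the "Signed XML" trace entry, with the masking removed). If the serials match and the CSP path verifies on both machines while the CNG path verifies only on Windows 10, the difference lies in the platform's CNG/RSACng behaviour rather than in the certificate, the response or the SAML library, which is the same conclusion the dotNET40 DLL workaround points to.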

[quote]
ComponentSpace - 10/4/2017
The .NET 4.6 version uses the new X509Certificate2 methods GetRSAPrivateKey and GetRSAPublicKey.
These return RSACng objects.
The .NET 4.0 version uses the X509Certificate2 properties PrivateKey and PublicKey.
These return RSACryptoServiceProvider objects.
The RSACng class is new to .NET 4.6 and has an advantage over RSACryptoServiceProvider for signature generation in that it will select the best available cryptographic service provider (CSP) rather than the CSP initially associated with the private key. This provides for better support for SHA-2 signatures.
We're not sure why on some systems the .NET 4.6 version is causing issues.
We suspect it's either an issue with the RSACng class or the underlying Windows crypto API.
We don't believe it's an issue in our code and unfortunately it's not something we've been able to reproduce.
Is your Windows 2012 R2 server up to date? I assume it is but thought I better ask.

[/quote]

Probably it is not. I'll try to update it and then answer. Thanks for the advice.

Thanks. I’m keen to hear how you go.