The X.509 certificate with find type: FindBySerialNumber and find value:could not be found in the X.509 store LocalMachine

Hi,
I am getting this exception only with LogOut request:
Exception: ComponentSpace.SAML2.Exceptions.SAMLCertificateException: The X.509 certificate with find type: FindBySerialNumber and find value:could not be found in the X.509 store LocalMachine.
ComponentSpace.SAML2 Verbose: 0 : 3872/6: 7/11/2018 9:19:14 AM: at ComponentSpace.SAML2.Certificates.CertificateLoader.LoadCertificateFromStore(StoreLocation storeLocation, X509FindType findType, Object findValue)
at ComponentSpace.SAML2.Certificates.CachedCertificateLoader.LoadCertificateFromStore(StoreLocation storeLocation, X509FindType findType, Object findValue)
at ComponentSpace.SAML2.Certificates.CertificateManager.LoadCertificate(String certificateFile, String certificatePassword, String certificatePasswordKey, StoreLocation storeLocation, String certificateSerialNumber, String certificateThumbprint, String certificateSubject)

This is thrown only with the LogOut request. LogIn request works without any problem.
Have made sure the certificate exists and LocalUser (IIS_Usr, IUSR) has read access. There is no duplicate in my store on LocalMachine.
Have also tried by using LocalCertificateThumbprint and LocalCertificateSubject without any success.

Thanks.

Please be careful that the serial number string doesn’t include any hidden Unicode characters (eg BOM at the beginning of the string).
This can occur if you copy/paste from the certificate properties.
If there’s still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.
https://www.componentspace.com/Forums/17/Enabing-SAML-Trace

[quote]
ComponentSpace - 7/12/2018
Please be careful that the serial number string doesn't include any hidden Unicode characters (eg BOM at the beginning of the string).
This can occur if you copy/paste from the certificate properties.
If there's still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.
https://www.componentspace.com/Forums/17/Enabing-SAML-Trace
[/quote]

Thanks.
Mail sent.

Thanks.
I don’t see any obvious issues other than it can’t find the certificate.
Did you copy/paste the serial number from the certificate properties into the SAML configuration?
If so, please try typing the serial number to avoid the hidden Unicode characters I mentioned.
Is the certificate under Local Machine > Personal > Certificates as displayed by the Certificates MMC snap-in?

[quote]
ComponentSpace - 7/12/2018
Thanks.
I don't see any obvious issues other than it can't find the certificate.
Did you copy/paste the serial number from the certificate properties into the SAML configuration?
If so, please try typing the serial number to avoid the hidden Unicode characters I mentioned.
Is the certificate under Local Machine > Personal > Certificates as displayed by the Certificates MMC snap-in?
[/quote]

Thanks for your reply.
Even typing in the serial number didn't make any difference. Same error (only when SignOut).
Yes, it's under LocalMachine-> Personal.

Any further thoughts?

Please create a console application with the following code.
This will list the certificates.
Confirm that the certificate is listed.

using System;
using System.Security.Cryptography.X509Certificates;

class Program
{
    static void Main(string[] args)
    {
        // Open the Local Machine > Personal store read-only and list every certificate in it.
        var x509Store = new X509Store(StoreName.My, StoreLocation.LocalMachine);

        x509Store.Open(OpenFlags.ReadOnly);

        foreach (X509Certificate2 x509Certificate in x509Store.Certificates)
        {
            Console.WriteLine($"Subject: {x509Certificate.Subject}");
            Console.WriteLine($"Serial number: {x509Certificate.SerialNumber}");
            Console.WriteLine($"Thumbprint: {x509Certificate.Thumbprint}");
            Console.WriteLine();
        }

        x509Store.Close();
    }
}


[quote]
ComponentSpace - 7/13/2018
Please create a console application with the following code.
This will list the certificates.
Confirm that the certificate is listed.

static void Main(string[] args)
{
var x509Store = new X509Store(StoreName.My, StoreLocation.LocalMachine);

x509Store.Open(OpenFlags.ReadOnly);

foreach (X509Certificate2 x509Certificate in x509Store.Certificates)
{
Console.WriteLine($"Subject: {x509Certificate.Subject}");
Console.WriteLine($"Serial number: {x509Certificate.SerialNumber}");
Console.WriteLine($"Thumbprint: {x509Certificate.Thumbprint}");
Console.WriteLine();
}

x509Store.Close();
}


[/quote]

Thanks for your reply.
Yes, I can confirm that the correct certificates are listed using the above code.


We simply use X509Store.Certificates.Find to find the certificate by serial number etc.
I can’t explain why this isn’t working if the above code is showing the expected serial numbers etc.
Please try installing one of the PFX certificate files we ship into the certificate store, specifying this by serial number in your SAML configuration, and emailing us the SAML log file showing this certificate failing.
Also include the output from running the above code so the serial number can be cross checked.


[quote]
ComponentSpace - 7/17/2018
We simply use X509Store.Certificates.Find to find the certificate by serial number etc.
I can't explain why this isn't working if the above code is showing the expected serial numbers etc.
Please try installing one of the PFX certificate files we ship into the certificate store, specifying this by serial number in your SAML configuration, and emailing us the SAML log file showing this certificate failing.
Also include the output from running the above code so the serial number can be cross checked.


[/quote]

Could it be a permission issue? Our application pool is running with the NetworkService user while the above code ran with the logged-in system user context.
Thanks

It’s possible but usually you get an access permission exception.
In the Advanced Settings for your application pool, do you have Load User Profile set to true?

[quote]
ComponentSpace - 7/17/2018
It's possible but usually you get an access permission exception.
In the Advanced Settings for your application pool, do you have Load User Profile set to true?

[/quote]

Changing "Load User Profile" to True didn't make any difference unfortunately.
Still the same problem. Sign-in works, no problem, but sign-out didn't; it returns a blank screen with errors in the IDP log as shared earlier.

Is the signing certificate in the Windows certificate store and specified by serial number?
Could you please email another log file showing the successful signature generation and failed signature verification?

Please try the following code from a console application.
Update the serialNumber below.
This is the equivalent code to what the product is doing when running the SAML API.

using System;
using System.Security.Cryptography.X509Certificates;

// Top-level statements (C# 9+); otherwise place the lines below inside Main.
var x509Store = new X509Store(StoreName.My, StoreLocation.LocalMachine);

x509Store.Open(OpenFlags.ReadOnly);

// TODO - update serial number
var serialNumber = "DF5862E0F6E7768044D4E649DEB5CB94";

Console.WriteLine($"Searching for certificate with serial number {serialNumber}.");

// validOnly is false so an expired or untrusted certificate is still returned.
var x509CertificateCollection = x509Store.Certificates.Find(X509FindType.FindBySerialNumber, serialNumber, false);

if (x509CertificateCollection != null && x509CertificateCollection.Count > 0)
{
    foreach (X509Certificate2 x509Certificate in x509CertificateCollection)
    {
        Console.WriteLine($"Subject: {x509Certificate.Subject}");
        Console.WriteLine($"Serial number: {x509Certificate.SerialNumber}");
        Console.WriteLine($"Thumbprint: {x509Certificate.Thumbprint}");
        Console.WriteLine();
    }
}
else
{
    Console.WriteLine($"Certificate with serial number {serialNumber} not found.");
}

x509Store.Close();
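
An added diagnostic (my code, not ComponentSpace's) that combines the two points raised in this thread: it validates the configured serial number for hidden characters before calling Find, and on a miss lists the certificates the current process identity can actually see. It assumes a certificate with the thread's sample serial number is installed under Local Machine > Personal; the BOM-prefixed string in Main is constructed.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic, not part of ComponentSpace.SAML2. The serial number is the
// sample value from this thread; the BOM prefix in Main is constructed.
static class SerialNumberCheck
{
    // A BOM (U+FEFF) pasted from the certificate dialog is not whitespace, so
    // nothing strips it and Find simply reports no match. Returns the cleaned
    // hex string, or throws with a code-unit dump so the hidden character
    // is visible in the log.
    public static string Normalize(string raw)
    {
        var cleaned = new string(raw.Where(c => !char.IsWhiteSpace(c)).ToArray());
        if (cleaned.Length == 0 || !cleaned.All(Uri.IsHexDigit))
        {
            var dump = string.Join(" ", raw.Select(c => ((int)c).ToString("X4")));
            throw new FormatException($"Serial number is empty or not clean hex. UTF-16 code units: {dump}");
        }
        return cleaned.ToUpperInvariant();
    }

    // Same lookup the thread describes (FindBySerialNumber, validOnly: false).
    // On a miss, list what this identity can see so it can be compared with
    // the MMC view under the logged-in user.
    public static X509Certificate2 Lookup(string serialNumber)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        var found = store.Certificates.Find(X509FindType.FindBySerialNumber, serialNumber, false);
        if (found.Count > 0)
            return found[0];
        foreach (var c in store.Certificates)
            Console.WriteLine($"visible to {Environment.UserName}: {c.SerialNumber} {c.Subject}");
        throw new InvalidOperationException($"No certificate with serial number {serialNumber} in LocalMachine\\My.");
    }

    static void Main()
    {
        // Constructed: what a paste from the certificate dialog can produce.
        string pasted = "\uFEFF" + "DF5862E0F6E7768044D4E649DEB5CB94";
        try { Normalize(pasted); }
        catch (FormatException e) { Console.WriteLine(e.Message); } // dump starts with FEFF

        var cert = Lookup(Normalize(pasted.TrimStart('\uFEFF')));
        Console.WriteLine($"Found: {cert.Thumbprint}");
    }
}
```

Note that in the exception quoted in the first post the text after "find value:" is empty, which is exactly the case Normalize reports before Find is ever called; run Lookup under the application pool identity (NetworkService here) rather than the logged-in user to see the store as the web application sees it.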


[quote]
ComponentSpace - 7/18/2018
Please try the following code from a console application.
Update the serialNumber below.
This is the equivalent code to what the product is doing when running the SAML API.

var x509Store = new X509Store(StoreName.My, StoreLocation.LocalMachine);

x509Store.Open(OpenFlags.ReadOnly);

// TODO - update serial number
var serialNumber = "DF5862E0F6E7768044D4E649DEB5CB94";

Console.WriteLine($"Searching for certificate with serial number {serialNumber}.");

var x509CertificateCollection = x509Store.Certificates.Find(X509FindType.FindBySerialNumber, serialNumber, false);

if (x509CertificateCollection != null && x509CertificateCollection.Count > 0)
{
foreach (X509Certificate2 x509Certificate in x509CertificateCollection)
{
Console.WriteLine($"Subject: {x509Certificate.Subject}");
Console.WriteLine($"Serial number: {x509Certificate.SerialNumber}");
Console.WriteLine($"Thumbprint: {x509Certificate.Thumbprint}");
Console.WriteLine();
}
}
else
{
Console.WriteLine($"Certificate with serial number {serialNumber} not found.");
}

x509Store.Close();


[/quote]

Thanks.
The code does return the certificate. However, I assume it should have listed without any issues because it runs in current (logged-in) user context NOT as NetworkService.


As an experiment just to confirm it’s related to the user context, please run the same code in your web application.
We don’t see issues accessing the Windows certificate store from web application running under IIS so there must be something a little different about your setup.
It should run under the default application pool (DefaultAppPool) with the default settings.
Have you tried running under the Identity of ApplicationPoolIdentity as shown in the advanced settings screenshot?