ComponentSpace

Forums



Random Keyset Does Not Exist Error


AndyCarter (New Member, 4 reputation)

Group: Forum Members
Posts: 3, Visits: 15
We're experiencing a random "Keyset does not exist" error when running an MVC app in Azure that is scaled across multiple instances. The error is 

System.Security.Cryptography.CryptographicException: Keyset does not exist
   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
   at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
   at ComponentSpace.SAML2.InternalSAMLIdentityProvider.CreateSAMLResponse(String userName, SAMLAttribute[] attributes, Status status, String assertionConsumerServiceUrl)
   at ComponentSpace.SAML2.InternalSAMLIdentityProvider.SendSSO(HttpResponseBase httpResponse, String userName, SAMLAttribute[] attributes, Status status, String assertionConsumerServiceUrl)
   at ComponentSpace.SAML2.SAMLIdentityProvider.SendSSO(HttpResponseBase httpResponse, String userName, IDictionary`2 attributes)

This error doesn't occur for all users, and seems to affect people at random.

From searching for further info, the vast majority of relevant information to try to fix the issue involves either changing the account the web app runs under or changing the way the certificate is opened.
In Azure, we can't change the account for the app, and the cert is opened internally by the component.

Any pointers or assistance gratefully received.

Many thanks
Regards
Andy
ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
Hi Andy
It's most likely a permissions issue accessing the private key.
Please take a look at the following forum post.
http://www.componentspace.com/Forums/29/Troubleshooting-Loading-X.509-Certificates
The other option to consider is to store the certificate in the Windows certificate store rather than on the file system.

Regards
ComponentSpace Development
AndyCarter (New Member, 4 reputation)

Group: Forum Members
Posts: 3, Visits: 15
ComponentSpace - 5/4/2017
Hi Andy
It's most likely a permissions issue accessing the private key.
Please take a look at the following forum post.
http://www.componentspace.com/Forums/29/Troubleshooting-Loading-X.509-Certificates
The other option to consider is to store the certificate in the Windows certificate store rather than on the file system.

Hi there,

Thanks for the reply, however with an Azure Web App we don't have access to the file system and just have console or FTP access to the published Web App files. Nor is there a machine we can log into to do anything with a cert store, or change any permissions.

We are using the High Level API - even though the linked post refers to explicitly opening the cert in global.asax for the Low Level API, should we also try this for the High Level API? Another option that may be available to us is to use Azure to store the certs and consume them in our Web Apps - https://azure.microsoft.com/en-in/blog/using-certificates-in-azure-websites-applications/ - presumably we'd need to load the certs in global.asax in this case, even though we're using the High Level API?

Best regards
Andy

ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
Hi Andy
That article refers to storing certificates in the Windows certificate store although it doesn't explicitly state this.
In your SAML configuration (eg saml.config file) you can specify certificates stored in the Windows certificate store.
These can be referenced by subject name, serial number or thumbprint.
Please note that the store location must be set to CurrentUser. The default is LocalMachine.
For example:

<IdentityProvider
    LocalCertificateSerialNumber="1234"
    LocalCertificateStoreLocation="CurrentUser"
/>

Regards
ComponentSpace Development
AndyCarter (New Member, 4 reputation)

Group: Forum Members
Posts: 3, Visits: 15
ComponentSpace - 5/4/2017
Hi Andy
That article refers to storing certificates in the Windows certificate store although it doesn't explicitly state this.
In your SAML configuration (eg saml.config file) you can specify certificates stored in the Windows certificate store.
These can be referenced by subject name, serial number or thumbprint.
Please note that the store location must be set to CurrentUser. The default is LocalMachine.
For example:

<IdentityProvider
    LocalCertificateSerialNumber="1234"
    LocalCertificateStoreLocation="CurrentUser"
/>


Just to provide some feedback, we were able to resolve this issue by uploading the certificate to the cert store for the web app in the Azure Portal, and reference it by the thumbprint.
https://azure.microsoft.com/en-gb/blog/using-certificates-in-azure-websites-applications/ provides details on this - although it shows the old Azure portal in the article, it was quite easy to translate this to the newer Azure Portal when implementing.

Thank you for your help!
Best regards,
Andy
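The following diagnostic is an added example and is not ComponentSpace's code or anything posted in this thread. It exercises the same call path the stack trace shows (X509Certificate2 private-key access) for a certificate referenced by thumbprint in the CurrentUser\My store, which is where both the saml.config example above (LocalCertificateStoreLocation="CurrentUser") and the Azure Portal upload Andy describes put it. It assumes the Azure App Service WEBSITE_LOAD_CERTIFICATES app setting has been configured so the uploaded certificate is loaded into that store for the app's process identity; the thumbprint in Main is a constructed placeholder. Run it once per instance to distinguish "certificate not found", "no private key" and "keyset does not exist" before involving the SAML component.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic example (not ComponentSpace code). Assumes the certificate was
// uploaded to the Azure Web App and exposed via the WEBSITE_LOAD_CERTIFICATES
// app setting, so it is present in CurrentUser\My for the app's identity.
public static class CertificateProbe
{
    // Reports whether the certificate with the given thumbprint is present in
    // CurrentUser\My and whether its private key can actually be used.
    public static string Probe(string thumbprint)
    {
        // Thumbprints copied from the portal or certmgr often carry spaces or a
        // hidden leading Unicode character; normalise before searching.
        string normalised = thumbprint.Replace(" ", string.Empty).Trim().ToUpperInvariant();

        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

            // validOnly: false so an expired or untrusted test certificate is still reported.
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, normalised, validOnly: false);

            if (matches.Count == 0)
                return "NOT FOUND in CurrentUser\\My (check WEBSITE_LOAD_CERTIFICATES and the store location)";

            X509Certificate2 cert = matches[0];
            if (!cert.HasPrivateKey)
                return "FOUND but no private key (was a .cer uploaded instead of a .pfx?)";

            try
            {
                // This is the same step as X509Certificate2.get_PrivateKey in the
                // stack trace: opening the key container. "Keyset does not exist"
                // surfaces here when the container is missing or unreadable.
                using (RSA rsa = cert.GetRSAPrivateKey())
                {
                    if (rsa == null)
                        return "FOUND but private key is not RSA";

                    // A real signing operation proves the key is usable, not just referenced.
                    byte[] signature = rsa.SignData(
                        new byte[] { 1, 2, 3 }, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                    return "OK: private key usable, test signature " + signature.Length + " bytes";
                }
            }
            catch (CryptographicException ex)
            {
                return "FOUND but private key unusable: " + ex.Message;
            }
        }
    }

    public static void Main()
    {
        // Constructed placeholder; replace with the thumbprint shown in the Azure Portal.
        Console.WriteLine(Probe("0000000000000000000000000000000000000000"));
    }
}
```

Because the thread reports the error on only some of the scaled-out instances, the useful check is to run the probe on each instance (for example from the Kudu console of every instance) rather than once; a single "OK" does not prove the certificate is loaded everywhere.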
ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
Thanks Andy for the additional information.

Regards
ComponentSpace Development