Keyset does not exist

I tried to go through the Identity Developer Training Kit but unfortunately couldn't solve the following issue.


I start Visual Studio (with admin rights), load "ClaimsEnableWebSiteEx01/End" and deploy the project to IIS by pressing Ctrl+F5. The server makes a redirection to Login.aspx showing the "Login to the STS" for Adam Carter. :-)

Once I click the Submit button a yellow screen appears in the browser:

"CryptographicException: Keyset does not exist"

IIS runs with the STSTest certificate bound to https port 443 (as explained in SamplesReadMe.htm point 4). So what's wrong with that keyset?

[CryptographicException: Der Schlüsselsatz ist nicht vorhanden.
]
System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) +369
System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle) +151
System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() +85
System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize) +280
System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey() +468
System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey() +64
System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm) +22
Microsoft.IdentityModel.Protocols.XmlSignature.SignedXml.ComputeSignature(SecurityKey signingKey) +522
Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureWriter.ComputeSignature() +187
Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureWriter.OnEndRootElement() +253
Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.WriteAssertion(XmlWriter writer, SamlAssertion assertion) +839
Microsoft.IdentityModel.Tokens.SecurityTokenSerializerAdapter.WriteTokenCore(XmlWriter writer, SecurityToken token) +379
Microsoft.IdentityModel.Protocols.WSTrust.WSTrustSerializationHelper.WriteRSTRXml(XmlWriter writer, String elementName, Object elementValue, WSTrustSerializationContext context, WSTrustConstantsAdapter trustConstants) +932
Microsoft.IdentityModel.Protocols.WSTrust.WSTrustSerializationHelper.WriteKnownResponseElement(RequestSecurityTokenResponse rstr, XmlWriter writer, WSTrustSerializationContext context, WSTrustResponseSerializer responseSerializer, WSTrustConstantsAdapter trustConstants) +477
Microsoft.IdentityModel.Protocols.WSTrust.WSTrust13ResponseSerializer.WriteKnownResponseElement(RequestSecurityTokenResponse rstr, XmlWriter writer, WSTrustSerializationContext context) +70
Microsoft.IdentityModel.Protocols.WSTrust.WSTrustSerializationHelper.WriteResponse(RequestSecurityTokenResponse response, XmlWriter writer, WSTrustSerializationContext context, WSTrustResponseSerializer responseSerializer, WSTrustConstantsAdapter trustConstants) +271
Microsoft.IdentityModel.Protocols.WSTrust.WSTrust13ResponseSerializer.WriteXml(RequestSecurityTokenResponse response, XmlWriter writer, WSTrustSerializationContext context) +121
Microsoft.IdentityModel.Protocols.WSFederation.WSFederationSerializer.GetResponseAsString(RequestSecurityTokenResponse response, WSTrustSerializationContext context) +182
Microsoft.IdentityModel.Protocols.WSFederation.SignInResponseMessage..ctor(Uri baseUrl, RequestSecurityTokenResponse response, WSFederationSerializer federationSerializer, WSTrustSerializationContext context) +94
Microsoft.IdentityModel.Web.Controls.FederatedPassiveTokenService.ProcessSignInRequest(SignInRequestMessage requestMessage) +372
Microsoft.IdentityModel.Web.Controls.FederatedPassiveTokenService.OnPreRender(EventArgs e) +1621
System.Web.UI.Control.PreRenderRecursiveInternal() +108
System.Web.UI.Control.PreRenderRecursiveInternal() +224
System.Web.UI.Control.PreRenderRecursiveInternal() +224
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3394

Any help appreciated.

FloAtFokus
Hey FloAtFokus,

What user is the STS app running as? Check that that identity has read permission to the private key of the STSTest cert. I would imagine that the walk through comes w/ a BAT file to set this up correctly. Does it? Did you run it? If so, this might not be it, but I would start w/ that if I were you.

HTH!

Regards,

Travis Spencer
http://travisspencer.com
Travis Spencer
Thanks for your reply but I do not understand your hint. The STS app runs in the DefaultAppPool of my local IIS.
How do I set permissions for the cert?

The IDTK tutorial comes with a "SetupCertificates.cmd" (IdentityDeveloperTrainingKit\Labs\WebSitesAndIdentity\Setup\Scripts\). Running that script (as admin) leads to the following message:

Importing [...]\STSTest.pfx to Local Machine MY store, please wait...
1 certificate(s) successfully imported.

Importing [...]\STSTest.pfx to Local Machine TRUSTEDPEOPLE store, please wait...
0 certificate(s) successfully imported.

...and the line
winhttpcertcfg.exe -g -c LOCAL_MACHINE\My -s STSTestCert -a "NETWORK SERVICE"
...
leads to the following message:

Matching certificate:
CN=STSTestCert
Error: No account information was found


How do I import the cert to the TRUSTEDPEOPLE store and how do I grant access to ASP.NET?

PS:
My configuration is
- 64 bit system
- Windows 7 Enterprise
- IIS 7.5
- VS 2008 Prof Edition
  • Edited by FloAtFokus Wednesday, August 19, 2009 8:14 AM
FloAtFokus
I granted access to the IIS APPPOOL (== Network Service in IIS 7.5) by running

winhttpcertcfg.exe -g -c LOCAL_MACHINE\My -s STSTest -a "IIS APPPOOL"


winhttpcertcfg.exe -l -c LOCAL_MACHINE\My -s STSTest

--> "Additional accounts and groups with access to the private key include
...
IIS APPPOOL\IIS APPPOOL
"

...but unfortunately the error still occurs :-(
FloAtFokus
Hey FloAtFokus,

I Googled around for that HRESULT and reflectored the code in the stack trace above. I would say that I'm 95% certain that it's one of three things:

  1. The perms on the private key are missing.
  2. The cert itself is missing or in the wrong place.
  3. The key isn't trusted, causing it to not be found. If the cert is there and the perms on the private key are in place, but it's untrusted, accessing it will result in nothing valid being found.
Given the output from the CMD file above and your winhttpcertcfg output, I would say the last one is most likely.

To fix this, open the MMC and add the Certificates snap-in for the local computer account. Then import STSTest.pfx into the Trusted Root Certification Authorities store and grant "IIS APPPOOL" read access.

HTH!


Regards,

Travis Spencer
http://travisspencer.com
Travis Spencer
I granted access to "DefaultAppPool" and the error message of IIS changed. It's a little bit less now :-)

CryptographicException: File not found

What file????

Did anybody get these Identity Developer Training Kit Exercises running?


[CryptographicException: Das System kann die angegebene Datei nicht finden.
]
System.Security.Cryptography.ProtectedData.Protect(Byte[] userData, Byte[] optionalEntropy, DataProtectionScope scope) +681
Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Encode(Byte[] value) +35
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +74
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.Serialize(SessionSecurityToken sessionToken) +766
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(XmlWriter writer, SecurityToken token) +200
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(SessionSecurityToken sessionToken) +75
Microsoft.IdentityModel.Web.SessionAuthenticationModule.WriteSessionTokenToCookie(SessionSecurityToken sessionToken) +128
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request) +383
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +247
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171
FloAtFokus
Hi FloAtFokus,
the first thing I would suggest would be verifying that your Geneva Framework installation works properly. You should NOT need to do any of the permission work mentioned in the thread, the Geneva Framework takes care of that regardless of the presence of the Kit.
Try to run some SDK samples (for example "Simple Claims Aware Web Application", don't forget to read "SamplesReadMe.htm" and apply the prerequisites) and see if it works for you; if it does, try creating a web site and adding a local STS to it (via right click/modify STS Reference...). If those two simple tasks work as expected, chances are that the training kit will work as well: if they don't, I would suggest repeating the framework installation (making sure that your system meets all the prerequisites).
HTH,

Vittorio
Vittorio Bertocci - MSFT
You should NOT need to do any of the permission work mentioned in the thread
I'm confused, Vittorio. Why do you say this?


Regards,

Travis Spencer
http://travisspencer.com
Travis Spencer

That's because the installation should have taken care of setting the permissions, you should not be required to do it explicitly yourself.

Vittorio Bertocci - MSFT
Hi!

As your initial error message seems to be partly in German I wonder if you are running on a Windows machine with localization?

In such cases the different setup scripts in both the WIF SDK samples and in the training kit refer to the "NETWORK SERVICE" account and you need to modify all of these to match the localized name for the service account. I had to replace the "NETWORK SERVICE" strings in commands where permissions are assigned in the scripts with "NÄTVERKSTJÄNST" which is the Swedish name for the Network Service account.

Edit the SetupCertificates.cmd script placed in the Setup folders of the labs to find and modify the references to the Network Service account. Specifically, calls to winhttpcertcfg.exe include these service account names.

If you in fact are on a German version of Windows you should use the account "NETZWERKDIENST".

Best regards,
Per Salmi

Per Salmi, Software Developer .NET Technologies, PerSalmi.NET
Per Salmi
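The checks Travis lists for "Keyset does not exist" (private-key permissions, certificate placement, trust) and the localized account-name problem Per Salmi describes can be handled from one elevated PowerShell session instead of by editing the kit's CMD scripts. The script below is an added example; it is not part of the thread, the Geneva Framework or the training kit. It assumes the certificate subject is CN=STSTestCert (the subject shown in the winhttpcertcfg output above), that the STS site runs in DefaultAppPool, and that the key is a CAPI/CSP key, which the stack trace's RSACryptoServiceProvider frames confirm. The trust store it targets is TRUSTEDPEOPLE, the store the kit's SetupCertificates.cmd reported "0 certificate(s) successfully imported" for. NETWORK SERVICE is addressed by its well-known SID rather than by name, so the same script works on an English, German or Swedish Windows.

```powershell
# Added example (not from the thread or the training kit scripts).
# Run from an elevated PowerShell prompt on the IIS host.
# Assumptions: subject CN=STSTestCert (from the thread), STS site in DefaultAppPool,
# CAPI/CSP private key (the stack trace goes through RSACryptoServiceProvider).
param(
    [string]$Subject     = 'CN=STSTestCert',
    [string]$AppPoolName = 'DefaultAppPool'
)
$ErrorActionPreference = 'Stop'

# --- 1. Is the certificate in the store the STS reads, and does it carry a private key? ---
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject } |
        Select-Object -First 1
if (-not $cert) {
    throw "'$Subject' is not in LocalMachine\My. Re-import the .pfx into the machine MY store."
}
if (-not $cert.HasPrivateKey) {
    throw "'$Subject' was imported without its private key (wrong .pfx password or a public-key-only file)."
}
Write-Host "Found $($cert.Subject), thumbprint $($cert.Thumbprint), private key present."

# --- 2. Locate the key container file that the ACL must be set on. ---
# Machine CSP keys are files under ProgramData\Microsoft\Crypto\RSA\MachineKeys,
# named after the key's unique container name. Reading .PrivateKey here is the same
# probe that produced the thread's exception: if it throws "Keyset does not exist"
# even for an administrator, the container file is gone and the .pfx must be re-imported.
$containerName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys') $containerName
if (-not (Test-Path $keyPath)) {
    throw "Key container file '$keyPath' is missing; nobody can open this private key."
}

# --- 3. Grant Read on the key file to the identities the STS may run as. ---
# The app pool's virtual account (IIS 7.5) is addressed by name. NETWORK SERVICE is
# addressed by its well-known SID S-1-5-20, which resolves on every locale
# ("NETZWERKDIENST", "NÄTVERKSTJÄNST", ...) without touching any script text.
$identities = @(
    [System.Security.Principal.NTAccount]"IIS AppPool\$AppPoolName",
    (New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-20')
)
$acl = Get-Acl -Path $keyPath
foreach ($id in $identities) {
    # Read is all a signer needs; never grant FullControl on a key container.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $keyPath -AclObject $acl

# --- 4. Make the public certificate trusted, as the kit's script intended. ---
# Add only the public part (RawData, no private key) to LocalMachine\TrustedPeople.
$publicOnly = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$cert.RawData)
$trusted = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPeople', 'LocalMachine')
$trusted.Open('ReadWrite')
if (-not $trusted.Certificates.Contains($publicOnly)) { $trusted.Add($publicOnly) }
$trusted.Close()

# --- 5. Print the resulting key ACL so the change can be reviewed, then recycle the pool. ---
(Get-Acl -Path $keyPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
Write-Host "Recycle the '$AppPoolName' application pool (or run iisreset) and retry the sign-in."
```

Step 2 doubles as the diagnostic: an administrator who still gets "Keyset does not exist" from `$cert.PrivateKey` has a certificate whose key container was never imported, and no ACL change will help until the .pfx is imported again. The ACL listing in step 5 is the same information winhttpcertcfg -l prints, and is worth keeping with the deployment notes so that later changes to key permissions are visible.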
