AzureAD/azure-activedirectory-library-for-dotnet

Get token using certificate assertion throws keyset does not exist

ashinzekene opened this issue · 3 comments

Which version of ADAL are you using?
Note that to get help, you need to run the latest preview or non-preview version
For MSAL, please log issues to https://github.com/AzureAD/microsoft-authentication-library-for-dotnet

Which platform has the issue?
net45

What authentication flow has the issue?

  • Desktop / Mobile
    • Interactive
    • Integrated Windows Auth
    • Username Password
    • Device code flow (browserless)
    • app id - certificate
  • Web App
    • Authorization code
    • OBO
  • Web API
    • OBO

Other? - please describe;

Is this a new or existing app?
The app is in production and uses the same version of ADAL, but started seeing this issue.

Repro

using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

....
// appId: the app registration's client ID; cert: an X509Certificate2 that must carry a usable private key
var clientCred = new ClientAssertionCertificate(appId, cert);

var authContext = new AuthenticationContext(authority);
// ADAL signs a client-assertion JWT with cert's private key before sending the token request
var result = await authContext.AcquireTokenAsync(resource, clientCred);

Actual behavior
throws error

Keyset does not exist. Exception Stack trace:
   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
   at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
   at System.Security.Cryptography.X509Certificates.RSACertificateExtensions.GetRSAPrivateKey(X509Certificate2 certificate)
   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()
   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetAsymmetricAlgorithm(String algorithm, Boolean privateKey)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Platform.SigningHelper.SignWithCertificate(String message, X509Certificate2 certificate)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.ClientCreds.JsonWebToken.Sign(IClientAssertionCertificate credential, Boolean sendX5c)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.ClientCreds.ClientKey.AddToParameters(IDictionary`2 parameters)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<SendTokenRequestAsync>d__65.MoveNext()
--- End of stack trace from previous location where exception was thrown ---

Do you see this issue starting to happen after the app is running for a while? Does the issue go away if the app is restarted?

Sometimes this is related to a wrong type of certificate being used. Generally we've seen this related to just the way .NET 4.5 deals with crypto operations, which are improved in later versions of .NET. Additionally, in MSAL we have some resiliency features related to cryptography. So, the recommendation is to move to MSAL.NET and/or newer .NET Framework version (probably at least 4.6.2).

It occurred when creating another instance of a service using the same certificate (basically on a diff environment). The certificate works locally.

Thanks, I'd try using an updated version of .NET Framework

Was a permission issue
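Added diagnostic, not part of this issue or of ADAL: it repeats the step the stack trace fails in (obtain the RSA private key, sign a message) outside ADAL, so a "Keyset does not exist" can be pinned on the identity the service runs as lacking access to the private key, which is what the reporter eventually found. It assumes the certificate lives in LocalMachine\My and is looked up by thumbprint; those store and lookup choices are assumptions, not from the issue.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Pre-flight check for the certificate ADAL will use to sign the client assertion.
// Assumption (not from the issue): the certificate is in LocalMachine\My and found by thumbprint,
// the usual layout for a Windows service or IIS app pool.
static class ClientCertPreflight
{
    public static bool CanSignWith(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (matches.Count == 0) { Console.WriteLine("certificate not found in LocalMachine\\My"); return false; }
            var cert = matches[0];

            // A public-only .cer import has no private key at all; that is a different failure from an ACL denial.
            if (!cert.HasPrivateKey) { Console.WriteLine("certificate has no associated private key"); return false; }

            try
            {
                // Same step SigningHelper.SignWithCertificate takes: get the RSA private key and sign with it.
                using (RSA rsa = cert.GetRSAPrivateKey())
                {
                    byte[] sig = rsa.SignData(Encoding.UTF8.GetBytes("preflight"),
                                              HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                    Console.WriteLine($"signing OK ({sig.Length * 8}-bit signature)");
                    // For CSP-backed keys, report the key container so an operator can review who may read it
                    // (machine keys live under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys).
                    if (rsa is RSACryptoServiceProvider csp)
                        Console.WriteLine($"key container: {csp.CspKeyContainerInfo.UniqueKeyContainerName} " +
                                          $"(machine key store: {csp.CspKeyContainerInfo.MachineKeyStore})");
                    return true;
                }
            }
            catch (CryptographicException ex)
            {
                // "Keyset does not exist" here means the key is referenced but cannot be opened by this identity
                // (or its container file is gone): grant the service account read access to the key, not a code fix.
                Console.WriteLine($"private key not usable by {Environment.UserName}: {ex.Message}");
                return false;
            }
        }
    }
}
```

Run it once under the same account the service uses; if it succeeds interactively but fails as the service account, the private key's ACL is the difference.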