Get token using certificate assertion throws keyset does not exist
ashinzekene opened this issue · 3 comments
Which version of ADAL are you using?
Note that to get help, you need to run the latest preview or non-preview version
For MSAL, please log issues to https://github.com/AzureAD/microsoft-authentication-library-for-dotnet
Which platform has the issue?
net45
What authentication flow has the issue?
- Desktop / Mobile
- Interactive
- Integrated Windows Auth
- Username Password
- Device code flow (browserless)
- app id - certificate
- Web App
- Authorization code
- OBO
- Web API
- OBO
Other? - please describe;
Is this a new or existing app?
The app is in production, uses the same version of ADAL, but started seeing this issue
Repro

```csharp
using Microsoft.IdentityModel.Clients.ActiveDirectory;
....
var clientCred = new ClientAssertionCertificate(appId, cert);
var authContext = new AuthenticationContext(authority);
var result = await authContext.AcquireTokenAsync(resource, clientCred);
```
Actual behavior

Throws error `Keyset does not exist`. Exception stack trace:

```
at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
at System.Security.Cryptography.X509Certificates.RSACertificateExtensions.GetRSAPrivateKey(X509Certificate2 certificate)
at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()
at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetAsymmetricAlgorithm(String algorithm, Boolean privateKey)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Platform.SigningHelper.SignWithCertificate(String message, X509Certificate2 certificate)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.ClientCreds.JsonWebToken.Sign(IClientAssertionCertificate credential, Boolean sendX5c)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.ClientCreds.ClientKey.AddToParameters(IDictionary`2 parameters)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<SendTokenRequestAsync>d__65.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
```
Do you see this issue starting to happen after the app is running for a while? Does the issue go away if the app is restarted?
Sometimes this is related to a wrong type of certificate being used. Generally we've seen this related to just the way .NET 4.5 deals with crypto operations, which are improved in later versions of .NET. Additionally, in MSAL we have some resiliency features related to cryptography. So, the recommendation is to move to MSAL.NET and/or newer .NET Framework version (probably at least 4.6.2).
It occurred when creating another instance of a service using the same certificate (basically on a diff environment). The certificate works locally.
Thanks, I'd try using an updated version of .NET Framework
Was a permission issue
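The thread ends with the root cause being a permission issue on the private key, which is exactly the path the stack trace shows: the certificate loads, but opening its CSP key container fails inside `X509Certificate2.get_PrivateKey()`. The following is an added diagnostic (not code from ADAL or from this issue) that reproduces that step in isolation so an operator can tell "no private key" apart from "private key exists but this identity cannot read it"; the store, thumbprint and the .NET Framework 4.6+ APIs (`GetRSAPrivateKey`, `HashAlgorithmName`) are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Probes the same call chain ADAL's SigningHelper walks through
// X509AsymmetricSecurityKey -> GetRSAPrivateKey -> CSP key container.
static class PrivateKeyProbe
{
    public static string Probe(StoreName storeName, StoreLocation location, string thumbprint)
    {
        using (var store = new X509Store(storeName, location))
        {
            store.Open(OpenFlags.ReadOnly);
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (matches.Count == 0)
                return "certificate not found in " + location + "/" + storeName;

            var cert = matches[0];
            // HasPrivateKey only says the cert references a key container; it does not
            // prove the current process identity can open it.
            if (!cert.HasPrivateKey)
                return "certificate has no private key (public-key-only import?)";

            try
            {
                using (RSA rsa = cert.GetRSAPrivateKey())
                {
                    // A real sign operation proves the key is usable, not merely referenced.
                    byte[] sig = rsa.SignData(new byte[] { 1, 2, 3 }, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                    return "private key usable as " + Environment.UserName + "; test signature " + sig.Length + " bytes";
                }
            }
            catch (CryptographicException ex)
            {
                // "Keyset does not exist" (NTE_BAD_KEYSET, 0x80090016) is the message seen in
                // this issue; when the key is present in the store it usually means the
                // service account lacks read access on the key container.
                return "private key not accessible as " + Environment.UserName + ": " + ex.Message;
            }
        }
    }

    static void Main()
    {
        // Assumed values: run under the same service identity that hosts the ADAL client.
        Console.WriteLine(Probe(StoreName.My, StoreLocation.LocalMachine, "<THUMBPRINT-PLACEHOLDER>"));
    }
}
```

Run it under the account that hosts the service (not an interactive admin session), since the key ACL is evaluated per identity. When it reports "not accessible", granting that account read access to the key (certlm.msc, Manage Private Keys) is the fix, rather than re-importing the certificate with a looser scope.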