Exception of type 'System.Security.CryptographicException' was thrown. Keyset does not exist.
As many posters have pointed out, it's because reading the private key to decrypt the STS message failed. There are several reasons why the private key cannot be read:
- The private key is not available in the right place. For a web application that runs under a service account, it typically reads from the machine's certificate store (Local Machine, My). If the certificate with the private key is not in the machine store, the application process won't find it. Typically the application can be configured to use the service account's certificate store instead. If that's the case, you must log in as the service account and make sure the certificate is in the Current User store of that account.
- The private key itself has problems. Most often in development, it is because the self-generated certificate is not trusted on the server itself.
- The private key is good and in the right place, but the process identity doesn't have read access to it. This is the most common and most difficult cause. The private keys of the certificates in the Machine Store are stored in the folder C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys on Windows 2008 and Windows 7. What is confusing is that it's not the whole folder that the process identity needs access to (an admin user can't set permissions on this folder by default anyway); it's the specific private key file that the permission should be granted on. Identifying the correct private key file proves to be tricky. If the server has few certificate-related activities, you can guess that the file with the most recent date is the one you need. Otherwise, use a tool called FindPrivateKey, which is in the WCF Examples download provided by Microsoft: http://msdn.microsoft.com/en-us/library/aa717039.aspx Then grant at least read permission on the file to the process identity. The error should go away.
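The third cause above can be fixed without guessing by file date. The following Windows PowerShell script is an added example, not from the original post or from Microsoft's FindPrivateKey: it looks up the certificate by thumbprint, resolves the CSP key container to its file under MachineKeys, and grants Read on that one file only. The thumbprint and account name are placeholders; it assumes Windows PowerShell 5.1, an RSA key stored by a CSP (the MachineKeys case described above, not a CNG key), and an elevated session.

```powershell
# Added example: grant a service account Read access to one certificate's private key file.
# Placeholders: replace the thumbprint and the process identity with your own values.
$thumbprint = 'PLACEHOLDER_THUMBPRINT'
$account    = 'NT AUTHORITY\NETWORK SERVICE'   # the identity the web application runs as

# Locate the certificate in the Local Machine \ Personal (My) store.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert)                { throw "Certificate $thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey)  { throw "Certificate $thumbprint has no private key in this store" }

# For CSP (CAPI) keys the unique container name is the file name under MachineKeys.
# Reading this property itself needs access to the key, hence the elevated session.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
if (-not (Test-Path $keyFile)) { throw "Key file $keyFile not found; CNG keys are stored elsewhere" }

# Add a Read allow entry for the process identity on the key file only, not on the folder.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Show the resulting ACL so the change can be verified and recorded.
(Get-Acl -Path $keyFile).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType
```

Granting Read rather than Full Control keeps the service account from re-ACLing or deleting the key, which is the least privilege the decryption path needs.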