Version Affected: All
Description:
When accessing a SAML realm, the Users see an error "Error has been logged" this message is generic and can be caused by several different reasons.
Looking in the error logs will usually reveal the cause.
For example:
SAML20SPInit exception error: Keyset does not exist , stack: at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle) at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize) at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey() at MFC.WebApp.SecureAuth.SAML20SPInit.SendSAMLResponse(SAMLResponse samlResponse, String relayState, String assertionConsumerServiceURL, String userID) at MFC.WebApp.SecureAuth.SAML20SPInit.Page_Load(Object sender, EventArgs e)
Cause:
We cannot access the SAML signing certificate private key. Either it is missing or we do not have permission to use it.
This typically happens on Windows SSO realms but can happen on regular realms too.
Resolution:
1. On the Post Auth tab, check which certificate is in use for the SAML signing
2. Open the Certificates Console (Certlm.msc)
3. Check this certificate exists on this Server.
4. Assuming the certificate does exist, right click and select All Tasks | Manage Private Keys
5. For regular realms, we need IIS AppPool\SecureAuth0Pool and Network Service to have read rights
6. If you're using Windows SSO, Authenticated Users need read permissions
7. If your AppPool is running as a non-standard identity, this will need read permissions
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
Comments
Please sign in to leave a comment.