Invalid User Encryption.DecryptRSAUTF8 exception: Keyset does not exist


SecureAuth IdP Version Affected:  All



Users receive "Invalid User" and are unable to logon to a realm and the Error log will contain the following error: 

Encryption.DecryptRSAUTF8 exception: Keyset does not exist




The identity that the realm is running under (e.g. NETWORK SERVICE, SecureAuth0Pool etc.) lacks READ permission to the private key of the realm certificate, or the private key is missing.



1. Open the IdP admin console and go to the System Info tab of the realm in question.
2. Scroll down to the License Info section and make a note of the Cert Serial Nbr:
3. Open the Certificates console on the IdP from the Start Menu
4. Now locate the certificate with the matching serial number:
5. Double click the certificate and check that a private key exists:
6. Right Click the certificate | All Tasks | Manage Private Keys
7. Grant Read Access to the following accounts:
          Authenticated Users
          SecureAuth0Pool  (Typed as IIS AppPool\SecureAuth0Pool)
8. It's possible that some Realms run in non-standard App Pools in IIS and additionally the App Pools may run with different identities than those specified above.  To check for this open IIS Manager and Click on Application Pools in the left hand pane.
9. Check that realms are assigned to the correct application pool by right clicking each pool | View Applications and correct as necessary.
Most realms (1 to 998) run under the .NET v4.5 pool using NETWORK SERVICE as the identity. 
Exceptions to this are SecureAuth0, Admin and IdpConfigurator, these run under SecureAuth0Pool or realms which have been configured to run under custom application pools.
10. If custom application pools and/or identities are in use then add the respective identity to the private key permissions in Step 7.  Application pools running as ApplicationPoolIdentity can be added by prefixing the application pool name with IIS AppPool\
e.g. IIS AppPool\MyAppPoolName

SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products

0 out of 0 found this helpful



Please sign in to leave a comment.