Invalid User Encryption.DecryptRSAUTF8 exception: Keyset does not exist

    Applies to:
  • Legacy SecureAuth IdP
Deployment model:
  • On Premises
  • SecureAuth IdP Version Affected:  All



    Users receive "Invalid User" and are unable to logon to a realm and the Error log will contain the following error: 

    Encryption.DecryptRSAUTF8 exception: Keyset does not exist


     A slightly different version of this error can be seen Encryption.DecryptRSAUTF8 exception: Object reference not set to an instance of an object here


    The identity that the realm is running under (e.g. NETWORK SERVICE, SecureAuth0Pool etc.) lacks READ permission to the private key of the realm certificate, or the private key is missing.



    1. Open the IdP admin console and go to the System Info tab of the realm in question.
    2. Scroll down to the License Info section and make a note of the Cert Serial Nbr:
    3. Open the Certificates console on the IdP from the Start Menu
    4. Now locate the certificate with the matching serial number:
    5. Double click the certificate and check that a private key exists:
    6. Right Click the certificate | All Tasks | Manage Private Keys
    7. Grant Read Access to the following accounts:
              NETWORK SERVICE
              Authenticated Users
              SecureAuth0Pool  (Typed as IIS AppPool\SecureAuth0Pool)
    8. It's possible that some Realms run in non-standard App Pools in IIS and additionally the App Pools may run with different identities than those specified above.  To check for this open IIS Manager and Click on Application Pools in the left hand pane.
    9. Check that realms are assigned to the correct application pool by right clicking each pool | View Applications and correct as necessary.
    Most realms (1 to 998) run under the .NET v4.5 pool using NETWORK SERVICE as the identity. 
    Exceptions to this are SecureAuth0, Admin and IdpConfigurator, these run under SecureAuth0Pool or realms which have been configured to run under custom application pools.
    10. If custom application pools and/or identities are in use then add the respective identity to the private key permissions in Step 7.  Application pools running as ApplicationPoolIdentity can be added by prefixing the application pool name with IIS AppPool\
    e.g. IIS AppPool\MyAppPoolName

    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products

    0 out of 0 found this helpful


    1 comment
    • Double check the permissions on the cert, verify it has the Secureauth0pool, network service and authenticated users. I would remove it and re add it. I bumped into this issue, but when I removed the permissions then re-added them, everything began to work. 

      Comment actions Permalink

    Please sign in to leave a comment.