OpenID server_error: An error was encountered. "Error occurred during a cryptographic operation."

    Applies to:
      • SecureAuth Identity Platform
      • Legacy SecureAuth IdP
    Deployment model:
      • Cloud
      • Hybrid
      • On Premises
    Version Affected: All

    Description:

    When a user logs into an OpenID app for the first time, it works fine.

    However, subsequent logins hit a second IdP, and the user sees server_error.

    The debug log shows:

    LogChannel="SA_DEBUG" FormatVersion="0.0.1" EventID="40999" Timestamp="2022-09-14T17:21:21.715Z" CompanyID="" ApplianceID="" Realm="" UserID="" BrowserSession="07427dfe-33f2-4297-83a3-914275be00ac" StateMachineID="" RequestID="b7e6d4ee-06dd-4e86-a905-df3a47be2ba2" UserHostAddress="" Message="[AuthorizeEndpoint].[ProcessConsent]: Exception: System.Security.Cryptography.CryptographicException: Error occurred during a cryptographic operation.
    at System.Web.Security.Cryptography.HomogenizingCryptoServiceWrapper.HomogenizeErrors(Func`2 func, Byte[] input)
    at System.Web.Security.FormsAuthentication.Decrypt(String encryptedTicket)
    at SecureAuth.IdentityModel.OpenIDConnect.Handlers.AuthorizeEndpointHandler.GetCookieAuthenticationTime()
    at SecureAuth.IdentityModel.OpenIDConnect.Handlers.AuthorizeEndpointHandler.ProduceResponseContent()
    at SecureAuth.IdentityModel.OpenIDConnect.Endpoints.AuthorizeEndpoint.DeliverResponseContent()
    at SecureAuth.IdentityModel.OpenIDConnect.Endpoints.AuthorizeEndpoint.ProcessConsent()"

     

    Cause:

    A cookie is created at the time of the first login. The secondary IdPs are unable to decrypt it because the realm's MachineKey setting is "Isolate Apps", so each IdP uses its own key.

    Resolution:

    Generate the MachineKeys so that the cookie can be decrypted by all IdPs.

    1. Open the Admin Console

    2. Navigate to the PostAuth tab of the OpenID realm

    3. Click on the "Click here to edit FormsAuth/SSO" link

    4. Scroll to the Machine Keys section and click Generate

    5. Click Save.
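    As an added example (not SecureAuth's own code) of what the Generate step amounts to at the ASP.NET level, the PowerShell below produces an explicit machineKey element to be shared by every IdP and checks a set of realm web.config files for a matching one; the web.config paths are assumptions.

```powershell
# Added example, not SecureAuth code. Shows the ASP.NET setting behind this KB:
# an autogenerated, isolated <machineKey> is unique to one IdP, so a
# FormsAuthentication ticket it issues fails to decrypt on any other IdP.

function New-MachineKeyElement {
    # Explicit keys: 64 random bytes for HMACSHA256 validation, 32 for AES decryption.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $validation = New-Object byte[] 64
    $decryption = New-Object byte[] 32
    $rng.GetBytes($validation)
    $rng.GetBytes($decryption)
    $v = -join ($validation | ForEach-Object { $_.ToString('X2') })
    $d = -join ($decryption | ForEach-Object { $_.ToString('X2') })
    # The identical element must be present in every IdP's realm web.config.
    "<machineKey validationKey=`"$v`" decryptionKey=`"$d`" validation=`"HMACSHA256`" decryption=`"AES`" />"
}

function Test-MachineKeyConsistent {
    # Reads <configuration><system.web><machineKey> from each web.config and
    # reports whether all IdPs share one explicit key set.
    param([Parameter(Mandatory)][string[]]$WebConfigPath)
    $seen = @{}
    foreach ($p in $WebConfigPath) {
        $xml = [xml](Get-Content -Path $p -Raw)
        $mk  = $xml.configuration.'system.web'.machineKey
        if (-not $mk -or "$($mk.validationKey),$($mk.decryptionKey)" -match 'AutoGenerate|IsolateApps') {
            # No element, or a modifier present: the key is per machine/app (the failing state).
            $seen[$p] = 'ISOLATED'
        } else {
            $seen[$p] = "$($mk.validationKey)|$($mk.decryptionKey)|$($mk.validation)|$($mk.decryption)"
        }
    }
    $distinct = @($seen.Values | Sort-Object -Unique)
    [pscustomobject]@{
        Consistent = ($distinct.Count -eq 1 -and $distinct[0] -ne 'ISOLATED')
        PerFile    = $seen
    }
}

# Assumed placeholder paths: one realm web.config per IdP node.
$result = Test-MachineKeyConsistent -WebConfigPath 'C:\path\to\idp1\realm\web.config', 'C:\path\to\idp2\realm\web.config'
if (-not $result.Consistent) { New-MachineKeyElement }
```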

    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
