Error serializing the security token. Keyset does not exist

Hi,

I am receiving the error "There was an error serializing the security token." when trying to save the answers to my Password Reset Self Service registration questions in the RTM version.

Anyone seen this before?

Matthew



Log Name:      Forefront Identity Manager
Source:        Microsoft.ResourceManagement
Date:          11/03/2010 10:10:15 AM
Event ID:      3
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      FIMPort1.ebus.root.internal
Description:
System.ServiceModel: System.Xml.XmlException: There was an error serializing the security token. Please see the inner exception for more details. ---> System.InvalidOperationException: The SamlAssertion could not be serialized to XML. Please see inner exception for details. ---> System.Security.Cryptography.CryptographicException: Keyset does not exist

   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
   at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()
   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm)
   at System.IdentityModel.SignedXml.ComputeSignature(SecurityKey signingKey)
   at System.IdentityModel.Tokens.SamlAssertion.System.IdentityModel.ICanonicalWriterEndRootElementCallback.OnEndOfRootElement(XmlDictionaryWriter dictionaryWriter)
   at System.IdentityModel.SamlDelegatingWriter.OnEndOfRootElement()
   at System.IdentityModel.Tokens.SamlAssertion.WriteXml(XmlDictionaryWriter writer, SamlSerializer samlSerializer, SecurityTokenSerializer keyInfoSerializer)
   --- End of inner exception stack trace ---
   at System.IdentityModel.Tokens.SamlAssertion.WriteXml(XmlDictionaryWriter writer, SamlSerializer samlSerializer, SecurityTokenSerializer keyInfoSerializer)
   at System.IdentityModel.Tokens.SamlAssertion.WriteTo(XmlWriter writer, SamlSerializer samlSerializer, SecurityTokenSerializer keyInfoSerializer)
   at System.ServiceModel.Security.WSSecurityJan2004.SamlTokenEntry.WriteTokenCore(XmlDictionaryWriter writer, SecurityToken token)
   at System.ServiceModel.Security.WSSecurityTokenSerializer.WriteTokenCore(XmlWriter writer, SecurityToken inToken)
   --- End of inner exception stack trace ---
   at System.ServiceModel.Security.WSSecurityTokenSerializer.WriteTokenCore(XmlWriter writer, SecurityToken inToken)
   at Microsoft.ResourceManagement.WebServices.WSTrust.RequestSecurityTokenResponseType.SetRequestedSecurityToken(SamlSecurityToken samlSecurityToken)
   at Microsoft.ResourceManagement.WebServices.SecurityTokenService.TokenIssuer.IssueSecurityToken(Message requestMessage, Object request, Claim[] claims)
   at Microsoft.ResourceManagement.WebServices.SecurityTokenService.Challenger.IssueAuthenticationChallenge(Message requestMessage, Object requestBody, Nullable`1 requestContext, UniqueIdentifier authenticationProcessIdentifier, List`1 accumulatedClaims, Nullable`1& currentWorkflowInstanceIdentifier, AuthenticationChallengeType[]& currentChallenges)
   at Microsoft.ResourceManagement.WebServices.SecurityTokenService.ProcessRequest(Message requestMessage, Object requestBody)
   at Microsoft.ResourceManagement.WebServices.SecurityTokenService.RequestSecurityTokenResponse(Message requestMessage)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft.ResourceManagement" />
    <EventID Qualifiers="0">3</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-03-11T00:10:15.000000000Z" />
    <EventRecordID>785</EventRecordID>
    <Channel>Forefront Identity Manager</Channel>
    <Computer>FIMPort1.ebus.root.internal</Computer>
    <Security />
  </System>
  <EventData>
    <Data>System.ServiceModel: System.Xml.XmlException: There was an error serializing the security token. Please see the inner exception for more details. ---&gt; System.InvalidOperationException: The SamlAssertion could not be serialized to XML. Please see inner exception for details. ---&gt; System.Security.Cryptography.CryptographicException: Keyset does not exist

   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle&amp; safeProvHandle, SafeKeyHandle&amp; safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
   at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()
   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm)
   at System.IdentityModel.SignedXml.ComputeSignature(SecurityKey signingKey)
   at System.IdentityModel.Tokens.SamlAssertion.System.IdentityModel.ICanonicalWriterEndRootElementCallback.OnEndOfRootElement(XmlDictionaryWriter dictionaryWriter)
   at System.IdentityModel.SamlDelegatingWriter.OnEndOfRootElement()
   at System.IdentityModel.Tokens.SamlAssertion.WriteXml(XmlDictionaryWriter writer, SamlSerializer samlSerializer, SecurityTokenSerializer keyInfoSerializer)
   --- End of inner exception stack trace ---
   at System.IdentityModel.Tokens.SamlAssertion.WriteXml(XmlDictionaryWriter writer, SamlSerializer samlSerializer, SecurityTokenSerializer keyInfoSerializer)
   at System.IdentityModel.Tokens.SamlAssertion.WriteTo(XmlWriter writer, SamlSerializer samlSerializer, SecurityTokenSerializer keyInfoSerializer)
   at System.ServiceModel.Security.WSSecurityJan2004.SamlTokenEntry.WriteTokenCore(XmlDictionaryWriter writer, SecurityToken token)
   at System.ServiceModel.Security.WSSecurityTokenSerializer.WriteTokenCore(XmlWriter writer, SecurityToken inToken)
   --- End of inner exception stack trace ---
   at System.ServiceModel.Security.WSSecurityTokenSerializer.WriteTokenCore(XmlWriter writer, SecurityToken inToken)
   at Microsoft.ResourceManagement.WebServices.WSTrust.RequestSecurityTokenResponseType.SetRequestedSecurityToken(SamlSecurityToken samlSecurityToken)
   at Microsoft.ResourceManagement.WebServices.SecurityTokenService.TokenIssuer.IssueSecurityToken(Message requestMessage, Object request, Claim[] claims)
   at Microsoft.ResourceManagement.WebServices.SecurityTokenService.Challenger.IssueAuthenticationChallenge(Message requestMessage, Object requestBody, Nullable`1 requestContext, UniqueIdentifier authenticationProcessIdentifier, List`1 accumulatedClaims, Nullable`1&amp; currentWorkflowInstanceIdentifier, AuthenticationChallengeType[]&amp; currentChallenges)
   at Microsoft.ResourceManagement.WebServices.SecurityTokenService.ProcessRequest(Message requestMessage, Object requestBody)
   at Microsoft.ResourceManagement.WebServices.SecurityTokenService.RequestSecurityTokenResponse(Message requestMessage)</Data>
  </EventData>
</Event>

March 11th, 2010 12:29am

As admin: mmc.exe -> Add cert snap-in -> Computer account.

Make sure the cert you choose is in the Personal store with the private key associated with it (you can tell that if there is a little key on the top left of the icon).
The same cert needs to be in the Trusted People...

Also, the FIMService service account needs to be able to read the private key.
March 12th, 2010 6:13am

I am seeing this error also, and I have ensured the cert is in the Personal store, with the private key associated, and the service account has permission to read the key.

The strange thing is, I'm seeing this on only one of my two load balanced servers.

My environment:

2 Load balanced servers, both with FIM Service & Portal and Synchronization service installed.  The sync service is running on server 2, and disabled on server 1. Service & Portal is running on both servers.

If I remove server 1 from the load balanced cluster, SSPR works as expected. When I add server 1 back to the cluster, I get the above error. I have checked the WMI and DCOM settings, and they are identical on both servers, and are configured as per the guidelines in "Intro to password reset".

Any ideas?

April 9th, 2010 7:48pm

>>I am seeing this error also, and I have ensured the cert is in the Personal store, with the private key associated, and the service account has permission to read the key.

Have you checked that on both nodes of the NLB?
April 9th, 2010 7:51pm

Yeah I've checked that on both nodes of the NLB; they are identical.
April 12th, 2010 11:36am

Are you using a custom cert or a self-signed cert generated by the setup?

Can you make sure the same cert is in the Personal Store as well as the Trusted Root of the computer account (not the current logon user)?
April 12th, 2010 2:58pm

I am using a custom cert (generated by selfssl), because the self-signed cert generated by the setup is specific to the server (node) which the install is run against. The custom cert uses the load balanced server address.

The cert is in the Personal Store as well as the Trusted Root of the computer account.

However, I did notice that the default cert generated by the setup differs from my custom cert in that its displayed Intended Purposes is <All>, as opposed to my self-generated cert, which shows Intended Purposes as "Server Authentication". Could this be the problem? If so, how does one change the intended purposes?

April 12th, 2010 4:04pm

Can you check that the cert under both the Personal Store and the Trusted Root Store has a private key attached (the icon with the "key" on the top left indicates it has a private key associated with the cert)?

For purpose, it's set when you generate the cert.
April 12th, 2010 6:08pm

There is a private key attached to the cert in both locations.
April 12th, 2010 7:51pm

Try to get a cert with ALL purposes?
April 13th, 2010 12:12am

Fixed it using instructions from another one of your threads: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/f90bb6f0-6318-4085-9575-6175187c6ed7

Paraphrasing from that thread:

  1. Download psexec from here: http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
  2. Open a command prompt as administrator
  3. psexec.exe -s -d -i cmd.exe
  4. In the new command prompt window that opens, type: mmc.exe
  5. Add the Certificate snap-in -> Local machine -> Computer Account
  6. Personal store -> Right click the Certificate -> All Tasks -> Manage Private Key
  7. Add the FIMService account and give it read permission.


Thanks Anthony!

April 15th, 2010 7:15pm
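The checks from the first reply and the "Manage Private Keys" fix above, as an added PowerShell example that is not part of this thread. It assumes a CSP-backed RSA key (which the RSACryptoServiceProvider frames in the stack trace indicate), and the thumbprint and service account name are placeholders to replace; run it in an elevated prompt (or the SYSTEM prompt from step 3) on each NLB node.

```powershell
# Added example, not from the thread: verify the FIM Service certificate on this node
# and grant the FIM service account Read on its private key container.
# Placeholders (not values from the thread): $Thumbprint and $ServiceAccount.
param(
    [string]$Thumbprint     = 'REPLACE_WITH_CERT_THUMBPRINT',
    [string]$ServiceAccount = 'DOMAIN\FIMService'
)

# 1. The cert must be in the computer's Personal store and carry a private key
#    (the "little key" icon in the MMC snap-in corresponds to HasPrivateKey).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key associated on this node" }

# 2. The same cert should also be present in Trusted People, as the first reply requires.
$trusted = Get-ChildItem -Path Cert:\LocalMachine\TrustedPeople |
           Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $trusted) { Write-Warning "Certificate is not in LocalMachine\TrustedPeople" }

# 3. Locate the CSP key container file that "Manage Private Keys" edits in the MMC.
#    "Keyset does not exist" is what RSACryptoServiceProvider raises when the calling
#    account cannot open this container; that is why only the FIM service account's
#    ACL entry matters, not the administrator's.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
if (-not (Test-Path $keyPath)) { throw "Key container file $keyPath not found" }

# 4. Grant the service account Read on that file (equivalent to steps 6 and 7 of the fix).
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $ServiceAccount, 'Read', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 5. Print the resulting ACL so the two NLB nodes can be compared side by side.
(Get-Acl -Path $keyPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Running the script on both nodes and diffing the printed ACLs is the quickest way to spot the one-node-only symptom described above.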

Right... I should have been clearer on what I meant by "the service account has permission to read the key".

Glad that you've found the fix.
April 15th, 2010 7:19pm

I also used this to fix the same issue.  Thanks!

June 29th, 2010 7:13pm

Thanks.

This link has helped in resolving the issue. We had to give permissions on "Manage Private Keys" to service accounts used for FIM service, FIM Password register and FIM password reset accounts on certificates installed on FIM Service servers and FIM SSPR server.

May 8th, 2015 3:10am
