We're using AAD B2C with custom policies for some time now, and everything worked as it should, but all of a sudden we started getting exceptions on sign-in policy. To make things worse, sometimes it does work but 4 out of 5 times we get an exception.
We managed to dig out the error by linking the policies to Application Insights, and here's what we got:
"Kind": "FatalException",
"Content": {
"Time": "9:05 PM",
"Exception": {
"Kind": "Handled",
"HResult": "80131509",
"Message": "IDX10614: AsymmetricSecurityKey.GetSignatureFormater( 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' ) threw an exception.\nKey: 'System.IdentityModel.Tokens.X509AsymmetricSecurityKey'\nSignatureAlgorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256', check to make sure the SignatureAlgorithm is supported.\nException:'System.Security.Cryptography.CryptographicException: Invalid provider type specified.\r\n\r\n at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)\r\n at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)\r\n at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()\r\n at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)\r\n at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()\r\n at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()\r\n at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm)\r\n at System.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(AsymmetricSecurityKey key, String algorithm, Boolean willCreateSignatures)'.\nIf you only need to verify signatures the parameter 'willBeUseForSigning' should be false if the private key is not be available.",
"Data": {},
"Exception": {
"Kind": "Handled",
"HResult": "80090014",
"Message": "Invalid provider type specified.\r\n",
"Data": {}
}
}
}
I'm not sure what has changed or how suddenly this started happening. It doesn't matter if we use incognito mode or not.
Also, no outages reported on Microsoft's end.
Any clues will be highly appreciated!
Solved with information found here: StackOverflow question
Since we were also using Invite Flow, I used the New-SelfSignedCertificate command noted there.
Now I have regenerated the certificate using the information from this Microsoft doc and appending the Provider parameter from the StackOverflow thread above:
# Regenerate the B2C signing certificate; -Provider puts the private key in a legacy CSP
New-SelfSignedCertificate `
    -KeyExportPolicy Exportable `
    -Subject "CN=***.onmicrosoft.com" `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -KeyUsage DigitalSignature `
    -NotAfter (Get-Date).AddMonths(24) `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Provider "microsoft enhanced rsa and aes cryptographic provider"
Although I'm not sure why this suddenly stopped working out of nowhere, I guess it could be that Microsoft updated something on their end.
Anyways, it seems it works now, so we'll see.
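As an added diagnostic that is not part of the original post: the stack trace above fails inside X509Certificate2.get_PrivateKey, the legacy accessor that only understands CSP-backed keys, so this Windows PowerShell 5.1 snippet reports which kind of provider holds a certificate's private key before you upload it to B2C. The thumbprint is a placeholder.

```powershell
# Added example (not from the original answer). Checks whether a certificate's
# private key is reachable through the legacy CSP accessor that
# System.IdentityModel uses, or only through a CNG key storage provider.
# Assumes Windows PowerShell 5.1 (.NET Framework); REPLACE_WITH_THUMBPRINT is a placeholder.
param(
    [string]$Thumbprint = 'REPLACE_WITH_THUMBPRINT'
)

$cert = Get-ChildItem "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction Stop

if (-not $cert.HasPrivateKey) {
    Write-Warning 'Certificate has no private key in this store; B2C cannot sign with it.'
    return
}

try {
    # Same code path as the stack trace: throws "Invalid provider type specified"
    # when the key lives in a CNG provider instead of a legacy CSP.
    $legacy = $cert.PrivateKey
    $info = $legacy.CspKeyContainerInfo
    # ProviderType 24 is PROV_RSA_AES, i.e. the provider the answer above passes to -Provider
    "Legacy accessor OK: CSP '{0}' (type {1}), container '{2}'" -f `
        $info.ProviderName, $info.ProviderType, $info.KeyContainerName
}
catch [System.Security.Cryptography.CryptographicException] {
    Write-Warning ("Legacy accessor failed: " + $_.Exception.Message)
    # The newer API can open CNG keys; use it only to report where the key is stored
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        "Key is CNG-backed (KSP '{0}'); re-issue with -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider'" -f `
            $rsa.Key.Provider.Provider
    }
    else {
        "Private key type: {0}" -f $rsa.GetType().FullName
    }
}
```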
Related
I'm still new in Azure.
Today I tried to create an Azure Function instance, but every time I try to create one I get a Bad Request error:
{
"status": "Failed",
"error": {
"code": "BadRequest",
"message": "Cannot update the site '{project-name}' because it uses x64 worker process which is not allowed in the target compute mode.",
"details": [
{
"message": "Cannot update the site '{project-name}' because it uses x64 worker process which is not allowed in the target compute mode."
},
{
"code": "BadRequest"
},
{}
]
}
}
I have no idea what it means. So, can you give me an idea of what's wrong and what I am supposed to do to fix it?
The Free/Shared tiers only support 32-bit application architecture. You'll need Basic or higher to use 64-bit.
I am creating a pipeline that only runs a simple "wait", just for testing, because I am trying to understand why my other pipelines are returning errors (the same error).
When I try to debug, it sends the following error:
{
"code": "BadRequest",
"message": "Operation could not be completed as factory is deleted",
"target": "pipeline/Teste_ParaApagar/runid/f0e412a9-21a2-4d0f-ab28-c0287a484326",
"details": null,
"error": null
}
I searched everywhere, but I can't find an answer. Can you please help?
I think this is not a common error.
According to the policy, I think you should check your account to see if your ADF was disabled.
I am stumped on this error and need some insight/assistance in solving it.
I had a wildcard SSL cert issued by GoDaddy that expired, and I removed it and installed the renewed cert on all SharePoint servers:
* in IIS
* in Cert:\LocalMachine\Sharepoint
* in SharePoint SPTrustedRootAuthority
* in STS
... but I still get the following error:
Server Error in '/' Application.
NotTimeValid: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.IdentityModel.Tokens.SecurityTokenValidationException: NotTimeValid: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[SecurityTokenValidationException: NotTimeValid: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
]
Microsoft.SharePoint.SPImmutableCertificateValidator.Validate(X509Certificate2 certificate) +556
Microsoft.SharePoint.SPCertificateValidator.Validate(X509Certificate2 certificate) +362
Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token) +451
[SecurityTokenValidationException: ID4257: X.509 certificate 'CN=*.abcd.com, OU=Domain Control Validated' validation failed by the token handler.]
Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token) +1557
Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token) +127
Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.GetPrincipalFromToken(SecurityToken securityToken) +247
Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.AuthenticateUser(SecurityToken securityToken) +11
Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.SetPrincipalAndWriteSessionTokenWithOptions(SecurityToken securityToken, SPSessionTokenWriteType writeOperationType) +293
Microsoft.SharePoint.IdentityModel.<>c__DisplayClass5.b__1() +240
Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode) +194
Microsoft.SharePoint.IdentityModel.SPWindowsClaimsAuthenticationHttpModule.PerformClaimsAuthenticationForUser(HttpContext context, SPFederationAuthenticationModule fam, SessionAuthenticationModule sam, WindowsIdentity windowsIdentity, SessionSecurityToken sessionSecurityToken, Boolean writeCookie) +362
Microsoft.SharePoint.IdentityModel.SPWindowsClaimsAuthenticationHttpModule.AuthenticateRequest(Object sender, EventArgs e) +822
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +229
System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +213
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +91
Does anyone know how to resolve this?
It appears the SSL cert was also used for the Security Signing Service (STS), so I used the PowerShell below and it worked:
# Show the current STS configuration (including the signing certificate in use)
Get-SPSecurityTokenServiceConfig
$path = 'C:\Certs\wildcard_abcd_com.pfx'
# Import-PfxCertificate and the X509Certificate2 constructor both expect a SecureString
$pass = ConvertTo-SecureString 'P#$$W0rd' -AsPlainText -Force
Import-PfxCertificate -FilePath $path -CertStoreLocation Cert:\LocalMachine\Root -Password $pass
# 20 = X509KeyStorageFlags Exportable (4) + PersistKeySet (16), so the private key is kept after import
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path, $pass, 20)
# Make the renewed cert the STS signing certificate
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $cert
iisreset /restart
Restart-Service SPTimerV4
I hope this saves someone a few hours.
Cheers,
~G
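As an added check that is not part of the original answer: the NotTimeValid error above comes from chain validation of whichever certificate SharePoint uses for the token, so this script, run from the SharePoint Management Shell, lists the validity window of the STS signing certificate, every SPTrustedRootAuthority and every trusted identity token issuer, flagging expired or soon-expiring ones. It assumes the SharePoint snap-in cmdlets are available.

```powershell
# Added example (not from the original post). Reports the validity state of the
# certificates SharePoint consults during claims authentication.
# Assumes the Microsoft.SharePoint.PowerShell snap-in is installed on this server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-CertWindow {
    param(
        [string]$Where,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    if ($null -eq $Cert) { return }
    $now = Get-Date
    $state = if ($now -lt $Cert.NotBefore) { 'NOT YET VALID' }
             elseif ($now -gt $Cert.NotAfter) { 'EXPIRED' }
             elseif ($Cert.NotAfter -lt $now.AddDays(30)) { 'EXPIRES SOON' }
             else { 'OK' }
    [pscustomobject]@{
        Where      = $Where
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        State      = $state
    }
}

$results = @()
# STS signing certificate (the one the answer above replaces with -ImportSigningCertificate)
$sts = Get-SPSecurityTokenServiceConfig
$results += Test-CertWindow 'STS signing cert' $sts.LocalLoginProvider.SigningCertificate
# Trusted root authorities: an expired cert here breaks chain validation of issued tokens
foreach ($ra in Get-SPTrustedRootAuthority) {
    $results += Test-CertWindow "SPTrustedRootAuthority '$($ra.Name)'" $ra.Certificate
}
# Signing certificates of trusted identity providers (SAML / claims providers)
foreach ($tip in Get-SPTrustedIdentityTokenIssuer) {
    $results += Test-CertWindow "TrustedIdentityTokenIssuer '$($tip.Name)'" $tip.SigningCertificate
}
$results | Sort-Object State, NotAfter | Format-Table -AutoSize
```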
I'm trying to create a Service catalog managed application definition and get the following error:
{
"error": {
"code": "InternalServerError",
"message": "Encountered an internal server error. The tracking id is '5d5bf382-f101-48d7-bd89-72c72536a4a9'."
}
}
Is there any way to find out what causes this? I did come across this before, and I believe it might be something to do with the template. I've tested the following using Visual Studio and the deployment works correctly. Just uploading the app.zip with the templates causes this error.
You can either look at the Azure Portal and go to Event Monitor and find error records and discern from the text there what went wrong or use Get-AzureRmLog -CorrelationId GUID_goes_here and look from there.
My client wants the SharePoint web application to be authenticated using the SiteMinder claims-based STS Web Service agent. When the web app starts and the authentication provider is selected, the web app redirects to a login page, and with the correct credentials it should redirect back to the site.
What is happening is that with the correct credentials the SharePoint web application returns the following error:
Any clue what might be the reason? I am happy to assist if additional information is required.
NotSignatureValid: The signature of the certificate cannot be verified.
1048576: Unknown error.
Exception Details:
System.IdentityModel.Tokens.SecurityTokenValidationException: NotSignatureValid: The signature of the certificate cannot be verified.
1048576: Unknown error.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[SecurityTokenValidationException: NotSignatureValid: The signature of the certificate cannot be verified.
1048576: Unknown error.]
Microsoft.SharePoint.SPImmutableCertificateValidator.Validate(X509Certificate2 certificate) +181
Microsoft.SharePoint.SPCertificateValidator.Validate(X509Certificate2 certificate) +260
Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token) +520
[SecurityTokenValidationException: ID4257: X.509 certificate 'E=user#domain.com, CN=certName, OU=WHQ, O=CSC, L=Chantilly, S=Virigina, C=US' validation failed by the token handler.]
Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token) +1358733
Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri) +118
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request) +461
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +1099702
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171
Solution Time!
Special thanks to #gtrig for tipping me off about the real issue behind the error.
Why the Error
The error is caused by a Microsoft security patch (KB2661254) adding a restriction to certificate validation. This patch requires the certificate's RSA key to be greater than or equal to 1024 bits. The given siteminder.cer contains a 512-bit RSA key. The following link explains the issue in detail.
http://blogs.technet.com/b/rmilne/archive/2012/09/03/important-upcoming-certificate-changes.aspx
The solution in detail is here. http://support.microsoft.com/kb/2661254
But for me, only adding the following registry key did the trick.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
minRSAPubKeyBitLength : Decimal 512
To apply this registry modification, open a command prompt (make sure the user has admin privileges; otherwise start the command prompt in Administrator mode) and execute
certutil -setreg chain\minRSAPubKeyBitLength 512
However, I would recommend reading through the entire solution from the above link in depth to find the solution that fits your case.
Important: This is not a recommended approach in a client environment, as it may compromise the security of the server environment.
The recommended solution is to have a new certificate created with at least the minimum key size of 1024 bits (although 2048 is recommended).
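As an added check that is not part of the original answer: before choosing between re-issuing the identity provider's certificate and lowering minRSAPubKeyBitLength, this PowerShell snippet reads the RSA key size of a .cer file and compares it with the floor that will actually be enforced on this machine (the registry override if one is set, otherwise the 1024-bit default from KB2661254). The .cer path is a placeholder.

```powershell
# Added example (not from the original answer). Compares a certificate's RSA key
# size with the minimum that CertDllCreateCertificateChainEngine will enforce.
# Assumes the path below is a placeholder for your own .cer file.
param([string]$CerPath = 'C:\Certs\siteminder.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
$rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if ($null -eq $rsa) { throw "'$($cert.Subject)' does not carry an RSA public key" }
$keyBits = $rsa.KeySize

# Effective floor: the registry override from the answer above if present, else the patch default
$regPath  = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config'
$override = (Get-ItemProperty -Path $regPath -Name minRSAPubKeyBitLength -ErrorAction SilentlyContinue).minRSAPubKeyBitLength
$floor    = if ($null -ne $override) { [int]$override } else { 1024 }

[pscustomobject]@{
    Subject          = $cert.Subject
    NotAfter         = $cert.NotAfter
    RsaKeyBits       = $keyBits
    EffectiveMinimum = $floor
    MinimumSource    = if ($null -ne $override) { 'registry override' } else { 'KB2661254 default' }
    ChainWouldFail   = ($keyBits -lt $floor)
}

if ($keyBits -lt 2048) {
    Write-Warning "Key is $keyBits bits; request a replacement certificate with at least 2048 bits instead of relying on the override"
}
```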