“Keyset not found” error

Damir Dobric Posts


When CardSpace is used in a web application scenario, the ASP.NET application has to decrypt the stream sent by the browser.
In other words, once the user has selected a card, the card information is encrypted with the server's public key (note that SSL is always required in this scenario) and sent to the server, i.e. your ASP.NET application.
To extract (decrypt) the card content there is a class called TokenProcessor, which decrypts the stream using the server's private key.
However, it can happen that the decryption in the decryptToken method fails with the following error: "Keyset not found".
Depending on the security account under which your web application's application pool runs, it is to be expected that this account has no permission to read the private key data.
Because the application pool account is usually NETWORK SERVICE, it is certain that this account has no permission to read the private key data.

If you are running Windows Vista, the problem can be solved with the Certificates MMC snap-in: select the certificate that contains the server's private key, right-click it, choose All Tasks | Manage Private Keys, and add the target account (e.g. NETWORK SERVICE) in the dialog.

To set the same ACLs on Windows XP, use the Windows SDK tools findprivatekey.exe and cacls.exe.
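The same fix can be scripted and verified instead of clicked through in the snap-in. The following PowerShell script is an added example and is not code from the original post: it locates the file that backs the certificate's private key, shows whether the application pool account already has an ACL entry on it (the missing entry is what produces "Keyset not found"), grants Read access to that account, and reads the ACL back. It assumes Windows Vista or later, an elevated PowerShell session, a legacy CSP (RSA) key stored under MachineKeys, and a placeholder thumbprint that you replace with your own; the account name defaults to NETWORK SERVICE as in the post.

```powershell
# Added example (not from the original post): grant the application pool identity
# read access to the private key file behind a LocalMachine\My certificate.
# Assumptions: elevated session, Windows Vista or later, CSP (RSA) key container.
# The thumbprint is a placeholder, not a real value.
param(
    [string]$Thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT',
    [string]$Account    = 'NT AUTHORITY\NETWORK SERVICE'
)

function Get-PrivateKeyFilePath {
    param([string]$Thumbprint)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert)                { throw "Certificate $Thumbprint not found in LocalMachine\My" }
    if (-not $cert.HasPrivateKey)  { throw "Certificate $Thumbprint has no private key" }

    # Legacy CSP keys are files in MachineKeys named after the unique container name.
    # CNG keys are stored under ...\Microsoft\Crypto\Keys instead and are not handled here.
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    if (-not $container) { throw "Could not determine the CSP key container (CNG key?)" }

    $keyDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
    $path   = Join-Path $keyDir $container
    if (-not (Test-Path $path)) { throw "Key file $path does not exist" }
    return $path
}

function Get-KeyFileAccessRule {
    param([string]$Path, [string]$Account)
    # Returns the ACE(s) for the account, or nothing if it has no entry at all.
    (Get-Acl -Path $Path).Access | Where-Object { $_.IdentityReference.Value -eq $Account }
}

function Grant-KeyFileRead {
    param([string]$Path, [string]$Account)
    # Equivalent of "Manage Private Keys" -> add account with Read permission.
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

$keyPath = Get-PrivateKeyFilePath -Thumbprint $Thumbprint
Write-Host "Private key file: $keyPath"

$before = Get-KeyFileAccessRule -Path $keyPath -Account $Account
if ($before) {
    Write-Host "Before: $Account already has $($before.FileSystemRights) ($($before.AccessControlType))"
} else {
    Write-Host "Before: $Account has no entry on the key file (this is the 'Keyset not found' state)"
}

Grant-KeyFileRead -Path $keyPath -Account $Account

$after = Get-KeyFileAccessRule -Path $keyPath -Account $Account
Write-Host "After:  $Account now has $($after.FileSystemRights) ($($after.AccessControlType))"

# Windows XP equivalent with the tools the post names (run from an elevated prompt):
#   FindPrivateKey My LocalMachine -t "<thumbprint>" -a
#   cacls "<path printed by FindPrivateKey>" /E /G "NETWORK SERVICE":R
```

Only Read is granted; the account needs nothing more to decrypt tokens, and anything broader would widen the exposure of the key beyond what the fix requires. Re-run the script after a certificate is re-imported, since importing a key creates a new container file with fresh default ACLs.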

That's all.


Posted Jun 19 2007, 09:52 AM by Damir Dobric

Comments

dominick wrote re: “Keyset not found” error
on 06-19-2007 11:15

That's all?! Excellent.

But be aware that your main app has now read access to the "crown jewels"...

I discussed this here:

www.leastprivilege.com/CardSpaceAndDecryptingTokens.aspx

And have a solution for production environments here:

www.leastprivilege.com/TokenDecryptionServiceForCardSpace.aspx

Pingback from Mostly Mr SQL » Blog Archive » GRRRR! Cardspace. What useless steaming pile...
on 06-28-2007 3:00

Pingback from Kim Cameron’s Identity Weblog » Including the whole spectrum of use cases
on 06-30-2007 23:03

SomeOCSGuy wrote re: “Keyset not found” error
on 04-30-2010 16:16

You are my personal hero. I was getting a "keyset does not exist" error while trying to start services for an OCS Access Edge server. I knew the problem was related to permissions on certificates as it worked when I added the service account to the local Administrators, but I shouldn't need to do that as another server worked without that level of access. After browsing several posts related to OCS to no avail, I ran across your post which obviously has nothing to do with OCS, but the same resolution corrected my problem, as when I exported the cert from the first server and imported to the second, the permissions on it became all jacked up. I just couldn't figure out where to manage the permissions on certs. It was a real "duh" moment for me. Did I mention how much I hate certificates?? Haha. Thanks dude!

developers.de is a .Net Community Blog powered by daenet GmbH.