By using of CardSpace in the Web application scenario, the ASP.NET application is required to decrypt the stream sent by browser.
In other words, when the user is required to select the card, the card information is encrypted (with server's public key / note that in this scenario SSL is always required) and sent to the server (your ASP.NET application).
For extracting (decryption) of the card content, there is a class called TokenProcessor. This class by the way decrypts the stream by using of the server's private key.
However, sometimes it can happen that the decryption process in the method decryptToken fails with following error: "Keyset not found".
Depending on the security account, which hosts the application pool of your web application, it is to expect that this account has no permission to read the private key data.
Because the application pool account is usually NETWORK_SERVICE it is sure that this account has no permission to read the private key data.
If you are running Windows Vista, this problem can be solved by using of certificates MMC snap-in. Select the certificate which contains server's private key|right mouse click|All Tasks and choose Manage Private Keys menu item. Add the target account (i.e.: NETWORK_SERVICE) in the dialog.
In order to set same ACL's within Windows XP use Windows SDK tools findprivatekey.exe and cacls.exe.
Jun 19 2007, 09:52 AM