I have a web application which uses an X.509 certificate to encrypt and decrypt data. I have hosted this application on two identical Windows Server 2008 R2 machines. The application works fine on one server (let's call it Server1), but on the other server (let's call it Server2) I am getting the following error:
Message: Keyset does not exist
Error Type: System.Security.Cryptography.CryptographicException
Source: mscorlib
Stack trace:
Server stack trace:
   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()
   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm)
   at System.IdentityModel.SignedXml.ComputeSignature(SecurityKey signingKey)
   at System.ServiceModel.Security.WSSecurityOneDotZeroSendSecurityHeader.CompletePrimarySignatureCore(SendSecurityHeaderElement[] signatureConfirmations, SecurityToken[] signedEndorsingTokens, SecurityToken[] signedTokens, SendSecurityHeaderElement[] basicTokens, Boolean isPrimarySignature)
   at System.ServiceModel.Security.SendSecurityHeader.CompleteSignature()
   at System.ServiceModel.Security.SendSecurityHeader.CompleteSecurityApplication()
   at System.ServiceModel.Security.SecurityAppliedMessage.OnWriteMessage(XmlDictionaryWriter writer)
   at System.ServiceModel.Channels.BufferedMessageWriter.WriteMessage(Message message, BufferManager bufferManager, Int32 initialOffset, Int32 maxSizeQuota)
   at System.ServiceModel.Channels.TextMessageEncoderFactory.TextMessageEncoder.WriteMessage(Message message, Int32 maxMessageSize, BufferManager bufferManager, Int32 messageOffset)
   at System.ServiceModel.Channels.HttpOutput.SerializeBufferedMessage(Message message, Boolean shouldRecycleBuffer)
   at System.ServiceModel.Channels.HttpOutput.Send(TimeSpan timeout)
   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.SendRequest(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
I have verified all the settings available on Server1 and Server2, like the certificate, machine key and other rights; both are the same.
IIS 7.5 on Windows Server 2008 R2
For both servers, a new application pool was created, and the application pool identity has been changed from "ApplicationPoolIdentity" to a specific user. The specific user has administrative rights on the server.
When I checked the W3wp.exe process in Task Manager, it is running under the default application pool (but this is the case for both servers).
Certificate Store - The certificate I wish to use for the encrypt/decrypt functions is stored in "StoreName.My, StoreLocation.LocalMachine", or, viewed through the front-end, Local Computer / Personal. The certificate is a valid cert issued by VeriSign. It is not restricted to a certificate use in the properties. LocalSystem/SYSTEM has full control access to the private key; I was able to confirm this by right-clicking on the certificate in the MSC and going to All Tasks --> Manage Private Keys.
Everyone (including IUSR and the specific user) has full control access over the MachineKeys folder under the RSA folder, C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys, so it should be able to create keysets.
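The checks described in the question (store location, private key presence, key file ACL, and which identity each worker process actually runs as) can be scripted so that Server1 and Server2 produce directly comparable output. The following PowerShell is an added example and is not code from the original question or the application it describes. It assumes the certificate's thumbprint and the app pool account are passed in as parameters (both placeholders), and that it is run in an elevated PowerShell on each server. Note that what the CSP enforces is the ACL on the individual key file inside MachineKeys, not the ACL on the folder, so the script reads the file's own ACL; it also reads `.PrivateKey`, which performs the same CSP container open as the application, so when run under the app pool account it reproduces the exact exception from the stack trace if that account cannot open the key.

```powershell
# Added example (not from the original post): audit the private key behind a
# LocalMachine\My certificate and the identity of each running w3wp.exe.
# $Thumbprint and $AppPoolUser are assumed placeholders supplied by the caller.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint,                          # thumbprint of the VeriSign cert (assumed input)
    [string]$AppPoolUser = 'DOMAIN\svc_apppool',  # the "specific user" the pool runs as (assumed)
    [switch]$GrantRead                            # add a Read ACE for $AppPoolUser if it is missing
)

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

Write-Host "Subject        : $($cert.Subject)"
Write-Host "HasPrivateKey  : $($cert.HasPrivateKey)"
if (-not $cert.HasPrivateKey) {
    Write-Warning "The store entry has no private key linked to it; that by itself yields 'Keyset does not exist'."
    return
}

# Reading .PrivateKey opens the CSP key container exactly as the application does.
try {
    $info = $cert.PrivateKey.CspKeyContainerInfo
} catch [System.Security.Cryptography.CryptographicException] {
    Write-Warning "Opening the key as $env:USERDOMAIN\$env:USERNAME failed: $($_.Exception.Message)"
    return
}
if (-not $info) {
    Write-Warning "Not a CAPI (CSP) key; a CNG key is stored under Crypto\Keys, not RSA\MachineKeys."
    return
}
Write-Host "Provider       : $($info.ProviderName)"
Write-Host "Container      : $($info.KeyContainerName)"
Write-Host "MachineKeyStore: $($info.MachineKeyStore)"
if (-not $info.MachineKeyStore) {
    # A user-profile key is only visible to the account that imported it.
    Write-Warning "Key lives in a user profile, not in MachineKeys; other identities cannot open it."
    return
}

# The file name under MachineKeys is the unique container name.
$keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($info.UniqueKeyContainerName)"
if (-not (Test-Path $keyFile)) { Write-Warning "Key file not found: $keyFile"; return }
Write-Host "Key file       : $keyFile"

$acl = Get-Acl $keyFile
$acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize

# Look for an explicit Allow ACE granting at least Read to the pool account
# (group-based access is not resolved here; the table above shows every ACE).
$readAce = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -ieq $AppPoolUser -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
}
if ($readAce) {
    Write-Host "$AppPoolUser has an explicit Read ACE on the key file."
} elseif ($GrantRead) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule($AppPoolUser, 'Read', 'Allow')
    $acl.AddAccessRule($ace)
    Set-Acl -Path $keyFile -AclObject $acl
    Write-Host "Granted Read on the key file to $AppPoolUser."
} else {
    Write-Warning "$AppPoolUser has no explicit Read ACE on the key file."
}

# Which pool and which account is each worker process really using?
# w3wp.exe is started with '-ap "<PoolName>"' on its command line.
Get-WmiObject Win32_Process -Filter "Name = 'w3wp.exe'" | ForEach-Object {
    $owner = $_.GetOwner()
    $pool  = if ($_.CommandLine -match '-ap "([^"]+)"') { $Matches[1] } else { '?' }
    "{0,-6} pool={1,-20} user={2}\{3}" -f $_.ProcessId, $pool, $owner.Domain, $owner.User
}
```

Run it once on Server1 and once on Server2 and diff the output; the container name, key file name, ACE list and the pool/user line for w3wp.exe are the items most likely to differ between two hosts that otherwise look identical in the MMC. Run it a second time as the app pool account itself (for example from a `runas` shell) to see whether `.PrivateKey` opens the key for that identity.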