I am running into the following error when attempting to parse my token:
Property name: 'certificateReference'
Error: 'ID1025: Cannot find a unique certificate that matches the criteria.
StoreName: 'My'
StoreLocation: 'LocalMachine'
X509FindType: 'FindByThumbprint'
FindValue: '41a8a59e537d4a00a8c4fa8dc2522388dbd13d27'
The section in my web.config is:
<serviceCertificate>
<certificateReference x509FindType="FindByThumbprint" findValue="41A8A59E537D4A00A8C4FA8DC2522388DBD13D27" storeLocation="LocalMachine" storeName="My" />
</serviceCertificate>
I have confirmed the certificate exists in IIS, MMC and Internet Explorer and have tried changing the find type to subject, to no avail. I have also tried the thumbprint in upper case, lower case, with spaces and without spaces. I have also confirmed the certificate exists in LocalMachine\My with the following results:
Matching certificate:
CN=kelly-pc
Additional accounts and groups with access to the private key include:
NT AUTHORITY\SYSTEM
BUILTIN\Administrators
KELLY-PC\Kelly
BUILTIN\IIS_IUSRS
I had exactly the same problem. By copying my web.config section into Notepad++ (not Notepad) I saw an invisible character:
<serviceCertificate>
<certificateReference x509FindType="FindByThumbprint" findValue="?e36df2f3e351a25adf8ffb6ad3619f10238f0317" />
</serviceCertificate>
Delete this character and it should work.
Without Notepad++ you can just press backspace in front of the thumbprint value (as if trying to delete the " character).
First of all, the "issuedTokenAuthentication" advice from Oleg did not work for me since my application is ASP.NET MVC. I assume that this element is not supported in an ASP.NET MVC application, but it might be supported in a WCF service config.
After many hours of battling with this error on localhost, and other errors such as ID1024, I had to undo some things I had done by following advice like giving Everyone read access to all the files inside %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys as per this blog (I granted read on the whole MachineKeys folder, which was not a good idea!). By doing this, all granting of permissions on private keys stopped working via the MMC console!
My solution was to create a new self-signed certificate as per the instructions from here.
Then I did a fresh import of the newly created certificate into the correct store and gave the user that runs the web application read rights to the private key. My problem was with the certificate I was using before, which was self-signed; there must have been something wrong with it.
This section was definitely required on the client side:
<serviceCertificate>
<certificateReference x509FindType="FindByThumbprint" findValue="41A8A59E537D4A00A8C4FA8DC2522388DBD13D27" storeLocation="LocalMachine" storeName="My" />
</serviceCertificate>
When dealing with certificates, this is also very good advice to keep in mind:
IF YOU FIRST IMPORT THE CERTIFICATE INTO THE PERSONAL STORE FOR DEVELOPMENT, THEN IMPORT IT INTO THE MACHINE STORE FOR DEPLOYMENT, THE PRIVATE KEY WILL REMAIN IN THE PERSONAL STORE LOCATION SO NO SERVICE ACCOUNT CAN USE IT EVEN THOUGH THEY'VE BEEN GRANTED PERMISSION.
And finally, the FindPrivateKey.exe tool came in very handy to locate the actual private key file and help solve the problem; it can be downloaded from here, with good instructions here.
I noticed that when deleting certificates via the MMC console I had to remove the private key file manually from
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
if deleting from the LocalMachine store, and from
C:\Users\[Username]\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2106337540-114255811-1274951907-65121
if deleting from the CurrentUser store.
It was an invisible character in front of the thumbprint for me too. The standard Microsoft instruction to get the thumbprint is to open the certificate properties, copy the string of hex-encoded bytes, and remove spaces in between. I guess this copy procedure adds some invisible characters to the beginning of the string. These characters also need to be removed or the thumbprints do not match. I knew something must be wrong with the thumbprint when I found I was able to load the certificate by its name.
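The two answers above both come down to a non-hex character hidden inside findValue. The following is an added example, not code from the original thread: a small Python audit that parses a web.config fragment, names every character in a FindByThumbprint findValue that is not a hex digit (so invisible ones become visible by code point), and returns the normalised 40-character thumbprint. The sample config is constructed here; it reuses the thumbprint from the question and assumes the stray character is U+200E, which is one such mark a copy from the certificate dialog can carry.

```python
import unicodedata
import xml.etree.ElementTree as ET

HEX_DIGITS = set("0123456789abcdefABCDEF")

# Constructed sample (not from the thread): the thumbprint from the question with an
# assumed invisible U+200E (LEFT-TO-RIGHT MARK) pasted in front of it.
SAMPLE_CONFIG = (
    '<serviceCertificate>'
    '<certificateReference x509FindType="FindByThumbprint" '
    'findValue="\u200e41a8a59e537d4a00a8c4fa8dc2522388dbd13d27" '
    'storeLocation="LocalMachine" storeName="My" />'
    '</serviceCertificate>'
)


def audit_thumbprint(find_value):
    """Return (clean_hex, problems).

    clean_hex is the upper-case hex string with every non-hex character dropped;
    problems lists each distinct offending character as 'U+XXXX NAME', plus a
    length complaint if the result is not the 40 hex digits of a SHA-1 thumbprint.
    """
    problems = []
    clean = []
    for ch in find_value:
        if ch in HEX_DIGITS:
            clean.append(ch.upper())
        else:
            desc = f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')}"
            if desc not in problems:
                problems.append(desc)
    hex_str = "".join(clean)
    if len(hex_str) != 40:
        problems.append(f"length {len(hex_str)}, expected 40 hex digits")
    return hex_str, problems


def audit_config(xml_text):
    """Audit every FindByThumbprint certificateReference in an XML fragment.

    Returns a list of (clean_hex, problems) tuples in document order.
    """
    root = ET.fromstring(xml_text)
    results = []
    for ref in root.iter("certificateReference"):
        if ref.get("x509FindType") != "FindByThumbprint":
            continue
        results.append(audit_thumbprint(ref.get("findValue", "")))
    return results


if __name__ == "__main__":
    for clean, problems in audit_config(SAMPLE_CONFIG):
        print("clean findValue:", clean)
        for p in problems:
            print("  problem:", p)
```

An empty problems list means the value is safe to paste back into findValue; anything else shows exactly which character the editor was hiding.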
Probably you use a self-issued certificate, and you should also add the line
<issuedTokenAuthentication allowUntrustedRsaIssuers="true" />
inside <serviceCertificate>, which should be used together with <certificateReference>.