22

I am running into the following error when attempting to parse my token:

Property name: 'certificateReference'
Error: 'ID1025: Cannot find a unique certificate that matches the criteria.
StoreName: 'My'
StoreLocation: 'LocalMachine'
X509FindType: 'FindByThumbprint'
FindValue: '‎41a8a59e537d4a00a8c4fa8dc2522388dbd13d27'

The section in my web.config is:

<serviceCertificate>
    <certificateReference x509FindType="FindByThumbprint" findValue="‎41A8A59E537D4A00A8C4FA8DC2522388DBD13D27" storeLocation="LocalMachine" storeName="My" />
</serviceCertificate>

I have confirmed the certificate exists in IIS, MMC and Internet Explorer and have tried changing the Find type to subject to no avail. I have also tried the thumbprint in upper case, lower case, with spaces and without spaces. I have also confirmed the certificate exists in LocalMachine\My with the following results:

Matching certificate:
CN=kelly-pc

Additional accounts and groups with access to the private key include:

NT AUTHORITY\SYSTEM
BUILTIN\Administrators
KELLY-PC\Kelly
BUILTIN\IIS_IUSRS
koopajah
Kjaneb

6 Answers

24

I had exactly the same problem. By copying my web.config section into Notepad++ (not Notepad) I saw an invisible character:

<serviceCertificate>
        <certificateReference  x509FindType="FindByThumbprint" findValue="?e36df2f3e351a25adf8ffb6ad3619f10238f0317" />
</serviceCertificate>

Delete this character and it should work.

Without Notepad++ you can just press backspace in front of the thumbprint value (try to delete the " character).

Guish
  • Best way is to view the file in a HexEditor like HxD. I was using Notepad++ and it didn't show any "invisible" characters. HxD did... Problem comes from when copy/paste from the certificate in IIS. Better type it in than copying it. – Mikael Holmgren Jan 29 '14 at 13:30
  • 6
    Using Notepad++ I didn't see the extra characters until I changed the encoding from UTF-8 to ANSI – BozoJoe May 27 '14 at 20:11
  • 1
    the backspace trick did it for me. in my case, i had to press backspace until i could delete the " – sawe May 23 '15 at 18:12
8

First of all, the "issuedTokenAuthentication" advice from Oleg did not work for me since my application is an ASP.NET MVC application. I assume that this element is not supported in an ASP.NET MVC application, but it might be supported in a WCF service config.

After many hours of battling with this error on localhost and other errors such as ID1024, I had to undo some stuff I had done by following advice like giving Everyone read access to all the files inside %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys as per this blog (I granted read on the whole MachineKeys folder, which was not a good idea!). By doing this, all granting of permissions on private keys stopped working via the MMC console!

My solution was to create a new self-signed certificate as per the instructions from here.

Then I did a fresh import of the newly created certificate into the correct store and gave the user that runs the web applications read rights to the private key. My problem was with the certificate I was using before, which was self-signed; there must have been something wrong with it.

This section was definitely required on the client side:

<serviceCertificate>
   <certificateReference x509FindType="FindByThumbprint" findValue="‎41A8A59E537D4A00A8C4FA8DC2522388DBD13D27" storeLocation="LocalMachine" storeName="My" />
</serviceCertificate>

When dealing with certificates, this is also very good advice to keep in mind:

IF YOU FIRST IMPORT THE CERTIFICATE INTO THE PERSONAL STORE FOR DEVELOPMENT, THEN IMPORT IT INTO THE MACHINE STORE FOR DEPLOYMENT, THE PRIVATE KEY WILL REMAIN IN THE PERSONAL STORE LOCATION SO NO SERVICE ACCOUNT CAN USE IT EVEN THOUGH THEY'VE BEEN GRANTED PERMISSION.

And finally, the FindPrivateKey.exe tool came in very handy to locate the actual private key file and to help solve the problem; it can be downloaded from here, with good instructions here.

I noticed when deleting certificates via the MMC console I had to remove the private key file manually from

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

if deleting from the LocalMachine store, and from

C:\Users[Username]\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2106337540-114255811-1274951907-65121

if deleting from the CurrentUser store.

Bjarki B
  • This was helpful: using the FindPrivateKey.exe tool with -t "thumbprint" to find the file, and then issuing rights to the "Local Service" account on that file, since that was the user my app pool was running under! – ScottCate Nov 24 '13 at 02:44
  • This has saved me hours of troubleshooting. Thank you! I was using IIS Express, so I had to add ($machinename\IIS_IUSRS) to the ACL for the file once I was able to find it using the FindPrivateKey application. – wislon Jan 22 '14 at 00:12
3

It was an invisible character in front of the thumbprint for me too. The standard Microsoft instruction to get the thumbprint is to open the certificate properties, copy the string of hex-encoded bytes, and remove spaces in between. I guess this copy procedure adds some invisible characters to the beginning of the string. These characters also need to be removed or the thumbprints do not match. I knew something must be wrong with the thumbprint when I found I was able to load the certificate by its name.

Andrzej Turski
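The two answers above both trace ID1025 to an invisible character pasted in front of the thumbprint. The following is an added example (not code from the question or any answer) that parses a constructed web.config fragment, reports every non-hex code point in findValue by name, and returns the cleaned 40-hex-digit thumbprint; the hidden character in the sample is assumed to be U+200E, which is what the certificate properties dialog typically leaves at the start of a copied thumbprint.

```python
import re
import unicodedata
import xml.etree.ElementTree as ET

# Constructed sample: a web.config fragment as it looks after pasting the
# thumbprint from the certificate dialog. The findValue carries a leading
# U+200E (LEFT-TO-RIGHT MARK), written as an escape here so it stays visible.
SAMPLE_WEB_CONFIG = (
    '<serviceCertificate>'
    '  <certificateReference x509FindType="FindByThumbprint"'
    '    findValue="\u200e41A8A59E537D4A00A8C4FA8DC2522388DBD13D27"'
    '    storeLocation="LocalMachine" storeName="My" />'
    '</serviceCertificate>'
)

HEX_DIGITS = "0123456789abcdefABCDEF"
SHA1_THUMBPRINT = re.compile(r"^[0-9A-F]{40}$")


def hidden_chars(value):
    """List (offset, code point, Unicode name) for every char that is neither a hex digit nor a space."""
    return [(i, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
            for i, c in enumerate(value)
            if c != " " and c not in HEX_DIGITS]


def clean_thumbprint(value):
    """Drop spaces and any non-hex characters and upper-case the rest; reject anything but 40 hex digits."""
    cleaned = "".join(c for c in value if c in HEX_DIGITS).upper()
    if not SHA1_THUMBPRINT.match(cleaned):
        raise ValueError(f"not a 40-hex-digit thumbprint after cleaning: {cleaned!r}")
    return cleaned


def check_web_config(xml_text):
    """Return one report per FindByThumbprint certificateReference in the fragment."""
    root = ET.fromstring(xml_text)
    reports = []
    for ref in root.iter("certificateReference"):
        if ref.get("x509FindType") != "FindByThumbprint":
            continue
        raw = ref.get("findValue", "")
        reports.append({"raw": raw, "hidden": hidden_chars(raw), "clean": clean_thumbprint(raw)})
    return reports


if __name__ == "__main__":
    for report in check_web_config(SAMPLE_WEB_CONFIG):
        print("raw findValue :", repr(report["raw"]))   # repr() makes U+200E visible
        print("hidden chars  :", report["hidden"])
        print("cleaned value :", report["clean"])
```

Pasting the cleaned value back into findValue (or typing the thumbprint by hand, as the comments suggest) is what removes the mismatch; the report tells you which characters were the problem.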
0

So this error was showing up on my screen this morning. I'm using a development machine, so I was using a self-signed (IIS) certificate. After installing Visual Studio 2015 RC, IIS was upgraded as well. It turns out that broke the chain trust, because the root certificate was either removed or invalid (IIS Express .

Probably an obvious thing to do, but make sure the selected certificate is still valid, including every hop in the chain.

Caramiriel
0

Probably you use a self-issued certificate, and you should also add the line

<issuedTokenAuthentication allowUntrustedRsaIssuers="true" />

inside <serviceCertificate>, which should be used together with <certificateReference>.

Oleg
  • I had added the certificate into the trusted providers section and it still was not found. In any case I created another simple solution with new self-issued certificates and the project worked! – Kjaneb Jul 16 '10 at 01:19
  • 5
    And this solution was? How about helping out the community when you can.... /grumble – VulgarBinary Apr 04 '11 at 20:29
  • Is it just me, or is this not very clear at all? Can you please post a larger XML fragment that better shows this? – Bryan Jul 20 '12 at 16:20
  • @Bryan: I can't reproduce the problem which Kjaneb, who asked the question, has. I supposed only the reason. You can see some more examples [here](http://www.codeproject.com/Articles/25677/Simple-WCF-X509-Certificate). Another reason could be the permission on the key container (see [here](http://stackoverflow.com/a/5015651/315935) for example). One should just have more complete information about the problem to be able to really solve it. If you have the same problem you should describe it in detail. Moreover, the answer was written two years ago, when I had been a member of stackoverflow for less than 3 months. – Oleg Jul 20 '12 at 20:46
0

On one particular server I had to add it to the Trusted Root Certification Authorities store as well, in addition to Personal, for the code to recognize it.

On my local box and other servers it worked just fine in the Personal store only.

gbs