Dynamics 365 9.0 on-premise IFD configuration: Error Invalid provider type specified – How to check the KeySpec CNG \ CAPI value for your certificates / keys

<?xml version="1.0"?>
 
<error xmlns:xsi="www.w3.org/.../XMLSchema-instance" xmlns:xsd="www.w3.org/.../XMLSchema">
 
<exception>Unhandled Exception: System.ServiceModel.FaultException`1[[Microsoft.Xrm.Sdk.OrganizationServiceFault, Microsoft.Xrm.Sdk, Version=9.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: System.Security.Cryptography.CryptographicException: Invalid provider type specified. at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle) at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize) at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey() at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey() at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm) at System.IdentityModel.SignedXml.ComputeSignature(SecurityKey signingKey) at System.IdentityModel.EnvelopedSignatureWriter.ComputeSignature() at System.IdentityModel.EnvelopedSignatureWriter.OnEndRootElement() at System.IdentityModel.Metadata.MetadataSerializer.WriteEntityDescriptor(XmlWriter inputWriter, EntityDescriptor entityDescriptor) at System.IdentityModel.Metadata.MetadataSerializer.WriteMetadata(Stream stream, MetadataBase metadata) at Microsoft.Crm.Authentication.Claims.MetadataGenerator.GenerateCrmFederationMetadata(Stream stream) at Microsoft.Crm.Application.Components.Handlers.FederationMetadata.ProcessRequestInternal(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously): Microsoft Dynamics CRM has experienced an error. 
Reference number for administrators or support: #52B75F04Detail: <OrganizationServiceFault xmlns:i="www.w3.org/.../XMLSchema-instance" xmlns="schemas.microsoft.com/.../Contracts"> <ActivityId>d096958b-7e1b-4d58-a0d0-cf1724fe05a4</ActivityId> <ErrorCode>-2147220970</ErrorCode> <ErrorDetails xmlns:d2p1="schemas.datacontract.org/.../System.Collections.Generic" /> <Message>System.Security.Cryptography.CryptographicException: Invalid provider type specified. at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle&amp; safeProvHandle, SafeKeyHandle&amp; safeKeyHandle) at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize) at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey() at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey() at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm) at System.IdentityModel.SignedXml.ComputeSignature(SecurityKey signingKey) at System.IdentityModel.EnvelopedSignatureWriter.ComputeSignature() at System.IdentityModel.EnvelopedSignatureWriter.OnEndRootElement() at System.IdentityModel.Metadata.MetadataSerializer.WriteEntityDescriptor(XmlWriter inputWriter, EntityDescriptor entityDescriptor) at System.IdentityModel.Metadata.MetadataSerializer.WriteMetadata(Stream stream, MetadataBase metadata) at Microsoft.Crm.Authentication.Claims.MetadataGenerator.GenerateCrmFederationMetadata(Stream stream) at Microsoft.Crm.Application.Components.Handlers.FederationMetadata.ProcessRequestInternal(HttpContext context) at 
System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&amp; completedSynchronously): Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #52B75F04</Message> <Timestamp>2019-03-22T06:30:25.9316984Z</Timestamp> <ExceptionRetriable>false</ExceptionRetriable> <ExceptionSource i:nil="true" /> <InnerFault i:nil="true" /> <OriginalException i:nil="true" /> <TraceText i:nil="true" /> </OrganizationServiceFault> </exception>
 
<parameters xsi:nil="true"/>
 
<displaytitle/>
 
<displaytextencoded/>
 
<displaytext/>
 
<description>Invalid provider type specified. </description>
 
<file>Not available</file>
 
<line>Not available</line>
 
<details>Not available</details>
 
<traceInfo/>
 
<requesturl>internalcrm.kcenter.com/.../FederationMetadata.ashx</requesturl>
 
<pathAndQuery>/Handlers/FederationMetadata.ashx</pathAndQuery>
 
<source>ASHX_XML</source>
 
<stacktrace/>
 
</error>

We had added private key permissions — which is the usual issue with SSLs and CRM — so that was not the problem.

The reason is that the commercial SSL certificate issued to us was not a legacy CAPI certificate: we had unknowingly been issued one whose private key is held by a CNG (Cryptography Next Generation) key storage provider. The code path in the trace above (X509Certificate2.get_PrivateKey, which hands back an RSACryptoServiceProvider) only knows how to open CAPI key containers, so when CRM tries to sign its federation metadata with a CNG key it fails with "Invalid provider type specified". Private key permissions never come into it; the key simply lives in a provider type that this API cannot use.

KeySpec values and associated meanings

The following are the meanings of the various KeySpec values:

KeySpec value | Meaning | Recommended AD FS use
0 | CNG (Cryptography Next Generation) key: the private key is held by a CNG key storage provider | SSL certificate only
1 | Legacy CAPI (non-CNG) key, AT_KEYEXCHANGE: the key can be used for signing and decryption | SSL, token signing, token decrypting, service communication certificates
2 | Legacy CAPI (non-CNG) key, AT_SIGNATURE: the key can be used only for signing | not recommended

The same requirement applies to the certificate Dynamics 365 uses to sign its federation metadata, which is the operation that fails in the trace above: it needs a CAPI key with KeySpec 1.

How to check the KeySpec value for your certificates / keys

To see a certificate's KeySpec you can use the certutil command line tool.

The following is an example: certutil -v -store my <THUMBPRINT> This command dumps the certificate information to the screen. Look for the "KeySpec = ..." line in the private key section (and the "Provider = ..." line near it: a Key Storage Provider such as the Microsoft Software Key Storage Provider means a CNG key). KeySpec 0 is a CNG key; KeySpec 1 is the AT_KEYEXCHANGE value that CRM and AD FS need.

[Figure: Keyspec cert]
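The same check can be done from PowerShell without reading certutil output by hand. The function below is an added example, not code from the original post: it classifies every certificate with a private key in the store as CAPI (KeySpec 1 or 2) or CNG (KeySpec 0) by calling the very same legacy X509Certificate2.PrivateKey getter that fails in the CRM trace, and it separates the "Invalid provider type specified" case from the "Keyset does not exist" case that a private key ACL problem produces. The store path and the HRESULT constants are assumptions stated in the code; run it under Windows PowerShell 5.1 (the .NET Framework runtime CRM itself uses), because on PowerShell 7 / .NET Core the PrivateKey getter is CNG-aware and will not reproduce the failure.

```powershell
# Added example (not from the original post). Classifies certificates that have a
# private key as CAPI (KeySpec 1/2) or CNG (KeySpec 0) by exercising the legacy
# X509Certificate2.PrivateKey getter that CRM's metadata generator calls in the trace.
# Run under Windows PowerShell 5.1 (.NET Framework); on PowerShell 7 / .NET Core the
# PrivateKey getter is CNG-aware and will not fail for CNG keys.
function Get-CertificateKeySpec {
    [CmdletBinding()]
    param(
        # Assumption: the machine MY store, where IIS / CRM / AD FS certificates live.
        [string]$StorePath = 'Cert:\LocalMachine\My',
        # Optional: restrict the check to one certificate.
        [string]$Thumbprint
    )

    $NTE_BAD_PROV_TYPE = -2146893804   # 0x80090014 "Invalid provider type specified"
    $NTE_BAD_KEYSET    = -2146893802   # 0x80090016 "Keyset does not exist" (usually an ACL problem)

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.HasPrivateKey -and (-not $Thumbprint -or $_.Thumbprint -eq $Thumbprint) } |
        ForEach-Object {
            $cert = $_
            $row = [ordered]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                KeySpec    = $null
                Provider   = $null
                Verdict    = $null
            }
            try {
                # Legacy CAPI path: only succeeds when the key sits in a CSP key container.
                $info = $cert.PrivateKey.CspKeyContainerInfo
                $row.KeySpec  = [int]$info.KeyNumber       # 1 = AT_KEYEXCHANGE, 2 = AT_SIGNATURE
                $row.Provider = $info.ProviderName
                $row.Verdict  = if ($info.KeyNumber -eq 'Exchange') {
                    'CAPI, KeySpec 1: usable for SSL, token signing and decryption'
                } else {
                    'CAPI, KeySpec 2: signature-only, not recommended'
                }
            }
            catch {
                # PowerShell wraps the .NET exception; unwrap it to reach the real HRESULT.
                $ex = $_.Exception
                while ($ex.InnerException -and -not ($ex -is [System.Security.Cryptography.CryptographicException])) {
                    $ex = $ex.InnerException
                }
                switch ($ex.HResult) {
                    $NTE_BAD_PROV_TYPE {
                        # Same failure as the CRM trace: the key is held by a CNG key storage provider.
                        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                        $row.KeySpec  = 0
                        $row.Provider = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.Provider.Provider } else { 'CNG (non-RSA key)' }
                        $row.Verdict  = 'CNG, KeySpec 0: reimport with certutil -importpfx ... AT_KEYEXCHANGE'
                    }
                    $NTE_BAD_KEYSET {
                        $row.Verdict = 'Private key not accessible: fix private key permissions, KeySpec is not the issue'
                    }
                    default {
                        $row.Verdict = "Error reading private key: $($ex.Message)"
                    }
                }
            }
            [pscustomobject]$row
        }
}

# Usage:
#   Get-CertificateKeySpec | Format-Table -AutoSize
#   Get-CertificateKeySpec -Thumbprint '<THUMBPRINT>' | Format-List
```

A certificate reported as "CNG, KeySpec 0" is the one to reimport as described in the next section; a "Private key not accessible" result is the ordinary permissions problem and reimporting will not help.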

How to change the keyspec for your certificate to a supported value

Changing the KeySpec value doesn't require the certificate to be regenerated or reissued. The KeySpec can be changed by reimporting the complete certificate and private key from a PFX file into the certificate store using the following steps. Two caveats: the private key must have been marked exportable (otherwise it cannot be moved into a PFX and the certificate has to be reissued), and the key must be RSA, because legacy CAPI providers have no ECC support, so an ECDSA certificate cannot be converted this way.

  1. Check and record the private key permissions on the existing certificate so that they can be reconfigured if necessary after the reimport.
  2. Export the certificate including private key to a PFX file, and confirm the export succeeded before deleting anything.
  3. Perform the following steps for each AD FS and WAP server (for the Dynamics 365 error above, on the CRM front-end server that serves FederationMetadata.ashx as well).
    1. Delete the certificate (from the AD FS / WAP server), including its private key.
    2. Open an elevated PowerShell command prompt.
    3. Import the PFX file on each server using the following syntax, specifying the AT_KEYEXCHANGE value (which works for all AD FS certificate purposes):
      1. certutil -importpfx certfile.pfx AT_KEYEXCHANGE
      2. Enter the PFX password when prompted (prompting is preferable to passing it on the command line with -p, where it would be visible in the process list and in shell history).
    4. After the above process completes, do the following:
      1. Check that certutil -v -store my <THUMBPRINT> now reports KeySpec = 1 and re-check the private key permissions.
      2. Restart the AD FS or WAP service.
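The whole procedure above as one script, added here as an example and not taken from the original post. It records the private key file ACL, exports the PFX and verifies it, deletes the certificate and key, reimports with certutil -importpfx ... AT_KEYEXCHANGE, checks that the reimported key really is KeySpec 1, re-applies the saved ACL entries and restarts the service. Assumptions, also stated in the code: the certificate is in the machine MY store, the key is an exportable RSA key, certutil is on the PATH, the script runs elevated in Windows PowerShell 5.1, the CNG and CAPI machine key files live under %ProgramData%\Microsoft\Crypto\Keys and %ProgramData%\Microsoft\Crypto\RSA\MachineKeys respectively, and the service to restart is the AD FS service (adfssrv); on a CRM web server pass an empty -ServiceName and recycle IIS with iisreset instead.

```powershell
# Added example (not from the original post): the KeySpec reimport procedure as a script.
# Destructive: it deletes the certificate and private key, so it refuses to continue until
# the PFX export has been verified. Run elevated in Windows PowerShell 5.1.
# Assumptions: machine MY store, exportable RSA key, certutil on PATH, key files under
# %ProgramData%\Microsoft\Crypto\{Keys,RSA\MachineKeys}, AD FS service name 'adfssrv'
# (pass -ServiceName '' on a CRM or WAP box and restart IIS / WAP yourself).
param(
    [Parameter(Mandatory)] [string]$Thumbprint,
    [string]$PfxPath = (Join-Path $env:TEMP "keyspec-fix-$Thumbprint.pfx"),
    [string]$ServiceName = 'adfssrv'
)
$ErrorActionPreference = 'Stop'
$certPath = "Cert:\LocalMachine\My\$Thumbprint"
$cert = Get-Item $certPath

# Step 1: record the private key file ACL so it can be re-applied after the reimport.
try {
    # CAPI key: the legacy getter works and names the container file.
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
} catch {
    # CNG key (the case in this post): ask the CNG object for its unique key name.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -isnot [System.Security.Cryptography.RSACng]) { throw "Not an RSA key; cannot convert to a CAPI KeySpec." }
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
}
$savedAcl = Get-Acl -Path $keyFile
"Existing private key file: $keyFile"
$savedAcl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Step 2: export certificate plus private key and verify the PFX before deleting anything.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword -ChainOption EndEntityCertOnly | Out-Null
if (-not (Test-Path $PfxPath) -or (Get-Item $PfxPath).Length -eq 0) {
    throw "PFX export failed; aborting before deleting anything."
}

# Step 3: delete the certificate and its key, then reimport forcing KeySpec = AT_KEYEXCHANGE.
Remove-Item -Path $certPath -DeleteKey
# certutil prompts for the password itself; not passing -p keeps it out of the process list.
& certutil -importpfx $PfxPath AT_KEYEXCHANGE
if ($LASTEXITCODE -ne 0) { throw "certutil -importpfx failed with exit code $LASTEXITCODE" }

# Step 4: confirm the key is now a CAPI KeySpec 1 key and re-apply the saved ACL entries.
$cert = Get-Item $certPath
$info = $cert.PrivateKey.CspKeyContainerInfo   # now succeeds: the key lives in a CAPI CSP
if ($info.KeyNumber -ne 'Exchange') {
    throw "KeySpec is $([int]$info.KeyNumber), expected 1 (AT_KEYEXCHANGE)"
}
$newKeyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $info.UniqueKeyContainerName
$newAcl = Get-Acl -Path $newKeyFile
foreach ($ace in $savedAcl.Access) {
    if (-not $ace.IsInherited) { $newAcl.AddAccessRule($ace) }   # e.g. the CRM / AD FS service account
}
Set-Acl -Path $newKeyFile -AclObject $newAcl
"Reimported key: $newKeyFile (Provider = $($info.ProviderName), KeySpec = $([int]$info.KeyNumber))"

# Step 5: restart the dependent service so it picks up the reimported key.
if ($ServiceName) { Restart-Service -Name $ServiceName }
```

Remove the PFX file from disk once the reimport has been verified on every server; it contains the private key. If Export-PfxCertificate fails with a non-exportable key error, the key cannot be moved and the certificate has to be reissued (with an exportable RSA key) rather than converted.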