{"id":8565,"date":"2025-02-04T23:50:16","date_gmt":"2025-02-04T23:50:16","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=8565"},"modified":"2025-11-05T08:00:26","modified_gmt":"2025-11-05T08:00:26","slug":"dynamics-365-9-0-on-premise-ifd-configuration-error-invalid-provider-type-specified-how-to-check-the-keyspec-cng-capi-value-for-your-certificates-keys","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/dynamics-365-9-0-on-premise-ifd-configuration-error-invalid-provider-type-specified-how-to-check-the-keyspec-cng-capi-value-for-your-certificates-keys","title":{"rendered":"Dynamics 365 9.0 on-premise IFD configuration: Error Invalid provider type specified – How to check the KeySpec CNG \\ CAPI value for your certificates \/ keys"},"content":{"rendered":"\n
<?xml version=\"1.0\"?>\n \n-<error xmlns:xsi=\"www.w3.org\/...\/XMLSchema-instance\" xmlns:xsd=\"www.w3.org\/...\/XMLSchema\">\n \n<exception>Unhandled Exception: System.ServiceModel.FaultException`1[[Microsoft.Xrm.Sdk.OrganizationServiceFault, Microsoft.Xrm.Sdk, Version=9.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: System.Security.Cryptography.CryptographicException: Invalid provider type specified. at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle) at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize) at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey() at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey() at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm) at System.IdentityModel.SignedXml.ComputeSignature(SecurityKey signingKey) at System.IdentityModel.EnvelopedSignatureWriter.ComputeSignature() at System.IdentityModel.EnvelopedSignatureWriter.OnEndRootElement() at System.IdentityModel.Metadata.MetadataSerializer.WriteEntityDescriptor(XmlWriter inputWriter, EntityDescriptor entityDescriptor) at System.IdentityModel.Metadata.MetadataSerializer.WriteMetadata(Stream stream, MetadataBase metadata) at Microsoft.Crm.Authentication.Claims.MetadataGenerator.GenerateCrmFederationMetadata(Stream stream) at Microsoft.Crm.Application.Components.Handlers.FederationMetadata.ProcessRequestInternal(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously): Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #52B75F04Detail: <OrganizationServiceFault xmlns:i=\"www.w3.org\/...\/XMLSchema-instance\" xmlns=\"schemas.microsoft.com\/...\/Contracts\"> <ActivityId>d096958b-7e1b-4d58-a0d0-cf1724fe05a4<\/ActivityId> <ErrorCode>-2147220970<\/ErrorCode> <ErrorDetails xmlns:d2p1=\"schemas.datacontract.org\/...\/System.Collections.Generic\" \/> <Message>System.Security.Cryptography.CryptographicException: Invalid provider type specified. at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle&amp; safeProvHandle, SafeKeyHandle&amp; safeKeyHandle) at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize) at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey() at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey() at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm) at System.IdentityModel.SignedXml.ComputeSignature(SecurityKey signingKey) at System.IdentityModel.EnvelopedSignatureWriter.ComputeSignature() at System.IdentityModel.EnvelopedSignatureWriter.OnEndRootElement() at System.IdentityModel.Metadata.MetadataSerializer.WriteEntityDescriptor(XmlWriter inputWriter, EntityDescriptor entityDescriptor) at System.IdentityModel.Metadata.MetadataSerializer.WriteMetadata(Stream stream, MetadataBase metadata) at Microsoft.Crm.Authentication.Claims.MetadataGenerator.GenerateCrmFederationMetadata(Stream stream) at Microsoft.Crm.Application.Components.Handlers.FederationMetadata.ProcessRequestInternal(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&amp; completedSynchronously): Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #52B75F04<\/Message> <Timestamp>2019-03-22T06:30:25.9316984Z<\/Timestamp> <ExceptionRetriable>false<\/ExceptionRetriable> <ExceptionSource i:nil=\"true\" \/> <InnerFault i:nil=\"true\" \/> <OriginalException i:nil=\"true\" \/> <TraceText i:nil=\"true\" \/> <\/OrganizationServiceFault> <\/exception>\n \n<parameters xsi:nil=\"true\"\/>\n \n<displaytitle\/>\n \n<displaytextencoded\/>\n \n<displaytext\/>\n \n<description>Invalid provider type specified. <\/description>\n \n<file>Not available<\/file>\n \n<line>Not available<\/line>\n \n<details>Not available<\/details>\n \n<traceInfo\/>\n \n<requesturl>internalcrm.kcenter.com\/...\/FederationMetadata.ashx&lt;\/requesturl>\n \n<pathAndQuery>\/Handlers\/FederationMetadata.ashx<\/pathAndQuery>\n \n<source>ASHX_XML<\/source>\n \n<stacktrace\/>\n \n<\/error><\/code><\/pre>\n\n\n\n
We had added private key permissions — which is the usual issue with SSLs and CRM — so that was not the problem.<\/p>\n\n\n\n
The reason is that the commercial SSL issued was not of type CAPI, we had unknowingly been issued a CNG (Certificate Next Generation).<\/p>\n\n\n\n
KeySpec values and associated meanings<\/a><\/h2>\n\n\n\n
The following are the meanings of the various KeySpec values:<\/p>\n\n\n\n
Keyspec value<\/th>Means<\/th>Recommended AD FS use<\/th><\/tr><\/thead>
0<\/code><\/td>The certificate is a CNG (Certificate Next Generation) cert<\/td>SSL certificate only<\/td><\/tr>
1<\/code><\/td>For a legacy CAPI (non-CNG) cert, the key can be used for signing and decryption<\/td>SSL, token signing, token decrypting, service communication certificates<\/td><\/tr>
2<\/code><\/td>For a legacy CAPI (non-CNG) cert, the key can be used only for signing<\/td>not recommended<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
How to check the KeySpec value for your certificates \/ keys<\/h2>\n\n\n\n
<\/a><\/p>\n\n\n\n
To see a certificate’s value you can use the certutil<\/code> command line tool.<\/p>\n\n\n\n
The following is an example: certutil \u2013v \u2013store my<\/code> {THUMBPRINT] This command dumps the certificate information to the screen.<\/p>\n\n\n\n
\"Keyspec<\/a><\/figure>\n\n\n\n
How to change the keyspec for your certificate to a supported value<\/a><\/h2>\n\n\n\n
Changing the KeySpec value doesn’t require the certificate to be regenerated or reissued. The KeySpec can be changed by reimporting the complete certificate and private key from a PFX file into the certificate store using the following steps.<\/p>\n\n\n\n
    \n
  1. Check and record the private key permissions on the existing certificate so that they can be reconfigured if necessary after the reimport.<\/li>\n\n\n\n
  2. Export the certificate including private key to a PFX file.<\/li>\n\n\n\n
  3. Perform the following steps for each AD FS and WAP server.\n
      \n
    1. Delete the certificate (from the AD FS \/ WAP server).<\/li>\n\n\n\n
    2. Open an elevated PowerShell command prompt.<\/li>\n\n\n\n
    3. Import the PFX file on each AD FS and WAP server using the following syntax, specifying the AT_KEYEXCHANGE<\/code> value (which works for all AD FS certificate purposes):\n
        \n
      1. certutil \u2013importpfx certfile.pfx AT_KEYEXCHANGE<\/code>\n