"Invalid provider type specified." when using a high trust cert that was created with CNG in a Provider Hosted App

The short solution: When generating a cert to be used for high trust in a Provider Hosted application, choose "(no template) Legacy key" with the Microsoft RSA SChannel Cryptographic Provider.

The longer explanation: In my continuing journey with Provider Hosted applications, I've run into a new issue that is documented for other areas of Microsoft technology, but not for SharePoint. I requested an enterprise cert that we would use for S2S high trust. Certs generated for web environments are typically created from a web site template, and on Microsoft platforms the web site templates usually use CNG (Cryptography Next Generation), which IIS supports just fine. High trust certs, unlike standard web site SSL certs, are not imported into IIS and used to encrypt browser transactions; they are broken up into public and private key files (.cer and .pfx). The public key is used on the SharePoint server and the private key on the remote web server, and together the files let the remote web server and the SharePoint server talk securely. We built our app in Visual Studio 2013, and the standard Provider Hosted Application template in Visual Studio comes with some great base code that handles all of the nitty gritty of using the private key to talk back to SharePoint. After setting up the key files and attempting to navigate to one of our pages, I received the error below. The error is thrown at the point where the TokenHelper class attempts to access the private key in the .pfx file, because the crypto API used there does not support certs generated with CNG. See the short solution above.


Server Error in '/' Application.


An internal error occurred.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Security.Cryptography.CryptographicException: An internal error occurred.
Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[CryptographicException: An internal error occurred.]
   System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr) +41
   System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromFile(String fileName, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx) +0
   System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags) +307
   System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password) +84
   Foo.Web.TokenHelper..cctor() in c:\Foo\FooWeb\TokenHelper.cs:674

[TypeInitializationException: The type initializer for 'Foo.Web.TokenHelper' threw an exception.]
   Foo.Web.TokenHelper.IsHighTrustApp() in c:\Foo\FooWeb\TokenHelper.cs:618
   Foo.Web.SharePointContextProvider..cctor() in c:\Foo\FooWeb\SharePointContext.cs:307

[TypeInitializationException: The type initializer for 'Foo.Web.SharePointContextProvider' threw an exception.]
   Foo.Web.SharePointContextProvider.CheckRedirectionStatus(HttpContext httpContext, Uri& redirectUrl) in c:\Foo\FooWeb\SharePointContext.cs:410
   Foo.Web.Default.Page_PreInit(Object sender, EventArgs e) in c:\Foo\FooWeb\Pages\Default.aspx.cs:15
   System.Web.UI.Page.PerformPreInit() +49
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1844



Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.18446
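A pre-flight check you can run on the .pfx before copying it to the remote web server, added here as an example and not part of the original post or of the Visual Studio template code. It assumes certutil's dump output carries a "Provider =" line for the key container (CNG keys report a Key Storage Provider, legacy keys a Cryptographic Provider); the path and password are placeholders, and the X509Certificate2 load mirrors what TokenHelper does at the line shown in the stack trace above.

```powershell
# Added example: detect a CNG-backed high-trust PFX before TokenHelper trips over it.
param(
    [string]$PfxPath = 'C:\certs\HighTrust.pfx',   # placeholder path, supply your own
    [string]$PfxPassword = 'PLACEHOLDER_PASSWORD'  # placeholder; in practice prompt with Read-Host -AsSecureString
)

# 1. Ask certutil which provider holds the private key. A CNG key lists a
#    "... Key Storage Provider" (ProviderType = 0); a legacy CAPI key lists a
#    CSP such as "Microsoft RSA SChannel Cryptographic Provider".
$dump = & certutil.exe -p $PfxPassword -dump $PfxPath 2>&1 | Out-String
$providerLine = $dump -split "`r?`n" | Where-Object { $_ -match 'Provider\s*=' } | Select-Object -First 1
Write-Host "Key provider: $providerLine"
$isCng = ($providerLine -match 'Key Storage Provider') -or ($dump -match 'ProviderType\s*=\s*0\b')

# 2. Reproduce what TokenHelper does: load the PFX with X509Certificate2 and
#    reach the private key through the CryptoAPI-backed PrivateKey property.
try {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
    $rsa = $cert.PrivateKey
    if ($null -eq $rsa) { throw 'PrivateKey returned null (no CryptoAPI-accessible key in the PFX)' }
    Write-Host "OK: private key reachable via CryptoAPI ($($rsa.GetType().Name)); thumbprint $($cert.Thumbprint)"
} catch {
    Write-Warning "TokenHelper would fail here: $($_.Exception.Message)"
    if ($isCng) {
        Write-Warning 'The key lives in a CNG Key Storage Provider. Re-request the cert with "(no template) Legacy key" and'
        Write-Warning 'Microsoft RSA SChannel Cryptographic Provider, or re-import the PFX into a legacy CSP, e.g.:'
        Write-Warning '  certutil -csp "Microsoft RSA SChannel Cryptographic Provider" -p <password> -importPFX <file.pfx>'
    }
}
```

Run it on the remote web server as the account that will host the app pool, since that is the identity that TokenHelper loads the .pfx under.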