web
You’re offline. This is a read only version of the page.
close
Skip to main content

Notifications

Announcements

No record found.

News and Announcements icon
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Microsoft Dynamics CRM (Archived) / CRM 2015 IFD Error: Pr...
Microsoft Dynamics CRM (Archived)

CRM 2015 IFD Error: Private key does not support the exchange KeySpec

(0) ShareShare
ReportReport
Posted on by Art Karp

I have set up a CRM demo network with the following Windows 2012 R2 servers:

1. Domain Controller with ADFS

2. SQL 2012

3. CRM 2015 (all CRM server roles)

2. WAP

CRM tested fine before configuring for IFD

I have installed a public wildcard certificate (*.demo.domain.com) on the DC, CRM, and WAP servers and added the CRM App user full rights on the private key.   The WAP server shows everything is working.

When trying to connect to an org, the following error below is displayed by CRM after logging in as administrator.

I have searched the web and read every IFD set up paper and note found.  However, so far I have not come across this error.

Anyone have a clue how to fix it?  Or where to check?

Thanks

(Note I have changed the real domain name shown here to "domain.com" for security)

Microsoft CRM Error Report:
Error Description:
The private key does not support the exchange KeySpec.

Error Details: 
Not available

Full Stack: 
[NotSupportedException: The private key does not support the exchange KeySpec.]
   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.DecryptKey(String algorithm, Byte[] keyData)

   at System.IdentityModel.Selectors.SecurityTokenResolver.SimpleTokenResolver.TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, SecurityKey& key)

   at Microsoft.IdentityModel.Tokens.EncryptedSecurityTokenHandler.ReadToken(XmlReader reader)

   at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)

   at Microsoft.IdentityModel.Web.TokenReceiver.ReadToken(String tokenXml, XmlDictionaryReaderQuotas readerQuotas)

   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)

   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)

   at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)

   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()

   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Other Message:

Error Number:

Source File:
Not available

Line Number:
Not available

Error Trace:

Date: 02-26-2015

Time: 19:36:52

Server: authtyler.demo.eventix.com
Request URL:
https://auth.demo.domain.com/default.aspx

*This post is locked for comments

I have the same question (0)
  • Art Karp Profile Picture
    Art Karp on at

    One other note...

    On the WAP server the Auth, Dev and Org URLs have DisableTranslateUrlInResponseHeaders set to True.  

    Here are all the options as set for the above URLs:

    ADFSRelyingPartyID                           :

    ADFSRelyingPartyName                         :

    BackendServerAuthenticationMode              : NoAuthentication

    BackendServerAuthenticationSPN               :

    BackendServerCertificateValidation           : None

    BackendServerUrl                             : blankorg2015.demo.domain.com

    ClientCertificateAuthenticationBindingMode   : None

    ClientCertificatePreauthenticationThumbprint :

    DisableHttpOnlyCookieProtection              : False

    DisableTranslateUrlInRequestHeaders          : False

    DisableTranslateUrlInResponseHeaders         : True

    ExternalCertificateThumbprint                : EB0549E06ACBA2D3BE589AC0A7FBDD0FB2C8529A

    ExternalPreauthentication                    : PassThrough

    ExternalUrl                                  : blankorg2015.demo.domain.com

    ID                                           : ae0b9d0c-e1db-d5eb-61ec-12517d5f2c26

    InactiveTransactionsTimeoutSec               : 300

    Name                                         : blankOrg2015.demo.domain.com

    UseOAuthAuthentication                       : False

    PSComputerName                               :

    On the URL for sts.demo.domain, DisableTranslateUrlInResponseHeaders is set to False

    Also, On the ASDF Server there is an error:

    ---------------------------------------------------

    Encountered error during federation passive request.

    Additional Data

    Protocol Name:

    wsfed

    Relying Party:

    https://auth.demo.domain.com/

    Exception details:

    Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '1' seconds. Contact your administrator for details.

      at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.UpdateLoopDetectionCookie(WrappedHttpListenerContext context)

      at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.SendSignInResponse(WSFederationContext context, MSISSignInResponse response)

      at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)

      at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

  • Suggested answer
    AAToledano Profile Picture
    AAToledano 92 on at

    If you use a self signed cert, when the wildcard cert is generated, use -sky echange.

    makecert -pe -sky exchange.....

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

Responsible AI policies

As AI tools become more common, we’re introducing a Responsible AI Use…

Neeraj Kumar – Community Spotlight

We are honored to recognize Neeraj Kumar as our Community Spotlight honoree for…

Congratulations to the November Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > 🔒一 Microsoft Dynamics CRM (Archived)

#1
SA-08121319-0 Profile Picture

SA-08121319-0 4

#1
Calum MacFarlane Profile Picture

Calum MacFarlane 4

#3
Alex Fun Wei Jie Profile Picture

Alex Fun Wei Jie 2

Last 30 days Overall leaderboard

Featured topics

Product updates

Dynamics 365 release plans