Unable to browse to the CRM FederationMetadata endpoint after configuring Claims-based auth

  • General discussion

  • This has been resolved, but I wanted to throw it out here in case anyone runs across the same issue. A client had a new installation of CRM 2011 (Rollup 8) in a 'test' environment using self-signed certificates. Browsing to https://<crm_url>/FederationMetadata/2007-06/FederationMetadata.xml resulted in an error message "Invalid provider type specified."  The trace detail is appended at the end of this post. Since that URL did not work, we could not finish configuring Claims-based access from within ADFS.

    Long story short, the issue was that the self-signed certificate was generated using Windows 2008 CA using the 2008 (v3) template, instead of the 2003 (v2) template, and after re-generating a self-signed certificate using the 2003 template, everything started working again.

    [2012-08-20 13:42:52.258] Process: w3wp |Organization:00000000-0000-0000-0000-000000000000 |Thread:   22 |Category: Platform |User: 00000000-0000-0000-0000-000000000000 |Level: Error |ReqId: 8947a20f-f821-4082-962f-e7f8421a5952 | ExceptionConverter.ConvertMessageAndErrorCode
    >System.Security.Cryptography.CryptographicException: Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #287B825A: System.Security.Cryptography.CryptographicException: Invalid provider type specified.
    >   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
    >   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
    >   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
    >   at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
    >   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()
    >   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetAsymmetricAlgorithm(String algorithm, Boolean privateKey)
    >   at Microsoft.IdentityModel.Protocols.XmlSignature.SignedXml.ComputeSignature(SecurityKey signingKey)
    >   at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureWriter.ComputeSignature()
    >   at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureWriter.OnEndRootElement()
    >   at Microsoft.IdentityModel.Protocols.WSFederation.Metadata.MetadataSerializer.WriteEntityDescriptor(XmlWriter inputWriter, EntityDescriptor entityDescriptor)
    >   at Microsoft.IdentityModel.Protocols.WSFederation.Metadata.MetadataSerializer.WriteMetadata(Stream stream, MetadataBase metadata)
    >   at Microsoft.Crm.Authentication.Claims.MetadataGenerator.CreateFederationMetadata(Uri relyingPartyPassiveIdentifier, String certificateName, Stream stream)
    >   at Microsoft.Crm.Authentication.Claims.MetadataGenerator.GenerateCrmFederationMetadata(Stream stream)
    >   at Microsoft.Crm.Application.Components.Handlers.FederationMetadata.ProcessRequestInternal(HttpContext context)
    >   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
    >   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

    • Edited by Ken Heiman Monday, August 20, 2012 9:57 PM
    Monday, August 20, 2012 9:54 PM

All replies

  • Hi

    Was this problem solved?
    I also have the same trouble.

    Sunday, February 2, 2014 11:28 AM
  • Hi Ken,

    I hope you're still reading this thread. I have CRM 2013 driving me nuts. I receive a 500 internal server error, also indicating invalid provider type specified. However, I have an old style certificate (non v3) and still receive this error.

    Where did you find this stack trace?

    BR, Ronald

    Wednesday, May 27, 2015 9:42 AM
  • I know this reply is quite a time after the question was posted, but I've seen this in CRM 2016 as well.  In short, I had to export out the Certificate with the private key from the CRM Server and then re-import the certificate with the private key.  You may also have to use the information in https://blogs.msdn.microsoft.com/dsnotes/2015/08/13/service-failure-with-cryptographicexception-keyset-does-not-exist/ to troubleshoot permissions to the file that corresponds with this certificate as well. 

    Chad Rexin


    Thursday, September 22, 2016 8:37 PM
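
A diagnostic sketch for the two causes raised in this thread (which provider holds the certificate's private key, and who can read the key file), added here as an example and not posted by any participant. It relies on background not stated in the thread: the 2008 (v3) templates can place the key in a CNG key storage provider, which the RSACryptoServiceProvider call in the stack trace cannot open. `$Thumbprint` is a placeholder, the helper name `Get-CertutilField` is hypothetical, and English-language certutil output is assumed.

```powershell
# Added diagnostic example, not from the thread. Run elevated on the CRM server.
param(
    # Placeholder: thumbprint of the certificate selected for claims-based authentication
    [Parameter(Mandatory = $true)][string]$Thumbprint
)
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this server" }

# Return capture group 1 of the first certutil output line matching $Pattern
function Get-CertutilField([string[]]$Lines, [string]$Pattern) {
    $hit = $Lines | Select-String -Pattern $Pattern | Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value.Trim() }
}

# Assumes English-language certutil output ("Provider = ...", "Unique container name: ...")
$dump      = certutil.exe -store My $Thumbprint
$provider  = Get-CertutilField $dump '^\s*Provider = (.+)$'
$container = Get-CertutilField $dump '^\s*Unique container name: (.+)$'
if (-not $provider) { throw "certutil did not report a key provider for $Thumbprint" }

# CNG key storage providers cannot be opened through RSACryptoServiceProvider,
# the class whose GetKeyPair call fails in the stack trace.
if ($provider -match 'Key Storage Provider|Platform Crypto Provider') {
    $verdict = 'CNG key storage provider: expect "Invalid provider type specified"'
} else {
    $verdict = 'Legacy CSP: provider type is fine, check access to the key file'
}

# Machine key files: legacy CSP keys under RSA\MachineKeys, CNG software keys under Keys
$keyFile = $null
if ($container) {
    $keyFile = 'Microsoft\Crypto\RSA\MachineKeys', 'Microsoft\Crypto\Keys' |
        ForEach-Object { Join-Path (Join-Path $env:ProgramData $_) $container } |
        Where-Object { Test-Path -LiteralPath $_ } |
        Select-Object -First 1
}

[pscustomobject]@{
    Subject  = $cert.Subject
    Provider = $provider
    Verdict  = $verdict
    KeyFile  = $keyFile
} | Format-List

# The identity running the CRM application pool needs Read on this file
if ($keyFile) {
    (Get-Acl -LiteralPath $keyFile).Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
}
```

An empty `KeyFile` means the key is not stored as a file under either machine key folder, for example when it lives on a smart card or other hardware.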