GetAzureADAppOnlyAuthenticatedContext sometimes fails with error "Keyset does not exist"

%3CLINGO-SUB%20id%3D%22lingo-sub-1550591%22%20slang%3D%22en-US%22%3EGetAzureADAppOnlyAuthenticatedContext%20sometimes%20fails%20with%20error%20%22Keyset%20does%20not%20exist%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1550591%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20use%20this%20version%20of%20the%20method%20to%20access%20SPO%20in%20App%20Only%20context%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fdotnet%2Fapi%2Fofficedevpnp.core.authenticationmanager.getazureadapponlyauthenticatedcontext%3Fview%3Dsharepointpnpcoreonline-2.18.1709.0%23OfficeDevPnP_Core_AuthenticationManager_GetAzureADAppOnlyAuthenticatedContext_System_String_System_String_System_String_System_Security_Cryptography_X509Certificates_X509Certificate2_OfficeDevPnP_Core_AzureEnvironment_%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EGetAzureADAppOnlyAuthenticatedContext(String%2C%20String%2C%20String%2C%20X509Certificate2%2C%20AzureEnvironment)%3C%2FA%3E%3C%2FP%3E%0A%3CP%3EThis%20works%20most%20of%20the%20times%20(80-90%20%25%20of%20calls%20succeed)%20but%20sometimes%20it%20fails%20with%20an%20error%20%22Keyset%20does%20not%20exist%22.%20Additional%20details%20below%3C%2FP%3E%0A%3CP%3EOur%20code%20is%20written%20in%20.Net%204.6%20and%20is%20running%20on%20Windows%20Server%202016%3C%2FP%3E%0A%3CP%3EHas%20anyone%20seen%20this%20before%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMessage%20-%20Type%20%3D%20System.Security.Cryptography.CryptographicException%3C%2FP%3E%0A%3CP%3EMessage%20%3D%20Keyset%20does%20not%20exist%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESource%20%3D%20mscorlib%3C%2FP%3E%0A%3CP%3ETargetSite%20%3D%20System.Security.Cryptography.SafeProvHandle%20CreateProvHandle(System.Security.Cryptography.CspParameters%2C%20Boolean)%3C%2FP%3E%0A%3CP%3EStackTrace%20%3D%26nbsp%3B%26nbsp%3B%26nbsp%3B%20at%20System.Security.Cryptography.Utils.CreateProvHandle(CspParameters%20parameters%2C%20Boolean%20randomKeyContainer)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%20at%20System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType%20keyType%2C%20CspParameters%20parameters%2C%20Boolean%20randomKeyContainer%2C%20Int32%20dwKeySize%2C%20SafeProvHandle%26amp%3B%20safeProvHandle%2C%20SafeKeyHandle%26amp%3B%20safeKeyHandle)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%20at%20System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%20at%20System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32%20dwKeySize%2C%20CspParameters%20parameters%2C%20Boolean%20useDefaultKeySize)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%20at%20System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%20at%20System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%20at%20System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetAsymmetricAlgorithm(String%20algorithm%2C%20Boolean%20privateKey)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%20at%20Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Platform.CryptographyHelper.SignWithCertificate(String%20message%2C%20X509Certificate2%20certificate)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%20at%20Microsoft.IdentityModel.Clients.ActiveDirectory.ClientAssertionCertificate.Sign(String%20message)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%20at%20Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.ClientCreds.JsonWebToken.Sign(IClientAssertionCertificate%20credential%2C%20Boolean%20sendX5C)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%20at%20Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.ClientCreds.ClientKey.AddToParameters(IDictionary%602%20parameters)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%20at%20Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.%3CSENDTOKENREQUESTASYNC%3Ed__69.MoveNext()%3C%2FSENDTOKENREQUESTASYNC%3E%3C%2FP%3E%0A%3CP%3E---%20End%20of%20stack%20trace%20from%20previous%20location%20where%20exception%20was%20thrown%20---%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%20at%20System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task%20task)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%20at%20System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task%20task)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%20at%20Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.%3CCHECKANDACQUIRETOKENUSINGBROKERASYNC%3Ed__59.MoveNext()%3C%2FCHECKANDACQUIRETOKENUSINGBROKERASYNC%3E%3C%2FP%3E%0A%3CP%3E---%20End%20of%20stack%20trace%20from%20previous%20location%20where%20exception%20was%20thrown%20---%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%20at%20System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task%20task)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%20at%20System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task%20task)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%20at%20System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task%20task)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%20at%20Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.%3CRUNASYNC%3Ed__57.MoveNext()%3C%2FRUNASYNC%3E%3C%2FP%3E%0A%3CP%3E---%20End%20of%20stack%20trace%20from%20previous%20location%20where%20exception%20was%20thrown%20---%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%20at%20System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task%20task)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%20at%20System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task%20task)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%20at%20Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.%3CACQUIRETOKENFORCLIENTCOMMONASYNC%3Ed__33.MoveNext()%3C%2FACQUIRETOKENFORCLIENTCOMMONASYNC%3E%3C%2FP%3E%0A%3CP%3E---%20End%20of%20stack%20trace%20from%20previous%20location%20where%20exception%20was%20thrown%20---%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%20at%20System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task%20task)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%20at%20System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task%20task)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%20at%20Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.%3CACQUIRETOKENASYNC%3Ed__58.MoveNext()%3C%2FACQUIRETOKENASYNC%3E%3C%2FP%3E%0A%3CP%3E---%20End%20of%20stack%20trace%20from%20previous%20location%20where%20exception%20was%20thrown%20---%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%20at%20System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task%20task)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%20at%20System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task%20task)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%20at%20OfficeDevPnP.Core.AuthenticationManager.%26lt%3B%26gt%3Bc__DisplayClass46_0.%3CGETAZUREADAPPONLYAUTHENTICATEDCONTEXT%3Eb__0(Object%20sender%2C%20WebRequestEventArgs%20args)%3C%2FGETAZUREADAPPONLYAUTHENTICATEDCONTEXT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1552524%22%20slang%3D%22en-US%22%3ERe%3A%20GetAzureADAppOnlyAuthenticatedContext%20sometimes%20fails%20with%20error%20%22Keyset%20does%20not%20exist%26amp%3Bqu%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1552524%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F4402%22%20target%3D%22_blank%22%3E%40Tomasz%20Janczak%3C%2FA%3EWe%20are%20encountering%20the%20exact%20same%20issue%20for%20a%20WebJob%20running%20from%20an%20Azure%20App%20Service.%3C%2FP%3E%3CP%3EWe%20are%20using%20an%20application%20built%20with%20.NET%20version%204.7.2%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERerun%20of%20the%20WebJob%20often%20continues%20without%20error%2C%20but%20the%20scheduled%20job%20fails%20regularly.%3C%2FP%3E%3CP%3EWould%20appreciate%20an%20update%20if%20a%20solution%20is%20found.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1891641%22%20slang%3D%22en-US%22%3ERe%3A%20GetAzureADAppOnlyAuthenticatedContext%20sometimes%20fails%20with%20error%20%22Keyset%20does%20not%20exist%26amp%3Bam%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1891641%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F2260%22%20target%3D%22_blank%22%3E%40Jean-Marie%20Geeraerts%3C%2FA%3E%26nbsp%3BHi%20There%2C%20I%20am%20also%20facing%20the%20same%20issue%20intermittently%20on%20web%20jobs%20consuming%20SharePoint%20%2C%20did%20u%20happen%20to%20find%20a%20fix%20for%20this%20issue%20by%20any%20chance.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1892186%22%20slang%3D%22en-US%22%3ERe%3A%20GetAzureADAppOnlyAuthenticatedContext%20sometimes%20fails%20with%20error%20%22Keyset%20does%20not%20exist%26amp%3Bam%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1892186%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F795880%22%20target%3D%22_blank%22%3E%40arpn_00%3C%2FA%3E%26nbsp%3Bunfortunately%20I%20didn't%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

We use this version of the method to access SPO in App Only context GetAzureADAppOnlyAuthenticatedContext(String, String, String, X509Certificate2, AzureEnvironment)

This works most of the times (80-90 % of calls succeed) but sometimes it fails with an error "Keyset does not exist". Additional details below

Our code is written in .Net 4.6 and is running on Windows Server 2016

Has anyone seen this before?

 

Message - Type = System.Security.Cryptography.CryptographicException

Message = Keyset does not exist

 

Source = mscorlib

TargetSite = System.Security.Cryptography.SafeProvHandle CreateProvHandle(System.Security.Cryptography.CspParameters, Boolean)

StackTrace =    at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)

   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)

   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()

   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)

   at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()

   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()

   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetAsymmetricAlgorithm(String algorithm, Boolean privateKey)

   at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Platform.CryptographyHelper.SignWithCertificate(String message, X509Certificate2 certificate)

   at Microsoft.IdentityModel.Clients.ActiveDirectory.ClientAssertionCertificate.Sign(String message)

   at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.ClientCreds.JsonWebToken.Sign(IClientAssertionCertificate credential, Boolean sendX5C)

   at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.ClientCreds.ClientKey.AddToParameters(IDictionary`2 parameters)

   at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<SendTokenRequestAsync>d__69.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<CheckAndAcquireTokenUsingBrokerAsync>d__59.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)

   at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<RunAsync>d__57.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenForClientCommonAsync>d__33.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenAsync>d__58.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at OfficeDevPnP.Core.AuthenticationManager.<>c__DisplayClass46_0.<GetAzureADAppOnlyAuthenticatedContext>b__0(Object sender, WebRequestEventArgs args)

 

3 Replies

@Tomasz JanczakWe are encountering the exact same issue for a WebJob running from an Azure App Service.

We are using an application built with .NET version 4.7.2

 

Rerun of the WebJob often continues without error, but the scheduled job fails regularly.

Would appreciate an update if a solution is found.

@Jean-Marie Geeraerts Hi There, I am also facing the same issue intermittently on web jobs consuming SharePoint , did u happen to find a fix for this issue by any chance.