CryptographicException Error Connecting SharePoint 2007 and ADFS 2.0 Using Domain App Pool User with SharePoint

When attempting to connect ADFS 2.0 and SharePoint 2007 most of the documentation assumes you are using the NetworkService account to run the application pools for the SharePoint content web applications.  In a real world environment though a domain user is probably running the app pools.

Tech Specs:

SharePoint Version: 2007
ADFS Version: 2.0
Server OS: 2008R2

ADFS URL: https://lab-adfs.defenseready.local/
SharePoint 2007 URL: https://ext.defenseready.local/
SharePoint App Pool User: defenseready\spapppool

What Happens:

Users opens the browser and navigates to the site.

Enter user information and click Sign In

The user now is presented with the error that An unexpected error has occurred.

How to diagnose:

In order to diagnose we will need to update the web.config for the SharePoint site.

First find the CallStack attribute and set it to true
Secondly change the customErrors mode attribute to Off
Error:

When we repeat the steps earlier and try to access the site we can now see the full error.


SharePoint is reporting a CryptographicException

 How to Resolve:

In order to give the application pool the correct rights to load the certificates we need to update the application pool settings.   Specifically we need to update the Load User Profile setting to True.


 After you have updated this restart IIS and give it another try.

Comments

Post a Comment

Popular posts from this blog

Add User As Local Administrator On Domain Controller

I recently was settting up a new Microsoft SharePoint 2010 machine and had promoted the machine to a domain controller before creating my SharePoint admin accounts.  I needed to add several of my accounts to the local Administrators group.  Unfortunately after you promote a server to a domain controller you can no longer access the GUI for Local Users and Groups.  Instead I had to use the command line to add the users. Open a command promt using the "Run as administrator" function and then run the following command. net localgroup Administrators /add {domain}\{user} Note: do not include the {} brackets.
Read more

Calling Dataverse Web API in PowerShell using Client Credentials

Image
Connecting to Dataverse using PowerShell can be very helpful for data migrations and use within Azure DevOps. Connecting to an instance in a non-interactive way can be tricky though. This article will provide you the links you need for creation and App registration and adding the app user to your environment. You can then utilize the script provided to call Web API requests including ones you define using the new Custom API functionality now available. The script was written so that it is not dependent on any outside libraries such as the Microsoft.Xrm.Tooling connector. This is helpful in situation where involving an outside library will slow down your deployment time by having to be approved in a change control board. If utilizing an outside code library is not a concern you can create a connection to Dataverse utilizing the Microsoft.Xrm.Tooling connector Get-CrmConnection cmdlet. Create App Registration The first thing to do is create an App Registration within Azure AD for ...
Read more

Windows Server 2008R2 VMs Shut Down After 1 to 2 Hours

Image
When created a lab environment to test ADFS 2.0 I utilized the Windows 2008R2 VM baselines distributed by Microsoft.  After a few days I was told that I had to activate.  The VMs included a 180 day license for use but I didn't feel like adding another network adapter into Hyper-V to connect them to the internet.  I started having issues though where the servers would shut down every hour or so.  I though that maybe there was a memory issue and Hyper-V was shutting them down in order to free up RAM.  Turns out that if Server 2008R2 is not activated it automatically shuts down after a period of time.  After connecting the server to the internet and activating them the problem went away. Finally the madness of the unknown shut downs has ended :)
Read more