MIM WAL PowerShell Execution Certificate Error

  • Question

  • Hi All,

    I am getting the following error while running a PowerShell command from MIM WAL. We have two MIM instances with MIM services running and a load balancer in front. The command runs successfully from one MIM instance (where I had run the DPAPI based password encryption) but fails from the second instance. I had tried the following steps.

    a- Imported the certificate being used for accessing the MIM portal URL (configured in IIS for the MIM URL) to the local computer from the MMC snap-in. From Advanced tasks, I gave rights to the service account (running the command from PowerShell). I had done this for both instances and restarted IIS.

    Can anyone guide me in this regard?

    RunPowerShellScript : RunScript: Exception in 'RunPowerShellScript : RunScript'. Details: MicrosoftServices.IdentityManagement.WorkflowActivityLibrary.Exceptions.CryptographicException: Key not valid for use in specified state.

    ---> System.Security.Cryptography.CryptographicException: Key not valid for use in specified state.

    Friday, February 28, 2020 8:22 AM

All replies

  • You can use the script to test out if you have the right setup - same certificate (thumbprint) across both servers and the imported cert is imported with private keys for the certificate.

    I'd advise not to use MIM Portal SSL cert but use a self-signed cert as an admin might just choose to delete expired SSL certs.

    Friday, February 28, 2020 12:54 PM
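One way to run the check described in the reply above (same thumbprint on both servers, and the certificate imported with its private key) from a single console, as an added example that is not part of this thread or of the MIM WAL scripts. The host names are placeholders; it assumes PowerShell remoting is enabled on both MIM servers and that the certificate is in the LocalMachine\My store.

```powershell
# Added example, not from the thread or the MIM WAL project.
# Compares one certificate (by thumbprint) across the two MIM servers and
# reports whether it exists and whether a private key is attached to it.
param(
    [Parameter(Mandatory)] [string]   $Thumbprint,
    [string[]] $ComputerName = @('MIMSRV01', 'MIMSRV02')   # placeholder host names
)

# Thumbprints are stored as upper-case hex without spaces; normalise the input.
$Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()

$check = {
    param($tp)
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $tp } |
        Select-Object -First 1

    $found   = [bool] $cert
    $hasKey  = $false
    $subject = $null
    $expires = $null
    if ($found) {
        $hasKey  = $cert.HasPrivateKey   # false when the cert was imported without the .pfx private key
        $subject = $cert.Subject
        $expires = $cert.NotAfter
    }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Found         = $found
        HasPrivateKey = $hasKey
        NotAfter      = $expires
        Subject       = $subject
    }
}

# Run the same check on every server and collect the rows.
$results = foreach ($c in $ComputerName) {
    Invoke-Command -ComputerName $c -ScriptBlock $check -ArgumentList $Thumbprint
}

$results | Format-Table Computer, Found, HasPrivateKey, NotAfter, Subject -AutoSize

# A node where the cert is missing, or present without its private key, cannot
# decrypt data that was encrypted against this certificate on the other node.
$bad = $results | Where-Object { -not $_.Found -or -not $_.HasPrivateKey }
if ($bad) {
    Write-Warning ("Certificate $Thumbprint is missing or has no private key on: " +
                   (($bad | ForEach-Object { $_.Computer }) -join ', '))
}
```

Run it with the thumbprint of the encryption certificate (for example `.\Check-MimCert.ps1 -Thumbprint 'AB12...'`). If one server reports `HasPrivateKey = False`, the certificate was imported from a public-key-only file (.cer) and needs to be re-imported from the .pfx; the MIM service account also still needs read access to that private key on each node.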
  • Hi Nilesh,

    Thanks for the reply. How can I assure the same certificate thumbprint across the 2 servers? Also, it is not clear which keys it uses to encode the data <\mimservice_account>..\..\roaming\microsoft\crypto\rsa\files.

    If these files are used, can I copy them to the second instance in the same folder structure?

    Sorry for this question, as I have limited knowledge about this.

    Friday, February 28, 2020 2:38 PM
  • I think now I understand what you are doing. No, you cannot use DPAPI based encryption without going through additional hoops. Check the instructions in the EncryptData.ps1 script located in the scripts folder.

    Better to use certificate based encryption. Also described in EncryptData.ps1.

    Friday, February 28, 2020 2:47 PM