Troubleshooting EncryptData.ps1 Errors

  • Question

  • I'm attempting to use certificate-based password encryption for a workflow. 

    I generated a self-signed certificate via PowerShell: 

    New-SelfSignedCertificate -DnsName "mimservice.mydomain.com" -CertStoreLocation "cert:\LocalMachine\My"

    The certificate appears in the cert store:

    PS Cert:\LocalMachine\my> Get-ChildItem

       PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\my

    Thumbprint                                Subject
    ----------                                -------
    D85B98C4D14FC8C0C44B0318753A14348AAA1A9A  CN=mimservice.mydomain.com
    85C2F2ED90C98299D2D0F461FB6707FCFCE0590F  CN=ForefrontIdentityManager


    I've modified the necessary variables in EncryptData.ps1:

    $walAssemblyVersion = "2.18.318.0"
    $walAssemblyPublicKeyToken = "2139d2e06022f230"
    $encryptionCertThumbprint = "D85B98C4D14FC8C0C44B0318753A14348AAA1A9A" # cert to be used for encryption (from the cert:\localmachine\my\ store).

    When I execute the script, I receive the following error:

    Exception calling "DecryptData" with "1" argument(s): "Invalid provider type specified.
    "
    At F:\SolutionOutput\EncryptData.ps1:44 char:5
    +     $decryptedData = [MicrosoftServices.IdentityManagement.WorkflowAc ...
    +     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : CryptographicException

    $encryptedDataConfig contains what I believe is the proper syntax (cert:\localmachine\my\%thumbprint%,%encrypteddata%), so what is the meaning of the error message?  Is there something wrong with my self-signed certificate?

    Tuesday, August 7, 2018 8:03 PM

Answers

  • .NET 3.5 - the version that MIM and MIMWAL supports - does not natively support CNG certs. I'm guessing that is the reason for this error. Try creating the cert using legacy CSP by specifying the -Provider parameter on the New-SelfSignedCertificate cmdlet. You could specify Microsoft Strong Cryptographic Provider and try.
    Wednesday, August 8, 2018 11:10 AM

All replies

  • Thanks Nilesh -- I managed to generate the certificate by specifying the correct provider.

    Edit: https://social.technet.microsoft.com/Forums/en-US/35879a39-ce7d-4509-8baa-f237f70ca1e5/run-powershell-script-activity-keyset-does-not-exist?forum=Mimwal is useful for those who have made it this far.

    I had to modify the cert permissions on the Portal server to allow the account creating the workflow to have read access to the cert.

    • Edited by Chad_Cross Wednesday, August 8, 2018 9:26 PM
    Wednesday, August 8, 2018 8:17 PM
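The accepted answer (create the certificate on a legacy CSP rather than a CNG key storage provider) and Chad's follow-up (give the workflow account read access to the private key) combined into one script. This is an added example, not code from the thread or from MIMWAL's EncryptData.ps1; the DNS name, the account name and the MachineKeys path for the key file are assumptions, and the provider name is the one suggested in the answer.

```powershell
# Assumed values for this example; replace with your own.
$dnsName         = "mimservice.mydomain.com"
$workflowAccount = "MYDOMAIN\svc-mimworkflow"   # placeholder: account that creates/runs the workflow

# -Provider selects the legacy CSP instead of the default CNG key storage provider,
# which .NET 3.5 cannot open. -KeySpec KeyExchange marks the key usable for decryption.
$cert = New-SelfSignedCertificate -DnsName $dnsName `
    -CertStoreLocation "cert:\LocalMachine\My" `
    -Provider "Microsoft Strong Cryptographic Provider" `
    -KeySpec KeyExchange -KeyLength 2048

function Get-CspKeyInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # On .NET Framework, X509Certificate2.PrivateKey only understands CSP keys; on a
    # CNG key the getter throws the same "Invalid provider type specified" error that
    # DecryptData reported in the question. Returns CspKeyContainerInfo or $null.
    try {
        $key = $Certificate.PrivateKey
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            return $key.CspKeyContainerInfo
        }
        return $null
    } catch {
        Write-Warning "Private key is not CSP-backed: $($_.Exception.Message)"
        return $null
    }
}

$info = Get-CspKeyInfo -Certificate $cert
if (-not $info) { throw "Recreate the certificate with a legacy CSP provider." }
"Thumbprint $($cert.Thumbprint) uses CSP '$($info.ProviderName)'"

# Machine-store CSP keys are stored as files under MachineKeys (assumed default path).
# The workflow account needs Read on that file, otherwise decryption fails with
# "Keyset does not exist" as described in the linked thread.
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $info.UniqueKeyContainerName
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($workflowAccount, "Read", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl
"Granted Read on $keyFile to $workflowAccount"
```

Run it in an elevated PowerShell on the Portal server; the thumbprint it prints is the value for $encryptionCertThumbprint in EncryptData.ps1.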