You are viewing limited content. For full access, please sign in.

Question

Question

ID4037: The Key needed to verify the signature could not be resolved

asked on November 13, 2019

I am configuring the web client to use SSO in a DMZ environment. There is an STS on the same server as well as a Forms installation. Forms is configured to use SSO and is working as expected, but I am getting an error message in the web client. When I browse to the /Laserfiche address I click on the option to sign in using Directory Server and it takes me to the STS. After entering in a username and password it redirects me back to the Web Client page. In the Web Client-> Server-> Operational log it has the error ID4037: The key needed to verify the signature could not be resolved from the following security key identifier "SecurityKeyIdentifier...'

Has anyone seen that error before or have any ideas of how to fix it? I have verified that the Web Client IIS App Pool has full rights to the certificate in question.

0 0

Answer

SELECTED ANSWER
replied on January 3, 2020 Show version history

Adding DNS information to the web client's client.config file fixed this issue. It is located in the ..\Web Access\Web Files\client.config file.

0 0

Replies

replied on December 4 Show version history

Just in case it helps someone down the road, I ran into this same error recently and the issue was that the date/time between the DMZ server and the internal LFDS machine was different - LFDS was about 5 minutes and 10 seconds ahead of the DMZ server. The only place this error was logged was in the web client logs in Event Viewer - neither STS nor Forms said anything about it, even though Forms would result in the same redirect loop that the web client would when logging in.

This particular customer was in the middle of disaster recovery efforts and was running on off-site servers that just weren't quite in sync with other servers. Not quite the same symptom you had - we were getting a redirect loop when logging in and the app we would try to login to would never load. Same error message though. Nothing else had changed - certificates were still good, app pools still had proper permissions to the certificate. But I spent 3 hours on it so wanted to post it here to maybe save someone else that time!

1 0
replied on November 14, 2019 Show version history

Could you please post the full message from the error log, including the stack trace? Seeing the actual function throwing the error can sometimes provide more insight into what's happening.

0 0
replied on November 14, 2019

Log Name:      Laserfiche-WebClient-Server/Operational
Source:        Laserfiche-WebClient-Server
Date:          11/13/2019 10:21:46 PM
Event ID:      3
Task Category: ImportantError
Level:         Error
Keywords:      Session0,Session1,Session2,Session3
User:          IIS APPPOOL\WebAccessAppPool
Computer:      XXX
Description:
ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
    (
    IsReadOnly = False,
    Count = 1,
    Clause[0] = System.IdentityModel.Tokens.Saml2SecurityKeyIdentifierClause
    )
'. Ensure that the SecurityTokenResolver is populated with the required key.
Operation: /laserfiche/
  Message: Exception encountered, stack trace:
  Laserfiche.WebAccess.Global.Application_Error
  System.EventHandler.Invoke
  System.Web.HttpApplication.RaiseOnError
  System.Web.HttpApplication.RecordError
Exception details:
  Message: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
    (
    IsReadOnly = False,
    Count = 1,
    Clause[0] = System.IdentityModel.Tokens.Saml2SecurityKeyIdentifierClause
    )
'. Ensure that the SecurityTokenResolver is populated with the required key.
  Stack trace:    at System.IdentityModel.EnvelopedSignatureReader.ResolveSigningCredentials()
   at System.IdentityModel.EnvelopedSignatureReader.OnEndOfRootElement()
   at System.IdentityModel.EnvelopedSignatureReader.Read()
   at System.Xml.XmlReader.ReadEndElement()
   at System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ReadAssertion(XmlReader reader)
   at System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ReadToken(XmlReader reader)
   at System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
   at System.IdentityModel.Services.TokenReceiver.ReadToken(String tokenXml, XmlDictionaryReaderQuotas readerQuotas, FederationConfiguration federationConfiguration)
   at System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request)
   at System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)


Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Laserfiche-WebClient-Server" Guid="{e1931bbe-b561-55ce-776e-86d128b8cd81}" />
    <EventID>3</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>65531</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000f00000000000</Keywords>
    <TimeCreated SystemTime="2019-11-14T03:21:46.400494400Z" />
    <EventRecordID>319</EventRecordID>
    <Correlation />
    <Execution ProcessID="6192" ThreadID="6244" />
    <Channel>Laserfiche-WebClient-Server/Operational</Channel>
    <Computer>XXXX</Computer>
    <Security UserID="XXXX" />
  </System>
  <EventData>
    <Data Name="message">ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
    (
    IsReadOnly = False,
    Count = 1,
    Clause[0] = System.IdentityModel.Tokens.Saml2SecurityKeyIdentifierClause
    )
'. Ensure that the SecurityTokenResolver is populated with the required key.
Operation: /laserfiche/
  Message: Exception encountered, stack trace:
  Laserfiche.WebAccess.Global.Application_Error
  System.EventHandler.Invoke
  System.Web.HttpApplication.RaiseOnError
  System.Web.HttpApplication.RecordError
Exception details:
  Message: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
    (
    IsReadOnly = False,
    Count = 1,
    Clause[0] = System.IdentityModel.Tokens.Saml2SecurityKeyIdentifierClause
    )
'. Ensure that the SecurityTokenResolver is populated with the required key.
  Stack trace:    at System.IdentityModel.EnvelopedSignatureReader.ResolveSigningCredentials()
   at System.IdentityModel.EnvelopedSignatureReader.OnEndOfRootElement()
   at System.IdentityModel.EnvelopedSignatureReader.Read()
   at System.Xml.XmlReader.ReadEndElement()
   at System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ReadAssertion(XmlReader reader)
   at System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ReadToken(XmlReader reader)
   at System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
   at System.IdentityModel.Services.TokenReceiver.ReadToken(String tokenXml, XmlDictionaryReaderQuotas readerQuotas, FederationConfiguration federationConfiguration)
   at System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request)
   at System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&amp; completedSynchronously)

</Data>
  </EventData>
</Event>

0 0
replied on November 14, 2019

Can you run .\Program Files\Laserfiche\Web Access\EndpointUtility.exe and verify the STS config settings are correct/match what you did for Forms?

If you're using the LFDS Alternate Binding (certificate auth) which I think you are, double check that the correct cert is selected in the Web Client EndpointUtility config.

0 0
replied on November 14, 2019

Yes, the value in the Laserfiche Directory Server Address has the DMZ server address in it, there is no value in Service user's principal name, and the option for Alternate Service is selected with the correct Certificate selected.

0 0
replied on November 14, 2019

I noticed you said both the Internal and DMZ server are running Windows Server 2019 in the support case you filed for this issue. Server 2019 appears to disable TLS version 1.0 and 1.1 by default. Please try running the following PowerShell commands to force Web Client to use TLS 1.2:

# ----------------------------------------------------------------------
# Set .NET Framework Schannel (TLS) reg keys
# ----------------------------------------------------------------------
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -PropertyType 'DWord' -Force | Out-Null

Those set the last set of reg keys described here:

https://support.laserfiche.com/kb/1013919/configuration-information-for-tls-1-2

Might need to restart the server for the change to take effect.

0 0
replied on November 14, 2019 Show version history

Web Client 10.4.1 doesn't support authenticating with STS in the DMZ over TLS 1.2, but Forms 10.4.1 does.  If TLS1.0 and 1.1 are disabled on your server, that would explain why Forms can authenticate through STS but Web Client cannot. We added support for this in Web Client 10.4.2.

 

As a troubleshooting step, I'd recommend explicitly enabling TLS 1.1 on the DMZ machine and the LFDS machine (you can disable it again right after testing). To enable it, follow the directions here under 'Turn on TLS 1.2', except tweak the registry path for TLS 1.1 (i.e. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client, etc). Recycle the app pool or reset IIS after the registry change. If Web Client can authenticate after adding the keys with no other changes, the problem is TLS 1.2. Be sure to allow it under both Client and Server keys on DMZ and LFDS machine. 

 

0 0
replied on November 14, 2019

I ran the PowerShell script and restarted the server and I get the same result as before. I will try Ryan's suggestion next.

1 0
replied on November 14, 2019

Do I also need to follow the instructions under 'Enable TLS 1.2 by default for WinHTTP' and 'Block RC4 in .NET TLS'?

0 0
replied on November 14, 2019

You shouldn't. I recall that RC4 is blocked by default in Server 2019. I don't think WinHTTP plays any role in the STS handshake, though it certainly wouldn't hurt to enable TLS 1.2 there anyway. 

0 0
replied on November 14, 2019 Show version history

I followed the instructions from the KB article on both servers and followed Ryan's instructions, but no luck.

0 0
SELECTED ANSWER
replied on January 3, 2020 Show version history

Adding DNS information to the web client's client.config file fixed this issue. It is located in the ..\Web Access\Web Files\client.config file.

0 0
replied on January 3, 2020

Thanks for the update Blake, glad you were able to resolve the issue. Can you elaborate on what specifically "Adding DNS information" means here?

0 0
replied on January 3, 2020

The information is in the SSO whitepaper, but essentially adding the following:

<identity>
<dns value="company.com" />
</identity>

1 0
replied on July 15, 2020

Blake, do you recall where in the Web Client web.config file did you add the identity?

0 0
replied on July 15, 2020

You add it inside the affected endpoints:

<endpoint
address="https://subdomain.domain.net/SampleServiceName" …> 
  <identity>
    <dns value="www.subdomain.domain.net"/>
  </identity>
</endpoint>

 

1 0
replied on July 15, 2020

I couldn't find any 'endpoints' in the web.config file located in C:\Program Files\Laserfiche\Web Access\Web Files.

Am I looking at the wrong location? I only found the endpoints in the web.config for the WebSTS.

0 0
replied on March 6, 2021

I updated the answer to this thread to be more specific. It is located in the ..\Web Access\Web Files\client.config file.

0 0
replied on August 24, 2021

Just posting in case it's helpful.  We had the same issue today, and it ended up being exactly what Ryan at Laserfiche described above.  They have Forms and WebAccess on the DMZ.  WebAccess all of a sudden stopped working after a reboot.  Ended up determining from this post that Forms was on 10.4.3 and WebAccess had been left at 10.4.0 which does not support STS over TLS 1.2.  At some point their IT had disabled TLS 1.0 and 1.1 and did not take effect until the reboot happened.  Upgrading to Web Access 10.4.2 immediately resolved the problem.

2 0
replied on October 24, 2020

I have no idea here. We do not use www. as part of a subdomain so I don't think that is the problem. I am getting this error when trying to login and it really doesn't make any sense. What key? A key is just a term for something that opens a door. I need more context to troubleshoot this, it is such a random error.

0 0
You are not allowed to follow up in this post.

Sign in to reply to this post.