System.Security.Cryptography.CryptographicException: An internal error occurred

Hi Chris,

What user account is the Octopus Portal application pool running as under IIS? Does changing it to Local Service work? It sounds like the account may be missing some permissions.

Paul

I did change the user account that the site was running as to a domain account (that is also a local admin on the Octopus web server) so that we could read the NuGet feed on a file share on a different server. I did change the credentials back to LocalService and the “Environments” and “Certificates” links are now working, but my NuGet feed location is not.

Specifying the security credentials did not seem to work for the NuGet feed.

After changing the AppPool credential to the domain user I started to see my NuGet packages on the remote server. But I can no longer access those two directories.

Hi Chris,

Awesome, that narrows it down. Can you try changing back to the domain user, and also making the domain user a local administrator on the machine? That should allow it to read private keys from the cert store.

Paul


From: Chris Inman
Sent: 17/07/2012 18:25
To: Paul Stovell
Subject: Re: System.Security.Cryptography.CryptographicException: An internal error occurred. [Problems]

Sorry Chris, I just saw that you already said the user is a local admin. I’ll get back to you

Paul

Hi Chris,

In your App Pool settings, after changing the user identity to your custom domain user/local admin, is “Load User Profile” set to true?

Paul

Changing back to the domain user with the Admin rights on the Octopus Web server and restarting IIS fixed the NuGet feeds but once again broke “Environments” and “Certificates”.

Let me know, thanks
Chris

It is set to false, see screen shot below:

Chris

Thanks Chris,

Does changing it to ‘true’ and performing an IISReset fix the issue?

I suspect the user profile needs to be loaded so that the account can access its certificate key store.

Paul

I set the value to ‘true’ and ran IISReset, still no luck.

The profile for the user is a temporary profile.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Security.Cryptography.CryptographicException: The profile for the user is a temporary profile.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[CryptographicException: The profile for the user is a temporary profile.
]
System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr) +41
System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromFile(String fileName, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx) +0
System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags) +372
Octopus.Core.Model.Security.Certificate.Decode(String base64Encoded) in c:\BuildAgent\work\7bf5272a44079f5\source\Octopus.Core\Model\Security\Certificate.cs:44
Octopus.Core.Model.Security.Certificate.CreateX509Certificate() in c:\BuildAgent\work\7bf5272a44079f5\source\Octopus.Core\Model\Security\Certificate.cs:32
Octopus.Portal.Models.Environments.EnvironmentListModelBuilder.CreateFrom(IList`1 environments, Certificate certificate) in c:\BuildAgent\work\7bf5272a44079f5\source\Octopus.Portal\Models\Environments\EnvironmentListModelBuilder.cs:14
Octopus.Portal.Controllers.EnvironmentsController.Index() in c:\BuildAgent\work\7bf5272a44079f5\source\Octopus.Portal\Controllers\EnvironmentsController.cs:28
lambda_method(Closure , ControllerBase , Object[] ) +79
System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) +248
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +39
System.Web.Mvc.<>c__DisplayClass15.<InvokeActionMethodWithFilters>b__12() +125
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func`1 continuation) +640
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func`1 continuation) +640
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func`1 continuation) +640
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func`1 continuation) +640
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func`1 continuation) +640
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func`1 continuation) +640
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodWithFilters(ControllerContext controllerContext, IList`1 filters, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +312
System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName) +691
System.Web.Mvc.Controller.ExecuteCore() +162
System.Web.Mvc.ControllerBase.Execute(RequestContext requestContext) +305
System.Web.Mvc.<>c__DisplayClassb.b__5() +62
System.Web.Mvc.Async.<>c__DisplayClass1.b__0() +20
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +469
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +375

Hi Chris,

Thanks for the update, I’ll do a release in about an hour that should hopefully fix this issue.

Paul


From: Chris Inman
Sent: 17/07/2012 19:41
To: Paul Stovell
Subject: Re: System.Security.Cryptography.CryptographicException: An internal error occurred. [Problems]

Sounds good, thanks Paul.

Hi Chris,

Can you try installing this version of Octopus, to see if the issue is fixed?

Paul

I’ll give it a shot when I get to the office in the morning. I had problems when pointing to the releases on the file share during a test deployment with 6 packages: 3 releases failed in a row because the packages couldn’t be found during the download phase but showed up in the UI. Once I manually copied the files locally to the Octopus web server and changed the feed, the 6 packages deployed successfully. The AppPool is running as the domain user with full rights to the remote share and the Octopus server.

Chris

No joy on accessing “Environments” or “Certificates” after the update to 1.019.1297. Package pull from the remote server is also still throwing errors; when I copy the packages local to the web server they work fine.

Pulling packages local to the web server-GOOD

Download package WebAdmin.Web 3.3.2.13359 from NuGet feed: LocalFeed Prototype
2012-07-18 12:29:19 INFO Downloading NuGet package WebAdmin.Web 3.3.2.13359 from feed: 'C:\Octopus\Builds\USAJ-Prototype'
2012-07-18 12:29:19 DEBUG Downloaded packages will be stored in: C:\Octopus\Data\PackageCache
2012-07-18 12:29:19 DEBUG Finding package (attempt 1 of 5)
2012-07-18 12:29:20 DEBUG Found package WebAdmin.Web version 3.3.2.13359
2012-07-18 12:29:20 DEBUG Downloading to: C:\Octopus\Data\PackageCache\WebAdmin.Web.3.3.2.13359_592A07151B6AF74186225E6EFB492023.nupkg
2012-07-18 12:29:20 DEBUG SHA1 hash is: 7d3fb5cceeb418e2f7d53d8fd99bcb42d81f84d6
2012-07-18 12:29:20 INFO Download complete.

Pulling packages from remote share-BAD

2012-07-18 12:53:16 ERROR Unable to download package: Could not find package WebAdmin.Web 3.3.2.13359 in feed: '\remoteServer\Builds\USAJ-Prototype' System.Exception: Could not find package WebAdmin.Web 3.3.2.13359 in feed: '\remoteServer\Builds\USAJ-Prototype'
at Octopus.Server.Tasks.Deploy.DownloadPackageActivity.FindPackage(Int32 attempt) in c:\BuildAgent\work\7bf5272a44079f5\source\Octopus.Server\Tasks\Deploy\DownloadPackageActivity.cs:line 118
at Octopus.Server.Tasks.Deploy.DownloadPackageActivity.AttemptToFindAndDownloadPackage(Int32 attempt, String cacheDirectory, IPackage& downloadedPackage, String& path) in c:\BuildAgent\work\7bf5272a44079f5\source\Octopus.Server\Tasks\Deploy\DownloadPackageActivity.cs:line 98
at Octopus.Server.Tasks.Deploy.DownloadPackageActivity.AttemptToDownload() in c:\BuildAgent\work\7bf5272a44079f5\source\Octopus.Server\Tasks\Deploy\DownloadPackageActivity.cs:line 62
2012-07-18 12:53:17 DEBUG Finding package (attempt 2 of 5)

Accessing “Environments” or “Certificates”

Server Error in ‘/’ Application.

The profile for the user is a temporary profile.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Security.Cryptography.CryptographicException: The profile for the user is a temporary profile.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[CryptographicException: The profile for the user is a temporary profile.
]
System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr) +41
System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromFile(String fileName, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx) +0
System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags) +372
Octopus.Core.Model.Security.Certificate.Decode(String base64Encoded) in c:\BuildAgent\work\7bf5272a44079f5\source\Octopus.Core\Model\Security\Certificate.cs:44
Octopus.Core.Model.Security.Certificate.CreateX509Certificate() in c:\BuildAgent\work\7bf5272a44079f5\source\Octopus.Core\Model\Security\Certificate.cs:32
Octopus.Portal.Models.Environments.EnvironmentListModelBuilder.CreateFrom(IList`1 environments, Certificate certificate) in c:\BuildAgent\work\7bf5272a44079f5\source\Octopus.Portal\Models\Environments\EnvironmentListModelBuilder.cs:14
Octopus.Portal.Controllers.EnvironmentsController.Index() in c:\BuildAgent\work\7bf5272a44079f5\source\Octopus.Portal\Controllers\EnvironmentsController.cs:28
lambda_method(Closure , ControllerBase , Object[] ) +79
System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) +248
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +39
System.Web.Mvc.<>c__DisplayClass15.<InvokeActionMethodWithFilters>b__12() +125
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func`1 continuation) +640
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func`1 continuation) +640
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func`1 continuation) +640
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func`1 continuation) +640
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func`1 continuation) +640
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func`1 continuation) +640
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodWithFilters(ControllerContext controllerContext, IList`1 filters, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +312
System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName) +691
System.Web.Mvc.Controller.ExecuteCore() +162
System.Web.Mvc.ControllerBase.Execute(RequestContext requestContext) +305
System.Web.Mvc.<>c__DisplayClassb.b__5() +62
System.Web.Mvc.Async.<>c__DisplayClass1.b__0() +20
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +469
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +375

Hi Chris,

Thanks for doing the shared screen session with me today, I believe this is resolved.

For anyone else who comes across this issue, the problem seemed to be that the domain user was being assigned a profile path of C:\Users\Temp instead of C:\Users\<username>.

To resolve it, we:

  1. Stopped all services that were using the account, so that it was not logged in anymore
  2. Logged in to the machine interactively as that account
  3. Checked that the path was no longer C:\Users\Temp
  4. Switched the services to use the domain user again, and started them

As to why the user was given a temporary profile in the first place, I’m not sure, but once we were able to log on interactively it seemed to go away.

The profile is needed because private keys are temporarily loaded into the user’s profile when the application is running, which is not supported when the user is running under a temporary profile.

Paul
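
One way to check the profile path from step 3, and the app pool's "Load User Profile" setting discussed earlier in the thread, without logging on interactively. This is an added example, not part of the original posts or Octopus code; the function name, account name and app pool name are placeholders.

```powershell
# Added example. 'CONTOSO\svc-octopus' and 'OctopusPortal' are placeholders.
function Test-ServiceAccountProfile {
    param(
        [Parameter(Mandatory)] [string] $Account,   # DOMAIN\user the service or app pool runs as
        [string] $AppPool                           # optional IIS application pool name
    )

    # Profiles are keyed by SID, so resolve the account name first.
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # WMI view of the profile: LocalPath is the folder Windows assigned to it.
    $userProfile = Get-CimInstance Win32_UserProfile -Filter "SID = '$sid'"

    # Registry view of the same path.
    $key     = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
    $regPath = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ProfileImagePath

    # Status bit 1 marks a temporary profile; also match C:\Users\TEMP or TEMP.<suffix>.
    $isTemp = (($userProfile.Status -band 1) -ne 0) -or
              ($userProfile.LocalPath -match '\\TEMP(\.[^\\]*)?$') -or
              ($regPath -match '\\TEMP(\.[^\\]*)?$')

    $result = [pscustomobject]@{
        Account         = $Account
        Sid             = $sid
        LocalPath       = $userProfile.LocalPath   # empty if the account has no profile yet
        RegistryPath    = $regPath
        Loaded          = $userProfile.Loaded
        IsTemporary     = $isTemp
        LoadUserProfile = $null
    }

    if ($AppPool) {
        # Requires the IIS WebAdministration module on the web server.
        Import-Module WebAdministration
        $result.LoadUserProfile = (Get-Item "IIS:\AppPools\$AppPool").processModel.loadUserProfile
    }
    return $result
}

Test-ServiceAccountProfile -Account 'CONTOSO\svc-octopus' -AppPool 'OctopusPortal'
```

Run it from an elevated prompt on the Octopus web server; `IsTemporary` should be `False` and `LocalPath` should point at the account's own folder before the services are switched back to the domain user.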

Use this code

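// MachineKeySet stores the private key in the machine key store
// rather than in the current user's profile.
certificate = new X509Certificate2(
    System.IO.File.ReadAllBytes(p12File),
    p12FilePassword,
    X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);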

I got the same error after installing the latest, how do you verify #3?

  3. Checked that the path was no longer C:\Users\Temp

Just received this error on a new install. Changing the Octopus Portal Application Pool identity to LocalService solved it.

Thanks all, we should have this finally fixed in our next release.

Paul