Use a certificate for an external IDP in a cluster environment

When you install XProtect in a single-server environment, the external IDP configuration data is protected using Data Protection API (DPAPI). If you set up the management server in a cluster, the external IDP configuration data must be protected with a certificate to ensure fluent node failover.

For more information about how to generate a certificate, see The Milestone guide about certificates.

You must import the certificate to the personal certificate store and make the certificate trusted on the computer.

To set up the data protection you must add the thumbprint of the certificate to the Identity Provider configuration.

  1. Import the certificate to the personal certificate store and ensure that:

    • the certificate is valid

    • the Identity Provider app pool (IDP) account has permissions to the certificate private key.

    For more information about how to verify if the account has permissions to the certificate private key, see The Milestone guide about certificates.

  2. Locate the appsettings.json file in the installation path of the Identity Provider ([Install path]\Milestone\XProtect Management Server\IIS\Identity Provider).

  3. Set the certificate thumbprint in the section:

     "DataProtectionSettings": {
       "ProtectKeysWithCertificate": {
         "Thumbprint": ""
       }
     },

  4. Repeat step 3 on all management server nodes.

  5. Enforce a node failover to ensure that the certificate setup is correct.

  6. Log in again using the management client and apply the external provider configuration. If the configuration is already applied, you must re-enter the client secret from the external IDP in the management client.

Troubleshooting errors when an external IDP configuration is protected with a certificate

Invalid certificate/expired certificate

If the configured thumbprint refers to a certificate that is not trusted or has expired, the Identity Provider cannot start. The Identity Provider log (C:\ProgramData\Milestone\Identity Provider\Logs\Idp.log) will clearly state if the certificate is invalid.

Solution:

Make sure that the certificate is valid and trusted on the computer.

Missing permissions to certificate private keys

The Identity Provider cannot protect data without permissions to the private keys. If the Identity Provider does not have the permission, the following error message is written to the log file of the Identity Provider (C:\ProgramData\Milestone\Identity Provider\Logs\Idp.log):

ERROR- An exception occurred while processing the key element '<key id="[installation specific]" version="1" />'. Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Keyset does not exist

Solution:

Make sure the Identity Provider app pool (IDP) account has permissions to the certificate private keys.

Check permissions to a certificate private key:

  1. Select Start on the Windows task bar and open the Manage computer certificates tool (certlm.msc).

  2. Navigate to the personal certificate store and find the certificate that is used for the encryption.

  3. Right-click on the certificate, and select All Tasks > Manage Private Keys.

  4. Under Permissions for, ensure that the Identity Provider app pool (IDP) account has read permissions.
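The following script is an added example, not Milestone tooling: it automates the checks from step 1 of the setup procedure and the private key permission check above (validity, chain trust, private key readable by the app pool account), then writes the thumbprint into appsettings.json as in step 3. It assumes the IDP app pool identity is named "IIS AppPool\IDP", that [Install path] is supplied as a parameter, and that the private key file lives under the standard %ProgramData%\Microsoft\Crypto locations.

```powershell
# Added example (not Milestone's own code). Run elevated on each management server node.
# Assumptions: $AppPoolAccount is the IDP app pool identity; $InstallPath is the [Install path].
param(
    [Parameter(Mandatory)][string]$Thumbprint,
    [string]$AppPoolAccount = 'IIS AppPool\IDP',           # assumption: IDP app pool identity
    [string]$InstallPath    = 'REPLACE_WITH_INSTALL_PATH',  # the [Install path] from step 2
    [switch]$Apply                                          # without -Apply the script only reports
)
$ErrorActionPreference = 'Stop'
$tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()   # strip pasted spaces/junk
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $tp
if (-not $cert) { throw "No certificate with thumbprint $tp in the personal (LocalMachine\My) store" }

# Check 1: validity period and chain trust; an expired or untrusted certificate stops the IDP.
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -le $now) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) - $($cert.NotAfter))"
}
if (-not $cert.Verify())      { throw 'Certificate chain does not validate; it is not trusted on this computer' }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; data protection cannot use it' }

# Check 2: the app pool account must be able to read the private key file,
# otherwise the IDP logs "Keyset does not exist".
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName }
           else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
$keyFile = @("$env:ProgramData\Microsoft\Crypto\Keys\$keyName",              # CNG machine keys
             "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$keyName") | # CAPI machine keys
           Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Private key file '$keyName' not found under $env:ProgramData\Microsoft\Crypto" }
$readData = [System.Security.AccessControl.FileSystemRights]::ReadData
$canRead = (Get-Acl $keyFile).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $AppPoolAccount -and
    (($_.FileSystemRights -band $readData) -ne 0)
}
if (-not $canRead) { throw "$AppPoolAccount has no read permission on $keyFile (fix in certlm.msc > Manage Private Keys)" }
Write-Host "Certificate $tp is valid, trusted and its private key is readable by $AppPoolAccount"

# Step 3: set DataProtectionSettings.ProtectKeysWithCertificate.Thumbprint in appsettings.json.
$appSettings = Join-Path $InstallPath 'Milestone\XProtect Management Server\IIS\Identity Provider\appsettings.json'
$cfg = Get-Content $appSettings -Raw | ConvertFrom-Json
$cfg.DataProtectionSettings.ProtectKeysWithCertificate.Thumbprint = $tp
if ($Apply) {
    # ConvertTo-Json rewrites the whole file (formatting included); keep a backup of the original.
    Copy-Item $appSettings "$appSettings.bak" -Force
    $cfg | ConvertTo-Json -Depth 32 | Set-Content -Path $appSettings -Encoding UTF8
    Write-Host "Wrote thumbprint to $appSettings; repeat on every node, then force a failover (steps 4-5)"
} else {
    Write-Host "Dry run: would set Thumbprint = $tp in $appSettings (re-run with -Apply)"
}
```

Run it once per node with the same thumbprint; a failure on any node explains the corresponding Idp.log error before you force the failover.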