If you are struggling to resolve a 500 Error when accessing the Business Tools from your Sitecore CMS, there may be a surprising reason for it. Typically, a Sitecore PaaS environment has a self signed certificate for communication in between Apps. This is set via the ARM template when the environment is deployed, but may also be updated when the certificate expires. How this certificate is created matters.
How do I know if my BizFx 500 error is a certificate error?
The usual indicator is that when you click on the Business Tools link or enter the BizFx App Service URL into a browser, it will provide a 500 error and the URL will actually be the identity service struggling with the token that is being passed. If you are redirected to a long URL that starts with your identity service URL, open up the Identity Service logs and look for something like the following:
Unhandled exception: "System.Security.Cryptography.CryptographicException: Invalid provider type specified. at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle) at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize) at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey() at Microsoft.IdentityModel.Tokens.X509SecurityKey.get_PrivateKey() at Microsoft.IdentityModel.Tokens.X509SecurityKey.get_HasPrivateKey() at Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider.HasPrivateKey(SecurityKey key) at Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(SecurityKey key, String algorithm, Boolean willCreateSignatures) at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures) at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForSigning(SecurityKey key, String algorithm) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.CreateEncodedSignature(String input, SigningCredentials signingCredentials) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.WriteToken(SecurityToken token) at IdentityServer4.Services.DefaultTokenCreationService.CreateJwtAsync(JwtSecurityToken jwt) at IdentityServer4.Services.DefaultTokenCreationService.<CreateTokenAsync>d__4.MoveNext() --- End of stack trace from previous location where exception was thrown ---
The ” Unhandled exception: “System.Security.Cryptography.CryptographicException: Invalid provider type specified” is an indicator that the self signed cert used for communication between the apps may not have the proper provider.
How to add the correct provider
When you create the self signed certificate used for communication between App Services it needs a valid provider (don’t forget to add the cert to each App Service, set the WEBSITE_LOAD_CERTIFCATES value to the thumbprint, and update the thumbprint across all your roles).
If you use the default/don’t declare the provider, it will state something akin to not passing checks when you evaluate the certificate. Use Microsoft’s CertUtil to dump the information on your certificate and see if it is valid: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
The key is to set the following provider when creating your certificate:
-Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"
A full self signed certificate generation could look as follows:
$SelfSignedCert = New-SelfSignedCertificate -DnsName $ApplicationDisplayName -CertStoreLocation cert:\LocalMachine\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"
With the provider declared, use the CertUtil to validate that it is passing checks and place this in each App Service role, while updating the aforementioned thumbprints and WEBSITE_LOAD_CERTIFICATES value before restarting each App Service for it to take effect.
This should resolve the certificate errors in Identity Server and allow your Business Tools/BizFx to properly load and not give you a 500 error.