August 9, 2019 / kiranpatils

Sitecore 9.1 Azure PaaS Identity service error

Challenge:

Recently we were trying to set up Sitecore 9.1 (XP Single) on Azure PaaS with Sitecore’s ARM template: https://github.com/Sitecore/Sitecore-Azure-Quickstart-Templates/tree/master/Sitecore%209.1.1/XPSingle

We were able to run the setup successfully, but after login it showed a blank screen instead of the Sitecore Launchpad.

And we noticed the following error on the Identity server:

2019-08-05T21:02:26.6633964+00:00 [FTL] (Sitecore STS/RD0003FF6419BC) Unhandled exception: “IDX10630: The ‘[PII is hidden by default. Set the ‘ShowPII’ flag in IdentityModelEventSource.cs to true to reveal it.]’ for signing cannot be smaller than ‘[PII is hidden by default. Set the ‘ShowPII’ flag in IdentityModelEventSource.cs to true to reveal it.]’ bits. KeySize: ‘[PII is hidden by default. Set the ‘ShowPII’ flag in IdentityModelEventSource.cs to true to reveal it.]’.
Parameter name: key.KeySize”
System.ArgumentOutOfRangeException: IDX10630: The ‘[PII is hidden by default. Set the ‘ShowPII’ flag in IdentityModelEventSource.cs to true to reveal it.]’ for signing cannot be smaller than ‘[PII is hidden by default. Set the ‘ShowPII’ flag in IdentityModelEventSource.cs to true to reveal it.]’ bits. KeySize: ‘[PII is hidden by default. Set the ‘ShowPII’ flag in IdentityModelEventSource.cs to true to reveal it.]’.
Parameter name: key.KeySize
   at Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider.ValidateAsymmetricSecurityKeySize(SecurityKey key, String algorithm, Boolean willCreateSignatures)
   at Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(SecurityKey key, String algorithm, Boolean willCreateSignatures)
   at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures)
   at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForSigning(SecurityKey key, String algorithm)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.CreateEncodedSignature(String input, SigningCredentials signingCredentials)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.WriteToken(SecurityToken token)
   at IdentityServer4.Services.DefaultTokenCreationService.CreateJwtAsync(JwtSecurityToken jwt)
   at IdentityServer4.Services.DefaultTokenCreationService.CreateTokenAsync(Token token)
   at IdentityServer4.Services.DefaultTokenService.CreateSecurityTokenAsync(Token token)
   at IdentityServer4.ResponseHandling.AuthorizeResponseGenerator.CreateImplicitFlowResponseAsync(ValidatedAuthorizeRequest request, String authorizationCode)
   at IdentityServer4.ResponseHandling.AuthorizeResponseGenerator.CreateHybridFlowResponseAsync(ValidatedAuthorizeRequest request)
   at IdentityServer4.ResponseHandling.AuthorizeResponseGenerator.CreateResponseAsync(ValidatedAuthorizeRequest request)
   at IdentityServer4.Endpoints.AuthorizeEndpointBase.ProcessAuthorizeRequestAsync(NameValueCollection parameters, ClaimsPrincipal user, ConsentResponse consent)
   at IdentityServer4.Endpoints.AuthorizeCallbackEndpoint.ProcessAsync(HttpContext context)
   at IdentityServer4.Endpoints.AuthorizeCallbackEndpoint.ProcessAsync(HttpContext context)
   at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events)
2019-08-05T21:02:26.6665182+00:00 [ERR] (Sitecore STS/RD0003FF6419BC) Connection id “”0HLOPSKHN4OKD””, Request id “”0HLOPSKHN4OKD:00000005″”: An unhandled exception was thrown by the application.
System.ArgumentOutOfRangeException: IDX10630: The ‘[PII is hidden by default. Set the ‘ShowPII’ flag in IdentityModelEventSource.cs to true to reveal it.]’ for signing cannot be smaller than ‘[PII is hidden by default. Set the ‘ShowPII’ flag in IdentityModelEventSource.cs to true to reveal it.]’ bits. KeySize: ‘[PII is hidden by default. Set the ‘ShowPII’ flag in IdentityModelEventSource.cs to true to reveal it.]’.
Parameter name: key.KeySize

If you are facing a similar issue or seeing the same error, this post may have a solution for you.

Solution:

To troubleshoot this further, we had to look at each role to find out what was going on under the hood:

  1. CM Server:
    1. Logs: We were not able to find anything useful.
    2. Config file: We checked the config file at \App_Config\Sitecore\Owin.Authentication.IdentityServer\Sitecore.Owin.Authentication.IdentityServer.config and it also had nothing suspicious.
  2. Identity Server:
    1. We could see the error listed above in the Identity server’s log.

It was tough to decipher that error, because it is not a typical stack trace. So we did a quick Google search and found only one link, which was related to Sitecore.

When we couldn’t find anything, we reached out to Sitecore, and they were able to help us.

This is what Sitecore support shared:

Looking at the exception it seems the same issue reported here:
https://github.com/IdentityServer/IdentityServer3/issues/2845

In order to solve it you will need a new certificate with 2048 bits key length.

We checked our certificate and it was using a 1024-bit key. As soon as we generated a new certificate with a 2048-bit key and reinstalled the Sitecore app, the error was fixed.
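
To catch this before deployment, the key length of the PFX can be checked locally. The script below is an added example, not part of the original setup or Sitecore's templates: it creates a self-signed certificate with a 2048-bit RSA key and then reads the exported PFX back to confirm the size. The subject, file name and store location are placeholders, and using a self-signed certificate is an assumption.

```powershell
# Added example, not from the original post. Subject, file name and
# store location are constructed placeholders.
$MinRsaBits = 2048   # minimum key length quoted by Sitecore support above

function Get-PfxRsaKeyInfo {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # .NET resolves relative paths against the process directory, not the
    # current PowerShell location, so hand it a full path.
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($full, $Password)
    $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($null -eq $rsa) { throw "Certificate $($cert.Thumbprint) has no RSA public key." }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        KeySize    = $rsa.KeySize
        Acceptable = ($rsa.KeySize -ge $MinRsaBits)
    }
}

$password = Read-Host -AsSecureString -Prompt 'PFX password'

# Create the certificate with an explicit key length instead of relying on defaults.
$params = @{
    Subject           = 'CN=sitecore-identity.example'
    CertStoreLocation = 'Cert:\CurrentUser\My'
    KeyAlgorithm      = 'RSA'
    KeyLength         = $MinRsaBits
    KeyExportPolicy   = 'Exportable'
    NotAfter          = (Get-Date).AddYears(1)
}
$cert = New-SelfSignedCertificate @params
Export-PfxCertificate -Cert $cert -FilePath .\identity-example.pfx -Password $password | Out-Null

# Read the exported file back: this is the artifact that actually gets deployed.
$info = Get-PfxRsaKeyInfo -Path .\identity-example.pfx -Password $password
$info | Format-List
if (-not $info.Acceptable) {
    throw "Key is $($info.KeySize) bits; the identity server needs at least $MinRsaBits."
}
```

Running Get-PfxRsaKeyInfo against an existing PFX shows its KeySize directly, which is the value the IDX10630 message hides behind the PII placeholder.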

One more thing: when you delete the app from the portal, it doesn’t clean up the certificate. So, before redeploying your app with the new certificate, please make sure all old certificates are deleted.

Hope this helps!
