AD FS and certificate KeySpec property information

Key Specification ("KeySpec") is a property associated with a certificate and key. It specifies whether the private key associated with a certificate can be used for signing, encryption, or both.

An incorrect KeySpec value can cause AD FS and Web Application Proxy errors such as:

  • Failure to establish an SSL/TLS connection to AD FS or the Web Application Proxy, with no AD FS events logged (though SChannel 36888 and 36874 events may be logged)
  • Failure to log in at the AD FS or WAP forms-based authentication page, with no error message shown on the page.

You may see the following in the event log:

Log Name:      AD FS Tracing/Debug
Source:        AD FS Tracing
Date:          2/12/2015 9:03:08 AM
Event ID:      67
Task Category: None
Level:         Error
Keywords:      ADFSProtocol
User:          S-1-5-21-3723329422-3858836549-556620232-1580884
Computer:      ADFS1.contoso.com
Description:
Ignore corrupted SSO cookie.

What causes the problem

The KeySpec property identifies how a key generated or retrieved by Microsoft CryptoAPI (CAPI) from a Microsoft legacy Cryptographic Storage Provider (CSP) can be used.

A KeySpec value of 1, or AT_KEYEXCHANGE, can be used for signing and encryption. A value of 2, or AT_SIGNATURE, is used only for signing.

The most common KeySpec misconfiguration is using a value of 2 for a certificate other than the token signing certificate.

For certificates whose keys were generated using Cryptography Next Generation (CNG) providers, there is no concept of key specification, and the KeySpec value will always be zero.

See how to check for a valid KeySpec value below.

Example

An example of a legacy CSP is the Microsoft Enhanced Cryptographic Provider.

The Microsoft RSA CSP key blob format includes an algorithm identifier, either CALG_RSA_KEYX or CALG_RSA_SIGN, to service requests for AT_KEYEXCHANGE or AT_SIGNATURE keys respectively.

The RSA key algorithm identifiers map to KeySpec values as follows:

Provider supported algorithm                                          Key Specification value for CAPI calls
--------------------------------------------------------------------  --------------------------------------
CALG_RSA_KEYX : RSA key that can be used for signing and decryption   AT_KEYEXCHANGE (or KeySpec=1)
CALG_RSA_SIGN : RSA signature only key                                AT_SIGNATURE (or KeySpec=2)

KeySpec values and associated meanings

The following are the meanings of the various KeySpec values:

KeySpec value  Meaning                                                                           Recommended AD FS use
-------------  --------------------------------------------------------------------------------  --------------------------------------------------------------------------
0              The certificate is a CNG cert                                                     SSL certificate only
1              For a legacy CAPI (non-CNG) cert, the key can be used for signing and decryption  SSL, token signing, token decrypting, service communication certificates
2              For a legacy CAPI (non-CNG) cert, the key can be used only for signing            Not recommended

How to check the KeySpec value for your certificates / keys

To see a certificate's values you can use the certutil command line tool.

The following is an example: certutil -v -store my. This will dump the certificate information to the screen.

[Image: KeySpec certificate]

Under CERT_KEY_PROV_INFO_PROP_ID look for two things:

  1. ProviderType: this denotes whether the certificate uses a legacy Cryptographic Storage Provider (CSP) or a Key Storage Provider based on the newer Cryptography Next Generation (CNG) APIs. Any non-zero value indicates a legacy provider.
  2. KeySpec: the following are valid KeySpec values for an AD FS certificate:

    Legacy CSP provider (ProviderType not equal to 0):

    AD FS Certificate Purpose  Valid KeySpec Values
    -------------------------  --------------------
    Service Communication      1
    Token Decrypting           1
    Token Signing              1 and 2
    SSL                        1

    CNG provider (ProviderType = 0):

    AD FS Certificate Purpose  Valid KeySpec Values
    -------------------------  --------------------
    SSL                        0
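The check described above can be automated. The following PowerShell function is an added example and is not part of the original article: it enumerates the machine personal store, reads the same provider type and KeySpec that certutil -v -store my prints under CERT_KEY_PROV_INFO_PROP_ID (via the .NET CspKeyContainerInfo for legacy CSP keys, and a fixed 0 for CNG keys), and maps the value to the recommendation table above. The function name and the store path parameter are this example's own choices; it must run from an elevated prompt because opening the private key handle requires access to the key.

```powershell
# Added example, not part of the original article. Reports ProviderType and KeySpec
# for every certificate with a private key in the machine personal store and rates
# the value against the AD FS guidance above. Run from an elevated prompt.
function Get-AdfsCertKeySpec {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My'   # assumed default; adjust if needed
    )

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert         = $_
        $provider     = 'n/a'
        $providerType = $null
        $keySpec      = $null
        $note         = ''

        try {
            # Returns RSACryptoServiceProvider for legacy CSP keys and RSACng for CNG keys.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $info         = $rsa.CspKeyContainerInfo
                $provider     = $info.ProviderName
                $providerType = $info.ProviderType     # non-zero = legacy CSP
                $keySpec      = [int]$info.KeyNumber   # Exchange = 1 (AT_KEYEXCHANGE), Signature = 2 (AT_SIGNATURE)
            }
            elseif ($rsa) {
                # CNG key storage provider: there is no key specification, so KeySpec is 0.
                $provider     = $rsa.Key.Provider.Provider
                $providerType = 0
                $keySpec      = 0
            }
            else {
                $note = 'Not an RSA key; this check only covers RSA certificates.'
            }
        }
        catch {
            $note = "Could not open private key: $($_.Exception.Message)"
        }

        # Map the value to the recommendation table in the article.
        $recommendation = if ($null -eq $keySpec) { 'Unknown' } else {
            switch ($keySpec) {
                0       { 'CNG certificate: suitable for SSL only' }
                1       { 'AT_KEYEXCHANGE: suitable for SSL, token signing, token decrypting and service communication' }
                2       { 'AT_SIGNATURE: token signing only; not recommended for any other AD FS certificate' }
                default { 'Unknown' }
            }
        }

        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            Provider       = $provider
            ProviderType   = $providerType
            KeySpec        = $keySpec
            Recommendation = $recommendation
            Note           = $note
        }
    }
}

# Usage: list only the certificates whose KeySpec (2) would break SSL or service communication
Get-AdfsCertKeySpec | Where-Object { $_.KeySpec -eq 2 } | Format-List
```

A certificate that reports ProviderType 0 and KeySpec 0 is a CNG certificate and is only appropriate as the SSL certificate; a legacy CSP certificate reporting KeySpec 2 is the misconfiguration this article describes unless it is the token signing certificate.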

How to change the KeySpec for your certificate to a supported value

Changing the KeySpec value does not require the certificate to be re-generated or re-issued by the Certificate Authority. The KeySpec can be changed by re-importing the complete certificate and private key from a PFX file into the certificate store, using the steps below:

  1. First, check and record the private key permissions on the existing certificate so that they can be re-configured if necessary after the re-import.
  2. Export the certificate, including the private key, to a PFX file.
  3. Perform the following steps for each AD FS and WAP server:
    1. Delete the certificate (from the AD FS / WAP server).
    2. Open an elevated PowerShell command prompt and import the PFX file on each AD FS and WAP server using the cmdlet syntax below, specifying the AT_KEYEXCHANGE value (which works for all AD FS certificate purposes):
      1. C:\> certutil -importpfx certfile.pfx AT_KEYEXCHANGE
      2. Enter the PFX password.
    3. Once the above completes, do the following:
      1. Check the private key permissions.
      2. Restart the AD FS or WAP service.
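The per-server part of the procedure (steps 3.1 to 3.3) can be wrapped so that the private key permissions are captured before the delete and re-applied after the re-import, and the result is verified before the service restarts. The function below is an added example, not code from the original article. It assumes the PFX from step 2 is already on the server at the path passed as -PfxPath, that certutil prompts for the PFX password exactly as in the manual steps, that legacy CSP machine keys live under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys, and that the service names are adfssrv (AD FS) and appproxysvc (Web Application Proxy); the function name and parameter names are this example's own.

```powershell
# Added example, not part of the original article: steps 3.1-3.3 for one AD FS or
# WAP server. Assumes the PFX was exported with its private key (step 2) and that
# certutil prompts for the PFX password interactively. Run from an elevated prompt.
function Repair-CertKeySpec {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$PfxPath,
        [ValidateSet('adfssrv', 'appproxysvc')][string]$ServiceName = 'adfssrv'   # assumed service names
    )
    $ext       = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
    $keyDir    = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'   # legacy CSP machine key files
    $storePath = "Cert:\LocalMachine\My\$Thumbprint"
    $cert      = Get-Item -Path $storePath

    # Step 1: record the explicit private key ACEs so they can be restored after the re-import.
    $rsa = $ext::GetRSAPrivateKey($cert)
    if ($rsa -isnot [System.Security.Cryptography.RSACryptoServiceProvider]) {
        Write-Warning 'Not a legacy CSP key (CNG keys have no KeySpec); nothing to change.'
        return
    }
    $oldKeyFile = Join-Path $keyDir $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $savedRules = @()
    if (Test-Path $oldKeyFile) {
        $savedRules = @((Get-Acl -Path $oldKeyFile).Access | Where-Object { -not $_.IsInherited })
    }
    Write-Host "Current KeySpec: $([int]$rsa.CspKeyContainerInfo.KeyNumber); saved $($savedRules.Count) explicit ACEs"

    # Step 3.1: delete the certificate. -DeleteKey also removes the old key container so the
    # PFX import creates a fresh one; the PFX exported in step 2 is the backup.
    Remove-Item -Path $storePath -DeleteKey

    # Step 3.2: re-import from the PFX, forcing AT_KEYEXCHANGE (KeySpec = 1). certutil prompts for the password.
    certutil -importpfx $PfxPath AT_KEYEXCHANGE
    if ($LASTEXITCODE -ne 0) { throw "certutil -importpfx failed with exit code $LASTEXITCODE" }

    # Step 3.3: verify the new KeySpec, re-apply the saved ACEs, then restart the service.
    $cert = Get-Item -Path $storePath
    $rsa  = $ext::GetRSAPrivateKey($cert)
    $info = $rsa.CspKeyContainerInfo
    if ([int]$info.KeyNumber -ne 1) { throw "Re-import did not produce KeySpec 1 (got $([int]$info.KeyNumber))" }

    $newKeyFile = Join-Path $keyDir $info.UniqueKeyContainerName
    if ($savedRules.Count -gt 0 -and (Test-Path $newKeyFile)) {
        $acl = Get-Acl -Path $newKeyFile
        foreach ($rule in $savedRules) { $acl.AddAccessRule($rule) }
        Set-Acl -Path $newKeyFile -AclObject $acl
    }
    Restart-Service -Name $ServiceName
    Write-Host "KeySpec is now 1 (AT_KEYEXCHANGE); $ServiceName restarted."
}

# Usage, on each AD FS / WAP server from an elevated prompt (placeholder thumbprint and path):
# Repair-CertKeySpec -Thumbprint '<thumbprint>' -PfxPath 'C:\temp\certfile.pfx' -ServiceName adfssrv
```

Only the explicit (non-inherited) access rules are copied back, so the AD FS service account's read permission on the key file survives the re-import without overwriting the new key file's owner or inherited entries. The function refuses to act on CNG certificates, since a CNG key has no KeySpec and a reported value of 0 is expected for the SSL certificate.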