ergustafsson
Partner - Specialist

ADFS SAML - SHA-256 renders "Internal Server Error"?

Hi!

I have successfully set up ADFS SAML SSO, with office365 login. The authentication works fine, going to http://URL/adfs/hub bounces the user to the login site and then back.

However, SHA-1 is not supposed to be widely supported after the end of this year, see https://www.tbs-certificates.co.uk/FAQ/en/sha256.html .

When using SHA-256 it gives me an internal server error, immediately (not bouncing to login site). This single change among the settings renders an error.

Any ideas why?

Found in the C:\ProgramData\Qlik\Sense\Log\Proxy\System\QLIK-SENSE_Service_Proxy.txt file:

Command=Authenticate request;Result=-2147467259;ResultText=Error: The I/O operation has been aborted because of either a thread exit or an application request

See attached for screenshots.

Thanks in advance.

Cheers,

Erik


4 Replies
ergustafsson
Partner - Specialist
Author

internal server error.png

These are the settings.

Not applicable

We are troubleshooting a similar issue. Did you find a resolution for this? Please post your findings.

Our setup is similar to yours except, we use an internal corporate ID provider.

One of the logs (I believe the proxy audit log) shows an error "Unanticipated ComponentSpace.SAML2.Exceptions.SAMLSignatureException occurred for connection"!

Clearly, the Qlik Sense proxy throws an exception before reaching out to the ID provider. The error seems to be from one of the DLLs used by the proxy service. I suspect Qlik Sense cannot read the encrypted signature from the IdP metadata.

Any help would be greatly appreciated!

Not applicable

We found a resolution for this issue! If someone is having a similar issue, try this.

It looks like the issue is with the certificate that you choose under 'Proxy / Security'. Though the documentation says that the certificate chosen here is merely used for presenting it to the browser, it plays a much bigger role than that. The private key and the associated Cryptographic Service Provider in the certificate should support SHA-256 XML signatures. If it doesn't, the certificate has to be updated with a different provider. It's very simple, running a couple of ssl commands.

Look at this link for detailed instructions: SHA-256 and Converting the Cryptographic Service Provider Type

ergustafsson
Partner - Specialist
Author

Just want to confirm, this was our resolution as well. I was in touch with Qlik Support and we agreed that the actual problem was that the Cryptographic Service Provider issuing the private key in the certificate was wrong. In order to support SHA-256, it requires a specific one: "Microsoft Enhanced RSA and AES Cryptographic Provider". If it is not, the client will try to downgrade to SHA-1 and surely it will fail because the proxy was configured to use SHA256.

The solution is to either re-issue the certificate, or convert it using the method in the article: http://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Provider-Type

Remember to change on the ADFS side as well to SHA-256.
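To verify the condition described in this thread before touching ADFS or the proxy, the following script (an added example, not code from the thread or from Qlik) reads the provider backing the private key of the certificate selected under Proxy / Security and then attempts the RSA/SHA-256 signature the proxy needs. It assumes it is run elevated on the Qlik Sense proxy host and that the thumbprint passed in is the certificate's; the provider type numbers and the test payload are the only constructed values.

```powershell
# Added example: check the Cryptographic Service Provider behind a certificate's
# private key and test whether it can produce an RSA/SHA-256 signature.
# Assumption: run as administrator on the proxy host; pass the thumbprint of the
# certificate configured under Proxy / Security (placeholder, supply your own).
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }

# Legacy CAPI keys expose their CSP. ProviderType 24 is
# "Microsoft Enhanced RSA and AES Cryptographic Provider", the one that supports SHA-256;
# older types such as 1 (Microsoft Strong Cryptographic Provider) or 12 (RSA SChannel) do not.
$csp = $cert.PrivateKey   # $null when the key lives in a CNG KSP or is not readable by this user
if ($csp -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $info = $csp.CspKeyContainerInfo
    "Provider name : {0}" -f $info.ProviderName
    "Provider type : {0}" -f $info.ProviderType
} else {
    "Private key is not a CAPI RSACryptoServiceProvider key (CNG key, or no access)."
}

# Whatever the provider, exercise the operation the SAML signer actually performs.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw "No accessible RSA private key; check the key's ACL for the proxy service account" }

$data = [System.Text.Encoding]::UTF8.GetBytes("constructed test payload")   # constructed input
try {
    $sig = $rsa.SignData($data,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    "RSA/SHA-256 signature OK ({0} bytes); the certificate is usable with SHA-256 SAML signing." -f $sig.Length
} catch {
    # A legacy CSP typically fails here with "Invalid algorithm specified".
    "RSA/SHA-256 signature FAILED: $($_.Exception.Message)"
    "Re-issue the certificate under provider type 24, or convert the key container as described in the ComponentSpace article linked above."
}
```

If the signature test fails while the CSP shown is not type 24, that matches the root cause in this thread; a passing test with a CNG key means the provider is not the problem and the ADFS-side hash setting should be checked next.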