topic Re: ADFS SAML - SHA-256 renders "Internal Server Error"? in Management & Governance

ADFS SAML - SHA-256 renders "Internal Server Error"?

ergustafsson — Mon, 23 May 2016 15:01:43 GMT

Hi!

I have successfully set up ADFS SAML SSO, with office365 login. The authentication works fine, going to http://URL/adfs/hub bounces the user to the login site and then back.

However, SHA-1 is not supposed to be widely supported after the end of this year, see https://www.tbs-certificates.co.uk/FAQ/en/sha256.html .

When using SHA-256 it gives me an internal server error, immediately (not bouncing to login site). This single change among the settings renders an error.

Any ideas why?

Found in the C:\ProgramData\Qlik\Sense\Log\Proxy\System\QLIK-SENSE_Service_Proxy.txt file:

Command=Authenticate request;Result=-2147467259;ResultText=Error: The I/O operation has been aborted because of either a thread exit or an application request

See attached for screenshots.

Thanks in advance.

Cheers,

Erik

Re: ADFS SAML - SHA-256 renders "Internal Server Error"?

ergustafsson — Mon, 23 May 2016 15:02:10 GMT

These are the settings.

Re: ADFS SAML - SHA-256 renders "Internal Server Error"?

Wed, 27 Jul 2016 14:50:11 GMT

We are troubleshooting a similar issue. Did you find a resolution for this? Please post your findings.

Our setup is similar to yours except, we use an internal corporate ID provider.

One of the logs (I believe, proxy audit log) shows an error "Unanticipated ComponentSpace.SAML2.Exceptions.SAMLSignatureException occurred for connection"!

Clearly, Qlik sense proxy throws an exception before reaching out the ID provider. The error seems to be from one of the dll used by the proxy service. I suspect if Qlik sense cannot read the encrypted signature from Idp meta data.

Any help would greatly appreciated!

Re: ADFS SAML - SHA-256 renders "Internal Server Error"?

Wed, 10 Aug 2016 22:19:37 GMT

We found a resolution for this issue! If someone is having a similar issue, try this.

It looks like the issue is with the certificate that you choose under 'Proxy / Security'. Though, the documentation says that the certificate chosen here is merely used for presenting it to the browser, it plays much bigger role than that. The private key and the associated Cryptographic Service Provider in the certificate should support SHA-256 XML signatures. If it doesn't the certificate has to be updated with a different provider. It's very simple running couple of ssl commands.

Look at this link for detailed instructions: SHA-256 and Converting the Cryptographic Service Provider Type

Re: ADFS SAML - SHA-256 renders "Internal Server Error"?

ergustafsson — Wed, 31 May 2017 17:36:04 GMT

Just want to confirm, this was our resolution as well. I was in touch with Qlik Support and we agreed that the actual problem was the Cryptographic Service Provider that's issuing the private key in the certificate was wrong. In order to support SHA-256, it requires a specific one "Microsoft Enhanced RSA and AES Cryptographic Provider". If it is not, the client will try to downgrade to SHA-1 and surely it will fail because the proxy was configured to use SHA256.

The solution is to either re-issue the certificate, or convert it using the method in the article:http://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Provider-Type

Remember to change on the ADFS side as well to SHA-256.