Error 500 - Internal server error in the Hub/QMC when connecting through SAML authentication

pbr — Wed, 12 May 2021 12:36:25 GMT

The most likely cause of this error after installation, and when using SAML, is that Qlik Sense is attempting to use a SHA256 Hashing algorithm and the 3^rd Party Certificate installed for the Proxy does not have the appropriate Cryptographic Providers added to them.

In order to use SHA-256, a third-party certificate is required, where the associated private key has the provider "Microsoft Enhanced RSA and AES Cryptographic Provider". See under Authentication > SAML signing algorithm section of the documentation Editing a virtual proxy - Qlik Sense for administrators

Environment:

, all versions

Resolution:

Convert the current certificates to use the correct Cryptographic Provider.

Note: The same conversion steps and how to check for the correct provider are documented under SHA-256 and Converting the Cryptographic Service Provider Type

Needed Items:

Certificate with the Private Key in it
Certificate in PFX format
- Note: As long as the Private Key is there and the Cryptographic Providers can be added to the certificate type, and is supported by that type, it doesn’t matter the actual format.
Trusted Root for that certificate is installed on the Proxy Server
OpenSSL (3^rd Party Software)
Logged in as an account with the User/Administrator rights on the machine to run certutil and install/delete certificates

Note: Qlik Sense does NOT create CSRs for Certificate Authorities (CA) to create 3^rd Party SSL certificates. There’s many ways of doing this outside the product. Please consult your CA team for how to request one. Basic instructions are available and provided as-is outside scope of Qlik Support under Qlik Sense: Generating CSR for 3rd Party Certificates.
--

Step 1:

Run from an elevated Command Prompt (CMD): certutil -store -v my > c:\certificate.txt

Step 2:

Search the certificate.txt file for the certificate that will used for Authentication (the installed 3^rd party certificate).

Example of a SHA1 certificate that does not have the proper Cryptographic Provider:
Provider = Microsoft Enhanced Cryptographic Provider v1.0
ProviderType = 1
Unique container name: 67b595f1f5dc08c5b04181220a6a9f6a_13f6a9b2-6308-4b91-b867-c7fe1a974faf
PP_KEYSTORAGE = 1
CRYPT_SEC_DESCR -- 1
KP_PERMISSIONS = 3f (63)
CRYPT_ENCRYPT -- 1
CRYPT_DECRYPT -- 2
CRYPT_EXPORT -- 4
CRYPT_READ -- 8
CRYPT_WRITE -- 10 (16)
CRYPT_MAC -- 20 (32)

Example of the SHA256 certificate that has the proper Cryptographic Providers:
Provider = Microsoft Enhanced RSA and AES Cryptographic Provider
ProviderType = 24
Unique container name: 6c66d03c2de5c8747450e7c12960e4b5_13f6a9b2-6308-4b91-b867-c7fe1a974faf
PP_KEYSTORAGE = 1
CRYPT_SEC_DESCR -- 1
KP_PERMISSIONS = 3f (63)
CRYPT_ENCRYPT -- 1
CRYPT_DECRYPT -- 2
CRYPT_EXPORT -- 4
CRYPT_READ -- 8
CRYPT_WRITE -- 10 (16)
CRYPT_MAC -- 20 (32)

Note: If the certificate does NOT have Microsoft Enhanced RSA and AES Cryptographic Provider, SAML with SHA256 will NOT work until this provider is used. Qlik does NOT perform this modification and will need to be done outside the product. Steps below are provided as-is and can be followed as general guidelines.

This example is going to use a 3^rd Party tool called OpenSSL (https://wiki.openssl.org/index.php/Binaries - 3rd Party Tool OpenSSL – NOT supported by Qlik). You can try different ways of requesting or making the change by other means.

Step 3:

Converting a PFX file to a PEM file and adding the correct Cryptographic Providers:

Command line:

cd C:\OpenSSL-Win64\bin
- Default install location for Win64OpenSSL_Light-1_1_0f.exe install path (can be changed during installation)
  - Different versions may do different functions, this one was picked for its small size and performed the functions needed in a 64 bit OS. (Current version as of 10/31/2017)
openssl pkcs12 -in c:\3rdsslcert.pfx -out c:\3rdsslcert-new.pem
- Converts the PFX file to a PEM file.
  - Note: You will need the Import Password to have access to the Private Key. This is supplied by the CA when the certificate is generated. If the password is not supplied, the certificate cannot be used.
openssl pkcs12 -export -in c:\3rdsslcert-new.pem -out c:\3rdsslcert-new.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"
- Converts the PEM file back to PFX and adding the correct Cryptographic Providers.

Step 4:

Shut down the services for the node you will need to replace the certificate on.
Delete the old version of the certificate and install the new one.
Restart the services.
- The thumbprint will not change as the certificate is the same, but the Cryptographic Providers have been added. You do not need to change anything in the QMC.
  - However, if this is a new certificate entirely, you will need to replace the Thumbprint for the old certificate with the new one in the Proxy settings in the QMC.
Verify in the Hub/QMC that it’s using the installed certificate with no issues.

Step 5:

Verify that the Virtual Proxy for SAML is correctly configured to use SHA256.
Verify that the SAML IdP and Entity for that Virtual Proxy is configured to use SHA256.
- Some IdPs use certificate data inside the metadata provided by Qlik Sense. If you change the certificate (even modifying it for this article) in any way, the SP metadata (From the SAML VP in the QMC) should be regenerated and reimported to the IdP.
  - Note: Some IdPs don’t need this information, but some do. When in doubt, reimport metadata from either the IdP/SP to the other to ensure it’s all up to date.
Attempt to log into the Virtual Proxy and the SAML provider.

Cause:

Special Notes:

Internal 500 Errors are normally caused by the SSL certificate bound to the Proxy Service. While it may not be the issue documented in this article, there may be another with it that’s linked. Verifying different certificates (EX: Sense Self-Signed instead of a CA generated one) or SHA1 vs SHA256 on the IdP or Sense side, will help narrow down where the issue lies.
IdP certificates CAN expire and if that happens, Qlik Sense needs the updated metadata from it.

article Error 500 - Internal server error in the Hub/QMC when connecting through SAML authentication in Official Support Articles

Error 500 - Internal server error in the Hub/QMC when connecting through SAML authentication

Environment:

Resolution:

Cause:

Related Content:

Qlik Sense SAML Integration fails with 500 Internal Server Error, Unanticipated ComponentSpace.SAML2.Exceptions.SAMLBindingException