We've been using AAD B2C with custom policies for some time now, and everything worked as it should, but all of a sudden we started getting exceptions on the sign-in policy. To make things worse, sometimes it does work, but 4 out of 5 times we get an exception.

We managed to dig out the error by linking the policies to Application Insights, and here's what we got:

    "Kind": "FatalException",
    "Content": {
      "Time": "9:05 PM",
      "Exception": {
        "Kind": "Handled",
        "HResult": "80131509",
        "Message": "IDX10614: AsymmetricSecurityKey.GetSignatureFormater( 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' ) threw an exception.\nKey: 'System.IdentityModel.Tokens.X509AsymmetricSecurityKey'\nSignatureAlgorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256', check to make sure the SignatureAlgorithm is supported.\nException:'System.Security.Cryptography.CryptographicException: Invalid provider type specified.\r\n\r\n   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)\r\n   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)\r\n   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()\r\n   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)\r\n   at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()\r\n   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()\r\n   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm)\r\n   at System.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(AsymmetricSecurityKey key, String algorithm, Boolean willCreateSignatures)'.\nIf you only need to verify signatures the parameter 'willBeUseForSigning' should be false if the private key is not be available.",
        "Data": {},
        "Exception": {
          "Kind": "Handled",
          "HResult": "80090014",
          "Message": "Invalid provider type specified.\r\n",
          "Data": {}
        }
      }
    }

I'm not sure what has changed or how this suddenly started happening. It doesn't matter whether we use incognito mode or not.

Also, no outages reported on Microsoft's end.

Any clues will be highly appreciated!

Best answer:

Solved with information found here: StackOverflow question

Since we were also using the Invite Flow, I used the New-SelfSignedCertificate command noted there.

Now I have regenerated the certificate using the information from this Microsoft doc and appending the Provider parameter from the StackOverflow thread above:

# Run in an elevated Windows PowerShell session; the PS prompt and ">>" continuation markers from the transcript are stripped so this can be pasted as-is.
New-SelfSignedCertificate `
    -KeyExportPolicy Exportable `
    -Subject "CN=***.onmicrosoft.com" `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -KeyUsage DigitalSignature `
    -NotAfter (Get-Date).AddMonths(24) `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Provider "microsoft enhanced rsa and aes cryptographic provider"

Although I'm not sure why this suddenly stopped working out of nowhere, I guess it could be that Microsoft updated something on their end.

Anyway, it seems to work now, so we'll see.
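A fuller version of the procedure in the answer, added here as an editor's example and not part of the original question or answer. The stack trace in the question ends in X509Certificate2.get_PrivateKey throwing 0x80090014 "Invalid provider type specified"; that legacy accessor only understands CryptoAPI (CSP) keys, and New-SelfSignedCertificate without -Provider stores the key in a CNG key storage provider, which is why forcing a CSP with -Provider fixes signing for the System.IdentityModel stack shown in the trace. The script below generates the certificate that way, verifies before anything is uploaded that the private key really is CSP-backed and carries the digitalSignature usage, and exports a PFX for use as a policy key. The subject name, output path and lifetime are placeholders, and it assumes Windows PowerShell 5.1 on Windows 10 / Server 2016 or later, where the PKI module's -Provider parameter exists and PrivateKey behaves as in the trace.

```powershell
# Added example: B2C policy-key certificate with a CSP-backed private key.
# Placeholders (assumptions): $subject, $pfxPath, 24-month lifetime.

$subject  = "CN=yourtenant.onmicrosoft.com"          # replace with your tenant's name
$pfxPath  = Join-Path $env:TEMP "b2c-signing.pfx"     # any writable path
$provider = "Microsoft Enhanced RSA and AES Cryptographic Provider"  # legacy CSP, not a CNG KSP

$cert = New-SelfSignedCertificate `
    -KeyExportPolicy Exportable `
    -Subject $subject `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -KeyUsage DigitalSignature `
    -NotAfter (Get-Date).AddMonths(24) `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Provider $provider

# Check 1: exercise the same legacy accessor the failing stack uses.
# For a CNG-stored key this getter throws "Invalid provider type specified";
# for a CSP key it returns an RSACryptoServiceProvider whose container info
# names the CSP. Fail loudly here rather than after the key is uploaded.
try {
    $rsa = $cert.PrivateKey
} catch {
    throw "Legacy PrivateKey accessor failed: $($_.Exception.Message). The key is not CSP-backed; regenerate with -Provider."
}
if (-not ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider])) {
    throw "Private key is not an RSACryptoServiceProvider; the token-signing stack cannot use it."
}
if ($rsa.CspKeyContainerInfo.ProviderName -ne $provider) {
    throw "Unexpected provider: $($rsa.CspKeyContainerInfo.ProviderName)"
}

# Check 2: the certificate can sign (has a private key, digitalSignature usage).
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key" }
$ku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
if (-not $ku -or -not ($ku.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)) {
    throw "Key usage does not include DigitalSignature"
}

# Export as PFX (private key included). Upload this file as a new policy key
# in the tenant's Identity Experience Framework blade, then reference that key
# from the policy's TechnicalProfile the way the existing key was referenced.
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
Write-Host "Thumbprint $($cert.Thumbprint) (provider: $($rsa.CspKeyContainerInfo.ProviderName)) exported to $pfxPath"
```

The first check is the one worth keeping around: running `$cert.PrivateKey` against the certificate currently configured as the policy key reproduces the exact failure from the trace on a CNG-backed certificate, so it distinguishes a key-storage problem from a genuine service outage before any policy is touched. Delete the PFX from disk once it is uploaded; with -KeyExportPolicy Exportable the file holds the full signing key.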