Directory Server SAML login throws "Keyset does not exist" error when authentication request signing is enabled

March 21, 2022 | KB: 1014366
Directory Server 10, Directory Server 11

Summary

If a Laserfiche Directory Server (LFDS) SAML SSO configuration has the "Sign authentication request" option enabled, LFDS must use the private key of the specified signing certificate to sign each authentication request. If the Laserfiche Directory Server service account does not have the "Read" permission on that private key, selecting the SAML option on the LFDSSTS login page throws a "Keyset does not exist" error. ("Keyset does not exist" is the Windows CryptoAPI error NTE_BAD_KEYSET, 0x80090016. The same message appears if the certificate was imported into the Local Computer Personal store without its private key, so confirm that the certificate actually has a private key before changing permissions.)

The error may also appear in the following Event Log channels under "Applications and Services Logs":

  • Laserfiche > Directory Service > Server > Operational trace
  • Laserfiche > Directory Service > WebSTS > Operations

Resolution

Grant the Laserfiche Directory Server service account the "Read" permission on the signing certificate's private key.

To grant private key permissions

  1. Open the Certificates MMC Snap-in.
  2. Expand "Certificates (Local Computer) > Personal > Certificates".
  3. Right-click the certificate and select "All Tasks > Manage Private Keys".
  4. Add the LFDS service account (by default, the built-in NETWORK SERVICE account) to the "Group or user names" list.
  5. Select the service account and allow only the "Read" permission. Full control is not required for signing and should not be granted.
  6. Select "OK".

The permissions change takes effect immediately. It is not necessary to restart the Laserfiche Directory Server service or recycle its IIS application pools.
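The following script is an added example, not a Laserfiche tool: it performs the same change as the MMC steps above from an elevated Windows PowerShell 5.1 prompt on the LFDS server, and it checks the two conditions that produce the same error message for a different reason (no private key at all, or a hardware-backed key that has no file to set an ACL on). It assumes the certificate is in the Local Computer Personal store and is identified by thumbprint; the account name is a placeholder and should be replaced with the domain account if LFDS runs under one instead of NETWORK SERVICE.

```powershell
# Added example (not Laserfiche's own tooling). Grants the LFDS service account
# Read on the SAML signing certificate's private key and verifies the result.
# Assumptions: certificate in Cert:\LocalMachine\My, identified by thumbprint;
# $ServiceAccount is a placeholder for whatever account the LFDS service runs as.
param(
    [Parameter(Mandatory = $true)] [string] $Thumbprint,
    [string] $ServiceAccount = 'NT AUTHORITY\NETWORK SERVICE'
)

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) {
    # Same "Keyset does not exist" symptom, different cause: the certificate was
    # imported without its private key, so there is nothing to grant access to.
    throw "Certificate $Thumbprint has no private key in the Local Computer Personal store."
}

# Resolve the key's unique container/file name. Windows keeps software keys as
# files: CNG keys under Crypto\Keys, legacy CSP keys under Crypto\RSA\MachineKeys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$uniqueName = if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $rsa.Key.UniqueName
} else {
    $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$keyFile = @(
    (Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$uniqueName"),
    (Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$uniqueName")
) | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $keyFile) {
    # A TPM/HSM-backed key has no file on disk; access must be granted through
    # that provider rather than with a file ACL.
    throw "No key file found for '$uniqueName'; this is not a software key that a file ACL can fix."
}

# Grant Read only. Full Control is not needed for signing and would let the
# service account change the key's ACL or delete the key.
$acl  = Get-Acl -LiteralPath $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $keyFile -AclObject $acl

# Verify: the account should now be listed with Read on the key file. As the
# article notes, no service restart or app pool recycle is needed after this.
(Get-Acl -LiteralPath $keyFile).Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Save it under a name of your choosing (for example Grant-LfdsKeyRead.ps1, a hypothetical name) and run it as `.\Grant-LfdsKeyRead.ps1 -Thumbprint <thumbprint>`, adding `-ServiceAccount 'DOMAIN\svc-lfds'` if the service runs under a domain account. Pass the account in the same DOMAIN\name form Windows reports it in, otherwise the final verification filter will not match the entry it just added.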