Using the latest Indicium version on SF 2025.2.
We added the following to appsettings.json (PROD env):
"DataProtectionSettings": {
  "LocalFileSystem": {
    "StorageLocation": "C:\\Thinkwise\\PROD\\iis-dataprotection\\indicium-keys-PROD"
  }
}

After recycling Indicium, a key-{guid}.xml has been created.
We added a “Client Application” with grant type “Client credentials” and linked our API-user to it.
For some reason this works in our Acceptance environment, but trying to set it up in Production results in the following error:
2026-01-27T14:53:44.4862101+01:00 80000c72-0001-e800-b63f-84710c7967bb [FTL] Unhandled exception: "The system cannot find the file specified." (9b1fe9ee)
System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
at System.Security.Cryptography.X509Certificates.CertificatePal.FilterPFXStore(ReadOnlySpan`1 rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
at System.Security.Cryptography.X509Certificates.CertificatePal.FromBlobOrFile(ReadOnlySpan`1 rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
at Indicium.StartupExtensions.generateCertificate(String certificateName) in C:\azp\agent\_work\1\s\src\Indicium\StartupExtensions.UserServices.cs:line 439
at Indicium.StartupExtensions.getOrCreateCertificateFromStore(String certificateName) in C:\azp\agent\_work\1\s\src\Indicium\StartupExtensions.UserServices.cs:line 422
at Indicium.StartupExtensions.getIdentityServerCertificate(IConfiguration configuration, ILogger logger) in C:\azp\agent\_work\1\s\src\Indicium\StartupExtensions.UserServices.cs:line 405
at Indicium.StartupExtensions.<>c__DisplayClass14_0.<addOpenIDServices>b__1() in C:\azp\agent\_work\1\s\src\Indicium\StartupExtensions.UserServices.cs:line 157
at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
--- End of stack trace from previous location ---
at System.Lazy`1.CreateValue()
at Indicium.StartupExtensions.<>c__DisplayClass14_0.<addOpenIDServices>b__2() in C:\azp\agent\_work\1\s\src\Indicium\StartupExtensions.UserServices.cs:line 171
at Indicium.StartupExtensions.<>c__DisplayClass19_0.<addLazySigningCredential>b__0() in C:\azp\agent\_work\1\s\src\Indicium\StartupExtensions.UserServices.cs:line 460
at Indicium.LazySigningCredentialStore.GetSigningCredentialsAsync() in C:\azp\agent\_work\1\s\src\Indicium\StartupExtensions.UserServices.cs:line 490
at Duende.IdentityServer.Services.DefaultKeyMaterialService.GetSigningCredentialsAsync(IEnumerable`1 allowedAlgorithms) in /_/src/IdentityServer/Services/Default/DefaultKeyMaterialService.cs:line 53
at Duende.IdentityServer.Services.DefaultTokenCreationService.CreateJwtAsync(Token token, String payload, Dictionary`2 headerElements) in /_/src/IdentityServer/Services/Default/DefaultTokenCreationService.cs:line 130
at Duende.IdentityServer.Services.DefaultTokenCreationService.CreateTokenAsync(Token token) in /_/src/IdentityServer/Services/Default/DefaultTokenCreationService.cs:line 76
at Duende.IdentityServer.Services.DefaultTokenService.CreateSecurityTokenAsync(Token token) in /_/src/IdentityServer/Services/Default/DefaultTokenService.cs:line 254
at Duende.IdentityServer.ResponseHandling.TokenResponseGenerator.CreateAccessTokenAsync(ValidatedTokenRequest request) in /_/src/IdentityServer/ResponseHandling/Default/TokenResponseGenerator.cs:line 438
at Duende.IdentityServer.ResponseHandling.TokenResponseGenerator.ProcessTokenRequestAsync(TokenRequestValidationResult validationResult) in /_/src/IdentityServer/ResponseHandling/Default/TokenResponseGenerator.cs:line 335
at Duende.IdentityServer.ResponseHandling.TokenResponseGenerator.ProcessAsync(TokenRequestValidationResult request) in /_/src/IdentityServer/ResponseHandling/Default/TokenResponseGenerator.cs:line 95
at Duende.IdentityServer.Endpoints.TokenEndpoint.ProcessTokenRequestAsync(HttpContext context) in /_/src/IdentityServer/Endpoints/TokenEndpoint.cs:line 133
at Duende.IdentityServer.Endpoints.TokenEndpoint.ProcessAsync(HttpContext context) in /_/src/IdentityServer/Endpoints/TokenEndpoint.cs:line 81
at Duende.IdentityServer.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IdentityServerOptions options, IEndpointRouter router, IUserSession userSession, IEventService events, IIssuerNameService issuerNameService, ISessionCoordinationService sessionCoordinationService) in /_/src/IdentityServer/Hosting/IdentityServerMiddleware.cs:line 106
2026-01-27T14:53:44.4912006+01:00 80000c72-0001-e800-b63f-84710c7967bb [ERR] An unhandled exception occurred while processing the request. (ffba027a)
System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
at System.Security.Cryptography.X509Certificates.CertificatePal.FilterPFXStore(ReadOnlySpan`1 rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
at System.Security.Cryptography.X509Certificates.CertificatePal.FromBlobOrFile(ReadOnlySpan`1 rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
at Indicium.StartupExtensions.generateCertificate(String certificateName) in C:\azp\agent\_work\1\s\src\Indicium\StartupExtensions.UserServices.cs:line 439
at Indicium.StartupExtensions.getOrCreateCertificateFromStore(String certificateName) in C:\azp\agent\_work\1\s\src\Indicium\StartupExtensions.UserServices.cs:line 422
at Indicium.StartupExtensions.getIdentityServerCertificate(IConfiguration configuration, ILogger logger) in C:\azp\agent\_work\1\s\src\Indicium\StartupExtensions.UserServices.cs:line 405
at Indicium.StartupExtensions.<>c__DisplayClass14_0.<addOpenIDServices>b__1() in C:\azp\agent\_work\1\s\src\Indicium\StartupExtensions.UserServices.cs:line 157
at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
--- End of stack trace from previous location ---
at System.Lazy`1.CreateValue()
at Indicium.StartupExtensions.<>c__DisplayClass14_0.<addOpenIDServices>b__2() in C:\azp\agent\_work\1\s\src\Indicium\StartupExtensions.UserServices.cs:line 171
at Indicium.StartupExtensions.<>c__DisplayClass19_0.<addLazySigningCredential>b__0() in C:\azp\agent\_work\1\s\src\Indicium\StartupExtensions.UserServices.cs:line 460
at Indicium.LazySigningCredentialStore.GetSigningCredentialsAsync() in C:\azp\agent\_work\1\s\src\Indicium\StartupExtensions.UserServices.cs:line 490
at Duende.IdentityServer.Services.DefaultKeyMaterialService.GetSigningCredentialsAsync(IEnumerable`1 allowedAlgorithms) in /_/src/IdentityServer/Services/Default/DefaultKeyMaterialService.cs:line 53
at Duende.IdentityServer.Services.DefaultTokenCreationService.CreateJwtAsync(Token token, String payload, Dictionary`2 headerElements) in /_/src/IdentityServer/Services/Default/DefaultTokenCreationService.cs:line 130
at Duende.IdentityServer.Services.DefaultTokenCreationService.CreateTokenAsync(Token token) in /_/src/IdentityServer/Services/Default/DefaultTokenCreationService.cs:line 76
at Duende.IdentityServer.Services.DefaultTokenService.CreateSecurityTokenAsync(Token token) in /_/src/IdentityServer/Services/Default/DefaultTokenService.cs:line 254
at Duende.IdentityServer.ResponseHandling.TokenResponseGenerator.CreateAccessTokenAsync(ValidatedTokenRequest request) in /_/src/IdentityServer/ResponseHandling/Default/TokenResponseGenerator.cs:line 438
at Duende.IdentityServer.ResponseHandling.TokenResponseGenerator.ProcessTokenRequestAsync(TokenRequestValidationResult validationResult) in /_/src/IdentityServer/ResponseHandling/Default/TokenResponseGenerator.cs:line 335
at Duende.IdentityServer.ResponseHandling.TokenResponseGenerator.ProcessAsync(TokenRequestValidationResult request) in /_/src/IdentityServer/ResponseHandling/Default/TokenResponseGenerator.cs:line 95
at Duende.IdentityServer.Endpoints.TokenEndpoint.ProcessTokenRequestAsync(HttpContext context) in /_/src/IdentityServer/Endpoints/TokenEndpoint.cs:line 133
at Duende.IdentityServer.Endpoints.TokenEndpoint.ProcessAsync(HttpContext context) in /_/src/IdentityServer/Endpoints/TokenEndpoint.cs:line 81
at Duende.IdentityServer.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IdentityServerOptions options, IEndpointRouter router, IUserSession userSession, IEventService events, IIssuerNameService issuerNameService, ISessionCoordinationService sessionCoordinationService) in /_/src/IdentityServer/Hosting/IdentityServerMiddleware.cs:line 106
at Duende.IdentityServer.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IdentityServerOptions options, IEndpointRouter router, IUserSession userSession, IEventService events, IIssuerNameService issuerNameService, ISessionCoordinationService sessionCoordinationService) in /_/src/IdentityServer/Hosting/IdentityServerMiddleware.cs:line 128
at Duende.IdentityServer.Hosting.MutualTlsEndpointMiddleware.Invoke(HttpContext context, IAuthenticationSchemeProvider schemes) in /_/src/IdentityServer/Hosting/MutualTlsEndpointMiddleware.cs:line 95
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Duende.IdentityServer.Hosting.DynamicProviders.DynamicSchemeAuthenticationMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/DynamicProviders/DynamicSchemes/DynamicSchemeAuthenticationMiddleware.cs:line 51
at Duende.IdentityServer.Hosting.BaseUrlMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/BaseUrlMiddleware.cs:line 27
at Indicium.Extensions.ApplicationBuilderExtensions.<>c.<<SameSiteOpenIDConnectInterceptor>b__0_0>d.MoveNext() in C:\azp\agent\_work\1\s\src\Indicium\Extensions\ApplicationBuilderExtensions.cs:line 57
--- End of stack trace from previous location ---
at Microsoft.AspNetCore.Session.SessionMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Session.SessionMiddleware.Invoke(HttpContext context)
at Indicium.Middleware.OpenId.RewriteOpenIdCallbackPathMiddleware.Invoke(HttpContext context) in C:\azp\agent\_work\1\s\src\Indicium\Middleware\OpenId\RewriteOpenIdCallbackPathMiddleware.cs:line 46
at Indicium.Middleware.Security.PreventUnsafeContentTypeMiddleware.InvokeAsync(HttpContext context) in C:\azp\agent\_work\1\s\src\Indicium\Middleware\Security\PreventUnsafeContentTypeMiddleware.cs:line 45
at Microsoft.AspNetCore.ResponseCompression.ResponseCompressionMiddleware.InvokeCore(HttpContext context)
at Indicium.Middleware.Security.AuthenticationHeadersMiddleware.InvokeAsync(HttpContext context) in C:\azp\agent\_work\1\s\src\Indicium\Middleware\Authentication\AuthenticationHeadersMiddleware.cs:line 52
at Indicium.Middleware.Security.SecurityHeadersMiddleware.InvokeAsync(HttpContext context, ContentSecurityPolicyBuilder cspBuilder) in C:\azp\agent\_work\1\s\src\Indicium\Middleware\Security\SecurityHeadersMiddleware.cs:line 54
at Indicium.Middleware.Messages.TSFMessagesMiddleware.Invoke(HttpContext context, IRootApplicationLoader rootApplicationLoader, TSFRequestContext requestContext) in C:\azp\agent\_work\1\s\src\Indicium\Middleware\Messages\TSFMessageMiddleware.cs:line 48
at Indicium.Middleware.Telemetry.ServerTimings.ServerTimingsMiddleware.InvokeAsync(HttpContext context, ServerTimingsBuilder serverTimingsBuilder) in C:\azp\agent\_work\1\s\src\Indicium\Middleware\Telemetry\ServerTimings\ServerTimingsMiddleware.cs:line 49
at Indicium.Middleware.ExceptionHandlingMiddleware.Invoke(HttpContext context, TSFRequestContext requestContext) in C:\azp\agent\_work\1\s\src\Indicium\Middleware\ExceptionHandlingMiddleware.cs:line 34

What am I missing here?
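A host-side check for the Production box, added here as an example; it is not part of the original post and not Thinkwise or Indicium code. The failing frame in the trace is the X509Certificate constructor importing PFX bytes inside Indicium's generateCertificate. The script assumes the usual Windows behaviour behind that frame: the import persists the private key to the calling user's key store, so an IIS worker process whose app pool does not load a user profile, or that cannot write to the DataProtection folder, can fail with "The system cannot find the file specified". It therefore compares the app pool's process model and the key directory ACL with what the pool identity needs (run the same script on Acceptance to diff the two), then exercises the client credentials grant. The app pool name, base URL, client id and secret are placeholders; the /connect/token path is the Duende IdentityServer default and is assumed, not taken from the post.

```powershell
# Added diagnostic for the Production host; not part of the original post
# or of Thinkwise/Indicium. Replace the placeholder values below.
# Assumption behind checks 1 and 2: X509Certificate import of PFX bytes on
# Windows writes the private key to the calling user's key store, which needs
# a loaded user profile, and the DataProtection folder must be writable by
# the app pool identity.
Import-Module WebAdministration

$AppPool  = 'Indicium-PROD'                                            # placeholder
$KeyDir   = 'C:\Thinkwise\PROD\iis-dataprotection\indicium-keys-PROD'  # from the post
$BaseUrl  = 'https://indicium.example.com/indicium'                    # placeholder
$ClientId = 'api-client'                                               # placeholder
$Secret   = Read-Host -AsSecureString 'Client secret'

# 1. App pool identity and whether the worker process loads a user profile.
$pm = Get-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel
$identity = switch ($pm.identityType) {
    'ApplicationPoolIdentity' { "IIS AppPool\$AppPool" }
    'SpecificUser'            { $pm.userName }
    default                   { $pm.identityType }
}
[pscustomobject]@{
    AppPool         = $AppPool
    Identity        = $identity
    LoadUserProfile = $pm.loadUserProfile
} | Format-List

if (-not $pm.loadUserProfile) {
    Write-Warning "loadUserProfile is False for '$AppPool'; PFX import into the user key store can fail without a profile."
}

# 2. Key directory exists and the pool identity holds Modify or FullControl on it.
if (-not (Test-Path $KeyDir)) {
    Write-Warning "Key directory '$KeyDir' does not exist."
} else {
    $acl = Get-Acl $KeyDir
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $identity -and
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights -match 'Modify|FullControl'
    }
    if ($ace) { "OK: $identity has $($ace.FileSystemRights -join ', ') on $KeyDir" }
    else      { Write-Warning "No Allow ACE with Modify/FullControl for '$identity' on '$KeyDir'." }
    Get-ChildItem $KeyDir -Filter 'key-*.xml' | Select-Object Name, LastWriteTime
}

# 3. Client credentials round trip against the token endpoint.
#    /connect/token is the Duende IdentityServer default path (assumed).
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secret))
try {
    $tok = Invoke-RestMethod -Method Post -Uri "$BaseUrl/connect/token" `
        -ContentType 'application/x-www-form-urlencoded' `
        -Body @{ grant_type = 'client_credentials'; client_id = $ClientId; client_secret = $plain }
    "Token issued: type=$($tok.token_type) expires_in=$($tok.expires_in)s"
} catch {
    Write-Warning "Token request failed: $($_.Exception.Message)"
} finally {
    $plain = $null
}
```

Run it in an elevated PowerShell on the Production host and again on Acceptance; a difference in Identity, LoadUserProfile, or the ACL entries is the first thing to reconcile before looking further into the Indicium configuration.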