C# OpenCSP失败，错误代码为2148073494

当我们的Azure应用程序服务被移动到应用程序服务环境时，我们开始看到此异常间歇性发生。我们使用的是Identity Server 4，在令牌签名期间发生异常。这可以在下面的调用堆栈中看到

签名证书从未保存到证书存储，它是作为字节数组从数据库加载的：

new X509Certificate2(rawData, password,
                    X509KeyStorageFlags.MachineKeySet |
                    X509KeyStorageFlags.PersistKeySet);

这些参考文献似乎是同一个问题：

编辑： 起初我们认为这是Azure中应用程序服务Env特有的东西，但现在我们在标准应用程序服务中看到了例外。作为测试，我们创建了一个Azure web作业，该作业从字节数组加载证书并创建JWT令牌（需要私钥进行签名）。这就纠正了错误。另外值得注意的是，当某些标志被传递到

X509Certificate2

ctor（例如

x509keystargeflags.UserKeySet

）时，Azure Web作业甚至不会运行

堆栈跟踪每次都相同：

System.Security.Cryptography.CryptographicException:
   at Internal.NativeCrypto.CapiHelper.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.RSACryptoServiceProvider.get_SafeProvHandle()
   at System.Security.Cryptography.RSACryptoServiceProvider.get_SafeKeyHandle()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 keySize, CspParameters parameters, Boolean useDefaultKeySize)
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(CspParameters parameters)
   at Internal.Cryptography.Pal.CertificatePal.<>c.<GetRSAPrivateKey>b__59_0(CspParameters csp)
   at Internal.Cryptography.Pal.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
   at Internal.Cryptography.Pal.CertificatePal.GetRSAPrivateKey()
   at Internal.Cryptography.Pal.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
   at Microsoft.IdentityModel.Tokens.X509SecurityKey.get_PrivateKey()
   at Microsoft.IdentityModel.Tokens.X509SecurityKey.get_HasPrivateKey()
   at Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider.HasPrivateKey(SecurityKey key)
   at Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(SecurityKey key, String algorithm, Boolean willCreateSignatures)
   at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures)
   at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForSigning(SecurityKey key, String algorithm)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.CreateEncodedSignature(String input, SigningCredentials signingCredentials)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.WriteToken(SecurityToken token)
   at IdentityServer4.Services.DefaultTokenCreationService.CreateJwtAsync(JwtSecurityToken jwt)
   at IdentityServer4.Services.DefaultTokenCreationService.<CreateTokenAsync>d__3.MoveNext()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at IdentityServer4.Services.DefaultTokenService.<CreateSecurityTokenAsync>d__9.MoveNext()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
   at IdentityServer4.ResponseHandling.TokenResponseGenerator.<CreateAccessTokenAsync>d__10.MoveNext()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at IdentityServer4.ResponseHandling.TokenResponseGenerator.<ProcessTokenRequestAsync>d__8.MoveNext()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at IdentityServer4.ResponseHandling.TokenResponseGenerator.<ProcessAsync>d__6.MoveNext()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at IdentityServer4.Endpoints.TokenEndpoint.<ProcessTokenRequestAsync>d__6.MoveNext()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at IdentityServer4.Endpoints.TokenEndpoint.<ProcessAsync>d__5.MoveNext()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at IdentityServer4.Hosting.IdentityServerMiddleware.<Invoke>d__3.MoveNext()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at IdentityServer4.Hosting.FederatedSignOutMiddleware.<Invoke>d__6.MoveNext()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at IdentityServer4.Hosting.AuthenticationMiddleware.<Invoke>d__2.MoveNext()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware`1.<Invoke>d__18.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware`1.<Invoke>d__18.MoveNext()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
   at Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware.<Invoke>d__7.MoveNext()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at IdentityServer4.Hosting.BaseUrlMiddleware.<Invoke>d__2.MoveNext()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware`1.<Invoke>d__18.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware`1.<Invoke>d__18.MoveNext()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware`1.<Invoke>d__18.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware`1.<Invoke>d__18.MoveNext()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.ApplicationInsights.AspNetCore.ExceptionTrackingMiddleware.<Invoke>d__4.MoveNext()

System.Security.Cryptography.Cryptography异常：
位于Internal.NativeCrypto.CapiHelper.CreateProvHandle（CspParameters参数，布尔随机键容器）
在System.Security.Cryptography.rsacyptoServiceProvider.get_SafeProvHandle（）中
在System.Security.Cryptography.rsacyptoServiceProvider.get_SafeKeyHandle（）上
在System.Security.Cryptography.RSACryptoServiceProvider..ctor（Int32密钥大小、CspParameters参数、布尔useDefaultKeySize）
at System.Security.Cryptography.RSACryptoServiceProvider..ctor（CSPSParameters）
在内部.Cryptography.Pal.CertificatePal.c.b_u59_u0（csp参数）
在Internal.Cryptography.Pal.CertificatePal.GetPrivateKey[T]（Func`2 createCsp，Func`2 createCng）
在Internal.Cryptography.Pal.CertificatePal.GetRSAPrivateKey（）中
在Internal.Cryptography.Pal.CertificateExtensionsCommon.GetPrivateKey[T]（X509Certificate2证书，谓词'1匹配约束）
在Microsoft.IdentityModel.Tokens.X509SecurityKey.get_PrivateKey（）上
在Microsoft.IdentityModel.Tokens.X509SecurityKey.get_HasPrivateKey（）上
位于Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider.HasPrivateKey（SecurityKey）
位于Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor（SecurityKey、字符串算法、布尔willCreateSignatures）
位于Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider（安全密钥、字符串算法、布尔willCreateSignatures）
位于Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForSigning（SecurityKey，字符串算法）
位于System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.CreateEncodedSignature（字符串输入，签名凭证签名凭证）
位于System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.WriteToken（SecurityToken令牌）
在IdentityServer4.Services.DefaultTokenCreationService.CreateJwtAsync（JWTSecurityTokenJWT）
在IdentityServer4.Services.DefaultTokenCreationService.d_u3.MoveNext（）处
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess（任务任务）
在System.Runtime.CompilerServices.TaskWaiter.HandleNonSuccessAndDebuggerNotification（任务任务）中
在IdentityServer4.Services.DefaultTokenService.d_u9.MoveNext（）处
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess（任务任务）
在System.Runtime.CompilerServices.TaskWaiter.HandleNonSuccessAndDebuggerNotification（任务任务）中
at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd（任务任务）
at IdentityServer4.ResponseHandling.TokenResponseGenerator.d__10.MoveNext（）
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess（任务任务）
在System.Runtime.CompilerServices.TaskWaiter.HandleNonSuccessAndDebuggerNotification（任务任务）中
at IdentityServer4.ResponseHandling.TokenResponseGenerator.d__8.MoveNext（）
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess（任务任务）
在System.Runtime.CompilerServices.TaskWaiter.HandleNonSuccessAndDebuggerNotification（任务任务）中
at IdentityServer4.ResponseHandling.TokenResponseGenerator.d__6.MoveNext（）
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess（任务任务）
在System.Runtime.CompilerServices.TaskWaiter.HandleNonSuccessAndDebuggerNotification（任务任务）中
在IdentityServer4.Endpoints.TokenEndpoint.d_u6.MoveNext（）处
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess（任务任务）
在System.Runtime.CompilerServices.TaskWaiter.HandleNonSuccessAndDebuggerNotification（任务任务）中
在IdentityServer4.Endpoints.TokenEndpoint.d_u5.MoveNext（）处
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess（任务任务）
在System.Runtime.CompilerServices.TaskWaiter.HandleNonSuccessAndDebuggerNotification（任务任务）中
在IdentityServer4.Hosting.IdentityServerMiddleware.d_u3.MoveNext（）处
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess（任务任务）
在System.Runtime.CompilerServices.TaskWaiter.HandleNonSuccessAndDebuggerNotification（任务任务）中
在IdentityServer4.Hosting.FederatedSignOutMiddleware.d_u6.MoveNext（）处
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess（任务任务）
在System.Runtime.CompilerServices.TaskWaiter.HandleNonSuccessAndDebuggerNotification（任务任务）中
在IdentityServer4.Hosting.AuthenticationMiddleware.d_u2.MoveNext（）处
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess（任务任务）
在System.Runtime.CompilerServices.TaskWaiter.HandleNonSuccessAndDebuggerNotification（任务任务）中
在System.Runtime.CompilerServices.TaskAwaiter.GetResult（）中
在Microsoft.AspNetCore.Authentication.AuthenticationMiddleware`1.d_u18.MoveNext（）中
在System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw（）中
在Microsoft.AspNetCore.Authentication.AuthenticationMiddleware`1.d_u18.MoveNext（）中
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess（任务任务）
在System.Runtime.CompilerServices.TaskWaiter.HandleNonSuccessAndDebuggerNotification（任务任务）中