[Bug] Inconsistent exceptions when signing the client assertion

[pmaytak]

Library version used

4.50.0

.NET version

NetFx, NET 6

Scenario

ConfidentialClient - service to service (AcquireTokenForClient)

Is this a new or an existing app?

None

Issue description and reproduction steps

A WindowsCryptographicException is thrown sometimes when an assertion is signed in the crypto manager. The error internally seems to come from the RSA key. Retrying the request doesn't usually help since the key seems to stay in the faulted state.

microsoft-authentication-library-for-dotnet/src/client/Microsoft.Identity.Client/PlatformsCommon/Shared/CommonCryptographyManager.cs

Line 70 in 9029e1c

var signedData = rsa.SignData(Encoding.UTF8.GetBytes(message), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: The RPC call contains a handle that differs from the declared handle type.
at System.Security.Cryptography.CngKey.get_KeySize()
at Internal.Cryptography.CngAlgorithmCore.GetOrGenerateKey(Int32 keySize, CngAlgorithm algorithm)
at System.Security.Cryptography.RSACng.get_Key()
at System.Security.Cryptography.RSACng.SignHash(Byte[] hash, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
at System.Security.Cryptography.RSA.SignData(Byte[] data, Int32 offset, Int32 count, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
at System.Security.Cryptography.RSA.SignData(Byte[] data, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
at Microsoft.Identity.Client.PlatformsCommon.Shared.CommonCryptographyManager.SignWithCertificate(String message, X509Certificate2 certificate)
at Microsoft.Identity.Client.Internal.JsonWebToken.Sign(X509Certificate2 certificate, String base64EncodedThumbprint, Boolean sendX5C)
at Microsoft.Identity.Client.Internal.ClientCredential.CertificateAndClaimsClientCredential.AddConfidentialClientParametersAsync(OAuth2Client oAuth2Client, ILoggerAdapter logger, ICryptographyManager cryptographyManager, String clientId, String tokenEndpoint, Boolean sendX5C, CancellationToken cancellationToken)
at Microsoft.Identity.Client.OAuth2.TokenClient.AddBodyParamsAndHeadersAsync(IDictionary`2 additionalBodyParameters, String scopes, CancellationToken cancellationToken)
at Microsoft.Identity.Client.OAuth2.TokenClient.SendTokenRequestAsync(IDictionary`2 additionalBodyParameters, String scopeOverride, String tokenEndpointOverride, CancellationToken cancellationToken)
at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.FetchNewAccessTokenAsync(CancellationToken cancellationToken)
at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.ExecuteAsync(CancellationToken cancellationToken)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
at Microsoft.Identity.Client.ApiConfig.Executors.ConfidentialClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenForClientParameters clientParameters, CancellationToken cancellationToken)

WindowsCryptographicException: The remote procedure call failed and did not execute
// same stack trace as above

Relevant code snippets

No response

Expected behavior

No response

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

• Upgrade to newer .NET frameworks (seems to be more stable)
• Restart the application.