After successful runtime operation for several months, all of a sudden the Duet Enterprise 2.0 scenarios in our demo landscape suffered from a structural fatal error: 'Exception in invoking the ODataExtensionProvider of type 'OBA.Server.Canary.ObaOdataServerExtensionProvider'.
The SharePoint ULS log contains a.o. entries pointing to issue with Security Cryptography. My immediate suspicion was that it has something to do with the Duet Enterprise 2.0 root certificate; somehow it became invalid? I increased the SharePoint diagnosing logging for Duet Enterprise, and reran one of the faulty scenarios. Now the ULS log contained the following: 'Exception happens during user certificate generation, exception - The specified X.509 certificate does not have the required private key'. So my suspicion seems valid.
As 1st attempt to recover, I applied the approach suggested on Microsoft Support for this kind of Certificate error: certutil -repairstore
But afterwards, issue is not resolved.
As 2nd attempt, I re-executed the ‘DuetConfig.exe –ConfigureRootCertificate’ command. But still no success.
I then inspected the Duet Enterprise 2.0 code, in particular class ‘ObaOdataServerExtensionProvider’ and the Duet Enterprise Single Sign-On classes that are involved in the context of this provider. I noticed that the Duet Enterprise code applies a runtime cache for the retrieved Duet Enterprise RootCertificate. So the Certificate repair(s) might yet have been missed in the running wp.exe proces. And indeed, after recycle of the App Pool, the repair takes effect and the Duet Enterprise Single Sign-On issue is resolved!
Note:
An additional required step after ‘DuetConfig.exe –ConfigureRootCertificate’, is that you assign the App Pool account of the SharePoint web application as member for the 'DuetApp' Application Id in Secure Store.
