Friday, May 25, 2012

Dynamics AX 2012: Some problems with setting up Form Authentication for Enterprise Portal


Lately we ran into two issues while setting up Form authentication for Dynamics AX 2012 Enterprise Portal.
We could open Enterprise Portal and select the Form-based authentication provider, then enter the user name and password. Immediately after clicking Sign in we got the SharePoint error "An unexpected error has occurred."
In the event log we could see the following error:
Cannot open database "aspnetdb" requested by the login. The login failed.
Login failed for user 'CONTOSO\bcproxy'.
System.Data.SqlClient.SqlException
   at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection)
   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
   at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
The issue happens when we run the following commands with an account that is not a local admin on the machine:

    $Cred = Get-Credential    # here I used the bcproxy account
    Add-AXSharepointClaimsAuthenticationProvider -Type Forms -Name FormsAuth -SigningCertificate $SigningCert -Credential $Cred -Port 7000 -SSLCertificate $SSLCert

The Form-based provider web application is created with an application pool that runs as the contoso\bcproxy user, and this user needs access to aspnetdb to authenticate Form users.
The solution to this problem is to add the CONTOSO\bcproxy user as a login to aspnetdb. We can give it the db_owner role for the database, or db_datareader + db_datawriter + execute permission on all aspnet_* stored procedures in the dbo schema.
After we got past the database login problem, we got a new error in the event log:
Keyset does not exist
System.Security.Cryptography.CryptographicException
at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean
This problem was a little more complicated, as the error is not straightforward.
The issue is that, after authenticating the user, the provider is unable to sign the claims because, again, the application pool account does not have access to the private key. To solve the problem:
  1. Open mmc
  2. Open Certificates (Local computer)
  3. Go to Personal > Certificates
  4. Select certificate created for signing (the one created with makecert.exe tool)
  5. Right-click this certificate and select All Tasks > Manage Private Keys
  6. Add your bcproxy account (the account that runs DynamicsFormsSTS –machinename.domain.com) and give the account Full control and Read
  7. Restart IIS
After the above actions, Form-based authentication should work correctly with Enterprise Portal.
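
A scripted way to check and fix the private key ACL from steps 1 to 6, as an added example that is not part of the original post. The thumbprint is a placeholder, the key is assumed to be a CSP key stored under MachineKeys (which is what makecert.exe creates), and the script grants only Read on the assumption that read access is enough for signing; the steps above also grant Full control.

```powershell
# Added example, not from the original post. Run in an elevated Windows PowerShell
# session on the Enterprise Portal server.
param(
    [string]$Thumbprint = '<SIGNING-CERT-THUMBPRINT>',  # placeholder, fill in your own
    [string]$Account    = 'CONTOSO\bcproxy',             # application pool account from the post
    [string]$Rights     = 'Read'                         # assumption: Read is enough to sign
)

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key in LocalMachine\My."
}

# CSP keys expose the name of the key file; this lookup does not cover CNG keys.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
if (-not $container) { throw 'Could not resolve a CSP key container for this certificate.' }
$keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
if (-not (Test-Path -LiteralPath $keyFile)) { throw "Key file not found: $keyFile" }

# Show who can currently use the key. "Keyset does not exist" usually means the
# application pool account is missing from this list.
$acl = Get-Acl -Path $keyFile
$acl.Access | Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize

# Only direct entries are checked here; access inherited through a group is not detected.
$direct = $acl.Access | Where-Object {
    $_.IdentityReference.Value -ieq $Account -and $_.AccessControlType -eq 'Allow'
}
if ($direct) {
    Write-Output "$Account already has a direct Allow entry: $($direct.FileSystemRights)"
} else {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $Rights, 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    Write-Output "Granted $Rights on $keyFile to $Account. Restart IIS (iisreset) afterwards."
}
```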

2 comments:

Rahul said...

Hi,
Can you please tell me how to set up form-based authentication for the customer portal in AX 2012 R2? Please help me.

Thanks
Pasha.

somanna said...

http://smrithisomanna.blogspot.in/2013/08/claims-based-flexible-authentication-in.html
