Hosted App server using different key exchange as SharePoint Server

We have had some authentication issues on a test farm for some time now and I’ve finally gotten the bandwidth and support from senior team members to drill into the issue. I opened the site while monitoring with F12 and the Security tab in Chrome. The following was showing for the 2 sites (hosted and SP):

Hosted App Server
TLS 1.2
Key exchange: RSA
Cipher: AES_256_GCM

SharePoint Site
TLS 1.2
Key exchange: ECDHE_RSA
Key exchange group: P-256
Cipher: AES_256_CBC with HMAC-SHA1

The error that is being returned when we attempt to update a SharePOint record from the hosted app’s API calls is ‘error: invalid provider type specified

When approving a task in the ootb sharepoint views no error is returned. When approving a task using the hosted app webpart we receive the error.

It appears that the hosted app’s key exchange and cipher are not shared by the sharepoint servers. Both servers are suing the same cipher suites. They both have enabled th ecipher suite ordering.

I searched both server CS collections for “AES_256_CBC with HMAC-SHA1” and did not find it in either place. THoughts? I searched th WFE and the hosted AAPP servers for this value.

Shouldn’t this show up in the suites on the server if chrome says it is using it?

This code works on our production farm.

Here is the stacktrace:
Sources: mscorlib StackTraces: at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle) at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize) at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey() at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey() at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetAsymmetricAlgorithm(String algorithm, Boolean privateKey) at Microsoft.IdentityModel.S2S.Tokens.X509AsymmetricSignaturePro vider..ctor(X509AsymmetricSecurityKey x509Key) at Microsoft.IdentityModel.S2S.Tokens.SignatureProvider.Create(SigningCredentials signingCredentials) at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.Sign(String signingInput, SigningCredentials signingCredentials) at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.WriteTokenAsString(SecurityToken token) at eInvoiceAppWeb.TokenHelper.IssueToken(String sourceApplication, String issuerApplication, String sourceRealm, String targetApplication, String targetRealm, String targetApplicationHostName, Boolean trustedForDelegation, IEnumerable1 claims, Boolean appOnly) in <path to>TokenHelper.cs:line 865 at eInvoiceAppWeb.TokenHelper.GetS2SAccessTokenWithClaims(String targetApplicationHostName, String targetRealm, IEnumerable1 claims) in TokenHelper.cs:line 805 at eInvoiceAppWeb.TokenHelper.GetS2SClientContextWithWindowsIdentity(Uri targetApplicationUri, WindowsIdentity identity) in TokenHelper.cs:line 602 at eInvoiceAppWeb.Models.TaskWebService.ApproveFlexiTasks(ApproveTasksDto approveTasksDto) in Mod elsTaskWebService.cs:line 38 at eInvoiceAppWeb.Controllers.TaskServiceController.ApproveWorkflowTasks(ApproveTasksDto data) in TaskServiceController.cs:line 861