SharePoint 2010 Error The Signature of the certificate cannot be verified

0
votes

My client wants the SharePoint web application to be authenticated using SiteMinder Claims based STS Web Service agent. When the web app started and authentication provider is selected web app will redirect to a login page and over the correct credentials it should redirect back to the site. What is happening is over the correct credentials the SharePoint web application returns with the following error:

Any clue what might be the reason? I am happy to assist if additional information is required.

NotSignatureValid: The signature of the certificate cannot be verified. 1048576: Unknown error.

Exception Details:

System.IdentityModel.Tokens.SecurityTokenValidationException: NotSignatureValid: The signature of the certificate cannot be verified. 1048576: Unknown error.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[SecurityTokenValidationException: NotSignatureValid: The signature of the certificate cannot be verified. 1048576: Unknown error.] Microsoft.SharePoint.SPImmutableCertificateValidator.Validate(X509Certificate2 certificate) +181 Microsoft.SharePoint.SPCertificateValidator.Validate(X509Certificate2 certificate) +260 Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token) +520

[SecurityTokenValidationException: ID4257: X.509 certificate '[email protected], CN=certName, OU=WHQ, O=CSC, L=Chantilly, S=Virigina, C=US' validation failed by the token handler.] Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token) +1358733 Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri) +118 Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request) +461 Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +1099702 System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171

1
sharepointx509certificateclaims-based-identitysiteminder
To rule out a possible conflict with a Microsoft patch, what size key are you using in your certificate? - gtrig
Hi @gtrig seems that is the the issue. Key size of the certificate is 512 and certificate is provided by the client. The same solution works in the Windows 7 environment but not in Windows Server 2008 R2 environment. Any workaround (reg edit or etc) to make this certificate work ? Thanks for the support ! - Randi Ratnayake
Hi @Randy, the "right" solution is to have a new certificate created with at least the minimum key size of 1024 (although 2048 is recommended). If things are working in the Win 7 environment, it's probably because that patch hasn't been applied yet. If you absolutely can't have the cert recreated at this time, there are some instructions for modifying the registry on this MS support page. It only mentions Win 8 and Windows Server 2012, so it may not work for your situation. And it comes with a warning that it is not a long term secure solution. - gtrig
Hi @gtrig with your previous comment you tipped me off the real issue. I dig in to the problem and found a workaround. I will post the complete solution in a separate thread. I agree with you. Messing around with registry will not be a recommended approach. However it did the work for me. I have informed my client regarding this issue and I may get a new certificate. Meantime I should say Thank you very much for the great help. - Randi Ratnayake

1 Answers

1
votes

Solution Time!

Special Thanks for @gtrig for tipping me off the real issue behind the error.

Why the Error

The error cause as a result of a Microsoft security patch (KB2661254) adding a restriction to certificate validation. This patch requires the certificate RSA key to be greater than or equal to 1024bits. The given siteminder.cer contains a 512bits RSA key. The following link would explain the issue in detail.

http://blogs.technet.com/b/rmilne/archive/2012/09/03/important-upcoming-certificate-changes.aspx

The solution in detail is here. http://support.microsoft.com/kb/2661254

But for me only adding the following regedit key did the trick. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config

minRSAPubKeyBitLength : Decimal 512

To apply this registry modification open command prompt (Make sure the user has admin privileges, else start command prompt Administrator mode) and execute

certutil -setreg chain\minRSAPubKeyBitLength 512

However I would recommend reading through the entire solution from the above link in depth to find unique solution.

Important: This is not recommended approach in a client environment as this may possibly compromise the security of the server environment.

Recommended solution is to have a new certificate created with at least the minimum key size of 1024 (although 2048 is recommended)