0
votes

I have a asp.net website that uses ADFS authentication for users to access the site.

I have configured the website in ADFS & web.config changes as per the configuration received from RP.

When I type the url, it is redirected to ADFS website where I put the valid credentials. Tokens are issues from ADFS (I checked the logs). But, upon redirected to my website I see an exception like below.

The X.509 certificate CN=staging.companynet.com, O=Company, L=Issy-Les-Moulineaux, S=Ile-de-France, C=FR is not in the trusted people store. The X.509 certificate CN=staging.companynet.com, O=Company, L=Issy-Les-Moulineaux, S=Ile-de-France, C=FR chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain could not be built to a trusted root authority.

Some more information in exception details:

The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain could not be built to a trusted root authority.

[SecurityTokenValidationException: ID4257: X.509 certificate 'CN=staging.companynet.com, O=Company, L=Issy-Les-Moulineaux, S=Ile-de-France, C=FR' validation failed by the token handler.]
   Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token) +1584
   Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token) +127
   Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri) +147
   Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request) +508
   Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +323
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +142
   System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +75
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +93

The certificate is already installed in "Trusted Root Certification Authorities". I have configured the same website on another server environment & its working fine. The only difference I see is when I open the certificate on new server, On first tab I see a note saying "Windows does not have enough information to verify this certificate" while on the other server it shows "The certificate is intended for the following purpose....." Other difference is, on "Certification Path" tab, it shows - "The issuer of this certificate could not be found." where on other server it shows - "The certificate is ok" Could that be the reason behind this error? How I can resolve it.

1

1 Answers

0
votes

It turned out that the server had restricted network access. Under certificate details tab, Authority Info Access has url mentioned as Access Method. I unblocked the mentioned URL on the server & the certification path started showing the certificate is valid. Error was removed after this.