WS-Federation authentication with Certificate chain validation.

Hello,

Has anyone encountered this error when configuring WS-Federation authentication with Azure? This error appears whenever I check Certificate chain validation.

The X.509 certificate CN=accounts.accesscontrol.windows.net is not in the trusted people store. The X.509 certificate CN=accounts.accesscontrol.windows.net chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider

  • I haven't experienced the issue in Active Roles Azure setup, but for sure I've had cert chains fail due to intermediate certs being expired or revoked. The answer is there - replace the cert or skip the validation. Typically, if an intermediate cert expires or is revoked, the CA can re-sign the cert from a trusted CA to re-establish the trusted chain of authority. So it will likely still be the same cert in terms of crypto keys, etc., but with additional CA signatures on it.

  • Good morning,

    Thank you for your reply.

    I unchecked the option and it is working normally; it is the third client that I have configured and left unchecked.

    I was unable to identify which certificate it is complaining about. Is the ARS certificate valid, are the certificates in the chain valid too, or would it be another certificate?
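To answer the question of which certificate the error is about: the message in the original post is the combined output of WCF's ChainOrPeerTrust mode, i.e. the token-signing certificate is neither in the LocalMachine\TrustedPeople store nor does it chain to a root in LocalMachine\Root. The PowerShell below is an added diagnostic, not code from the thread or from Active Roles; it assumes the signing certificate (CN=accounts.accesscontrol.windows.net) has been exported to the placeholder path and that the script runs on the ARS server so the same local stores are consulted.

```powershell
# Added example: reproduce both halves of WCF's ChainOrPeerTrust check and
# name the chain element that fails, instead of switching validation off.
param(
    # Placeholder path; export the token-signing certificate here first.
    [string]$CertPath = 'C:\temp\accounts.accesscontrol.windows.net.cer'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
"Leaf: $($cert.Subject)"
"Thumbprint: $($cert.Thumbprint)"

# PeerTrust half: is this exact certificate in LocalMachine\TrustedPeople?
$peer = Get-ChildItem Cert:\LocalMachine\TrustedPeople -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
"In TrustedPeople store: $([bool]$peer)"

# ChainTrust half: build the chain with online revocation checking over the
# whole chain (WCF's default), so expired or revoked intermediates show up too.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode     = 'Online'
$chain.ChainPolicy.RevocationFlag     = 'EntireChain'
$chain.ChainPolicy.VerificationFlags  = 'NoFlag'
$built = $chain.Build($cert)
"Chain builds to a trusted root: $built"

# Walk every element (leaf first, root last) and print its own status flags.
# UntrustedRoot on the last element means the issuing root is missing from
# LocalMachine\Root; NotTimeValid or Revoked on a middle element points at
# the intermediate the first reply describes.
$i = 0
foreach ($el in $chain.ChainElements) {
    $status = if ($el.ChainElementStatus.Count -eq 0) { 'OK' } else {
        ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    }
    "[{0}] {1}" -f $i, $el.Certificate.Subject
    "     valid {0:u} .. {1:u}" -f $el.Certificate.NotBefore, $el.Certificate.NotAfter
    "     status: $status"
    $i++
}

# Overall verdict as WCF would see it: either check passing is enough.
if ($built -or $peer) { 'ChainOrPeerTrust would succeed' } else { 'ChainOrPeerTrust would fail' }
```

Once the element with the non-OK status is known, importing that issuer into LocalMachine\Root (or the intermediate into LocalMachine\CA) lets the chain build again with Certificate chain validation left enabled.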