WS-Federation authentication with Certificate chain validation.

Hello,

Has anyone encountered this error when configuring WS-Federation authentication with Azure? This error appears whenever I check Certificate chain validation.

The X.509 certificate CN=accounts.accesscontrol.windows.net is not in the trusted people store. The X.509 certificate CN=accounts.accesscontrol.windows.net chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider

  • I haven't experienced the issue in Active Roles Azure setup, but for sure I've had cert chains fail due to intermediate certs being expired or revoked. The answer is there - replace the cert or skip the validation. Typically, if an intermediate cert expires or is revoked, the CA can re-sign the cert from a trusted CA to re-establish the trusted chain of authority. So it will likely still be the same cert in terms of crypto keys, etc., but with additional CA signatures on it.

  • Good morning,

    Thank you for your reply.

    I unchecked the option and it is working normally; it is the third client that I have configured and left unchecked.

    I was unable to identify which certificate it is complaining about. Is the ARS certificate valid, are the certificates in the chain valid too, or would it be another certificate?
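
For the follow-up question about which certificate the validation rejects, the following is an added diagnostic example, not code from the thread or from the product. It assumes the signing certificate named in the error has been saved to a `.cer` file (the path is hypothetical), then checks the Trusted People store and reports the status of every element in the chain.

```powershell
# Added diagnostic example; not part of the original thread or the product.
# Assumption: the signing certificate from the error message was saved to
# the file below (hypothetical path).
param(
    [string]$CertPath = 'C:\Temp\wsfed-signing.cer'
)

$x509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$x509.X509Certificate2" (Resolve-Path $CertPath).Path

# 1. Peer trust: is this exact certificate in LocalMachine\TrustedPeople?
$pinned = [bool](Get-ChildItem Cert:\LocalMachine\TrustedPeople |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint })
"Subject                        : $($cert.Subject)"
"In LocalMachine\TrustedPeople  : $pinned"
"Self-signed (Subject = Issuer) : $($cert.Subject -eq $cert.Issuer)"

# 2. Chain trust: build the chain in machine context with revocation checks,
#    so expired, revoked and untrusted-root conditions are all reported.
$chain = New-Object "$x509.X509Chain" $true    # $true = machine context
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$trusted = $chain.Build($cert)
"Chain builds and is trusted    : $trusted"

# 3. Per-element report: the element whose Status is not OK is the one
#    the validation is complaining about.
$report = foreach ($el in $chain.ChainElements) {
    $flags = @($el.ChainElementStatus |
        Where-Object { $_.Status -ne 'NoError' } |
        ForEach-Object { $_.Status })
    [pscustomobject]@{
        Subject    = $el.Certificate.Subject
        Issuer     = $el.Certificate.Issuer
        NotAfter   = $el.Certificate.NotAfter
        Thumbprint = $el.Certificate.Thumbprint
        Status     = if ($flags) { $flags -join ', ' } else { 'OK' }
    }
}
$report | Format-List
```

Run it on the server that performs the validation, since the result depends on that machine's certificate stores.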
