Authentication on Azure - "Certificate not in Trusted Peoples Store"

Apr 12, 2012 at 4:58 PM
Edited Apr 20, 2012 at 10:47 AM

Hi there,

I'm having real trouble getting the authentication to work when hosting the portal on Azure. Although you can see Windows Live as an option to sign in, the following error occurs when you click "log in":

 

The X.509 certificate CN=xxxxxxxxxxxx.accesscontrol.windows.net is not in the trusted people store. The X.509 certificate CN=xxxxxxxxxxxx.accesscontrol.windows.net chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

Stack Trace:

[SecurityTokenValidationException: The X.509 certificate CN=xxxxxxxxxxxx.accesscontrol.windows.net is not in the trusted people store. The X.509 certificate CN=xxxxxxxxxxxx.accesscontrol.windows.net chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.]
   System.IdentityModel.Selectors.PeerOrChainTrustValidator.Validate(X509Certificate2 certificate) +958412
   Microsoft.IdentityModel.X509CertificateValidatorEx.Validate(X509Certificate2 certificate) +275
   Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateToken(SecurityToken token) +472
   Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token) +117
   Microsoft.Xrm.Portal.IdentityModel.Web.Modules.WSFederationAuthenticationModuleExtensions.GetClaimsPrincipal(WSFederationAuthenticationModule fam, HttpContext context) +218
   Microsoft.Xrm.Portal.IdentityModel.Web.Modules.WSFederationAuthenticationModuleExtensions.GetSessionSecurityToken(WSFederationAuthenticationModule fam, HttpContext context, String& identityProvider, String& userName, String& email, String& displayName, String emailClaimType, String displayNameClaimType, String identityProviderClaimType) +150
   Microsoft.Xrm.Portal.IdentityModel.Web.Handlers.FederationAuthenticationHandler.GetSessionSecurityToken(HttpContext context, WSFederationAuthenticationModule fam, IDictionary`2 signInContext, String& identityProvider, String& userName, String& email, String& displayName) +288
   Microsoft.Xrm.Portal.IdentityModel.Web.Handlers.FederationAuthenticationHandler.TryHandleSignInResponse(HttpContext context, WSFederationAuthenticationModule fam, IDictionary`2 signInContext) +199
   Microsoft.Xrm.Portal.IdentityModel.Web.Handlers.FederationAuthenticationHandler.TryHandleSignInResponse(HttpContext context, WSFederationAuthenticationModule fam) +120
   Microsoft.Xrm.Portal.IdentityModel.Web.Handlers.FederationAuthenticationHandler.ProcessRequest(HttpContext context) +530

[FederationAuthenticationException: Federated sign-in error.]
   Microsoft.Xrm.Portal.IdentityModel.Web.Handlers.FederationAuthenticationHandler.ProcessRequest(HttpContext context) +1204
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +625
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +270

 

I can't seem to find anything in the documentation that mentions this, so I'm not sure if I have done something completely wrong or if there is a step not mentioned. I can see the mentioned certificate in the Azure portal, but can't see anything about a trusted people store.

Any help on this would be greatly appreciated :)

 

Pete

Apr 20, 2012 at 7:14 AM
Edited Apr 20, 2012 at 7:15 AM

Hi Pete,

Same thing here...keen to know what the resolution was if you got yours sorted!

Cheers, John

The X.509 certificate CN=xxxxxxx.accesscontrol.windows.net is not in the trusted people store. The X.509 certificate CN=xxxxxxx.accesscontrol.windows.net chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

[SecurityTokenValidationException: The X.509 certificate CN=xxxxxxxx.accesscontrol.windows.net is not in the trusted people store. The X.509 certificate CN=xxxxxxx.accesscontrol.windows.net chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.


Apr 23, 2012 at 1:17 AM

Here I go answering my own question.

I had omitted the step at the top of page 6 of the Portal Configuration Guide - Windows Azure ACS Authentication.doc document, which is to include the following line in my portal solution's web.config. Problem solved!

<certificateValidation certificateValidationMode="None"/> 
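As an added illustration (not from the thread above and not taken from the portal's configuration guide), this is what the surrounding WIF 3.5 web.config section looks like and what the "None" setting actually changes. The ACS namespace placeholder follows the thread; the realm and audience URL, the thumbprint value and the exact section layout are assumptions. The error in the first post is the certificate validator doing ChainTrust or PeerTrust on the ACS token-signing certificate: that certificate is self-signed, so chain building ends in an untrusted root, and it is not in the TrustedPeople store either. certificateValidationMode="None" switches both checks off. The token signature is still verified, but the only thing that then binds an accepted token to your ACS namespace is the thumbprint in issuerNameRegistry, so that thumbprint must be copied from the namespace's token-signing certificate in the ACS management portal and updated whenever that certificate is rotated.

```xml
<!-- Constructed example of the Microsoft.IdentityModel section of the portal web.config.
     The ACS namespace placeholder is taken from the thread; the realm, audience and
     thumbprint values are placeholders and must be replaced with your own. -->
<configuration>
  <configSections>
    <section name="microsoft.identityModel"
             type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>

  <microsoft.identityModel>
    <service>
      <!-- Tokens issued for any other realm are rejected; unaffected by certificateValidationMode. -->
      <audienceUris>
        <add value="https://portal.example.com/" />
      </audienceUris>

      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true"
                      issuer="https://xxxxxxxxxxxx.accesscontrol.windows.net/v2/wsfederation"
                      realm="https://portal.example.com/"
                      requireHttps="true" />
        <cookieHandler requireSsl="true" />
      </federatedAuthentication>

      <!-- Trust anchor for incoming tokens: the signature must verify against a certificate
           whose SHA-1 thumbprint is listed here, otherwise the token is rejected regardless
           of certificateValidationMode. Copy the thumbprint of the namespace's token-signing
           certificate from the ACS management portal (placeholder value shown). -->
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="0000000000000000000000000000000000000000"
               name="https://xxxxxxxxxxxx.accesscontrol.windows.net/" />
        </trustedIssuers>
      </issuerNameRegistry>

      <!-- The line from the thread. "None" skips chain building and the TrustedPeople lookup
           for the signing certificate. The ACS certificate is self-signed, so ChainTrust can
           never succeed; with "None" the thumbprint above is what you are trusting instead.
           Stricter alternative, usable once the ACS signing certificate has been installed
           into LocalMachine\TrustedPeople on every role instance:
           <certificateValidation certificateValidationMode="PeerTrust"
                                  revocationMode="NoCheck"
                                  trustedStoreLocation="LocalMachine" />  -->
      <certificateValidation certificateValidationMode="None" />
    </service>
  </microsoft.identityModel>
</configuration>
```

Two checks worth doing before shipping the "None" setting: confirm that the thumbprint in trustedIssuers really is the current token-signing certificate of your namespace (a token signed by any other certificate must then fail with an issuer-not-recognized error, which is easy to verify by temporarily changing one hex digit), and make sure no wildcard or empty trustedIssuers entry has been left in from a sample, since with chain validation off that list is the whole of the trust decision. The PeerTrust variant shown in the comment keeps the store lookup the error message was complaining about, but it only works if the certificate is actually present in LocalMachine\TrustedPeople on each Azure instance, which is the part that was missing in the original report.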

Apr 23, 2012 at 10:47 AM

I did the same, been stuck on this problem for ages and it's all down to one line of code! :)