Oleksandr Pshenychnyy Oleksandr Pshenychnyy - 1 month ago 17
C# Question

ADFS token encryption certificate chain validation fails

I have ASP.NET MVC web site which I configured to authenticate through Active Directory Federation Service. Everything worked fine until I tried to enable token encryption. As usual, I created one more self-signed certificate on IIS, added it to Trusted Root authorities on my web server and ADFS server and run application to veryfy how it works.

My application correctly redirected me to ADFS service page to enter credentials. But when I submit my login and password, I immediately get "

An error occured
" message on the same login page with not very useful details section:

Activity ID: 00000000-0000-0000-b039-0080010000e4
Relying party: [My relying party name]
Error time: Fri, 21 Oct 2016 18:48:24 GMT
Cookie: enabled
User agent string: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36


I don't get redirected to my web site after that and Network panel doesn't contain any requests.

But I discovered, that if I add the following setting into my web site's web.config, it starts working again:

<certificateValidation certificateValidationMode="None" />


So the error must be related to the fact that my certificate is self-signed. But I have added it to trusted root authorities both on web server and ADFS server (as well as few other "suspicious" certificates).

Does anybody have an idea what could be missing and what can I do to make my test environment work with self-signed certificates, while validating certificate chain?

Answer

It appeared that to resolve an error it was enough to add ADFS Token Signing certificate as Trusted Root Certification Authority on my web server.

PS: I'm not sure why token signing certificate chain validation didn't raise errors when encryption was disabled and what relation does it have to encryption at all, but the fact is that it helped for both environments we've used for testing.