Customers can't get in... Expired sts certificate?
-
Wednesday, August 01, 2012 4:13 PM
hi all:
We have a web app which 'delegates' its authentication to a third party portal.
Users log into the portal, select our application from among a list of applications.
Recently, a customer complained that she could no longer log in. The error log revealed that nobody was getting in, and everyone was generating this exception text:
... usage time is invalid. The usage time '8/1/2012 7:56:38 AM' does not fall between NotBefore time '7/27/2011 5:00:00 PM' and NotAfter time '7/27/2012 4:59:59 PM'. ...
(The last successful login of the customer corresponded to the expiration date of the issuer's certificate.)
So, I contacted the third party, got the new thumbprint, and entered it in the web.config of the application.
However, customers still can't get in. What else is there that has to be done?
In this scenario, where the customer first goes to a portal, and is linked to the web application (rather than typically, where the customer gets to the app first, and gets redirected to, and back from, the STS), what is the sequence of interchanges that happen between the rp and the ip/sts? Who is decrypting what, and with what bits? I don't recall ever having to import their certificate, or their public key; it seems to me all that has ever been needed is the thumbprint of the sts' cert?
Am I missing something?
thanks in advance
david m chinn
dmc_lat47
All Replies
-
Wednesday, August 01, 2012 10:25 PM
This might be a dumb question, but is your server time and date set correctly?
Developer Security MVP | www.syfuhs.net
-
Thursday, August 02, 2012 5:00 PM
well, yes it was.
But the problem was found on the portal side. Apparently they had to put the new thumbprint somewhere as well.
However, I'm still curious regarding the back and forth between the rp and the sts.
The only thing the rp web.config knows about the sts from the portal is the thumbprint. No other information about the portal is kept on the rp side.
When the portal authenticates a user, the only thing that the sts sends over is the encrypted saml token containing the user name and roles.
Does the framework on the rp side go fetch the public key from the sts? If so, does it get cached somewhere?
One post I saw talked about removing and re-adding the sts through FedUtil. What does that do? Is there something other than the thumbprint that has to be adjusted on the rp side?
thanks in advance
dmc_lat47
- Edited by dmc_lat47 Thursday, August 02, 2012 5:01 PM
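As an added illustration (not code from this thread and not WIF's implementation) of the two checks a relying party applies to the certificate that signed an incoming token, using the dates from the error text above: the certificate's validity window at the time of use, and the thumbprint lookup against the trusted issuers configured in web.config. It assumes the token's XML signature carries the signing certificate (so the rp never fetches a key from the sts), and the check order (validity before thumbprint) is likewise an assumption chosen to reproduce the quoted message.

```python
# Added example, not WIF's code: simulate an RP's checks on a token's signing certificate.
import hashlib
from datetime import datetime

DATE_FMT = "%m/%d/%Y %I:%M:%S %p"  # the date format shown in the thread's error text

def thumbprint(der_bytes: bytes) -> str:
    """A certificate thumbprint is the SHA-1 hash of the DER-encoded certificate, in upper-case hex."""
    return hashlib.sha1(der_bytes).hexdigest().upper()

class SigningCert:
    """Minimal stand-in for the X.509 certificate carried in the token's signature."""
    def __init__(self, der_bytes: bytes, not_before: str, not_after: str):
        self.not_before_text, self.not_after_text = not_before, not_after
        self.not_before = datetime.strptime(not_before, DATE_FMT)
        self.not_after = datetime.strptime(not_after, DATE_FMT)
        self.thumbprint = thumbprint(der_bytes)

def validate_signing_cert(cert: SigningCert, trusted_thumbprints, usage_time: str):
    """Return (accepted, reason). Check order (validity window, then trusted-issuer
    lookup) is an assumption chosen to reproduce the message quoted in the thread."""
    t = datetime.strptime(usage_time, DATE_FMT)
    if not (cert.not_before <= t <= cert.not_after):
        return False, (f"usage time '{usage_time}' does not fall between NotBefore time "
                       f"'{cert.not_before_text}' and NotAfter time '{cert.not_after_text}'")
    # Normalize configured thumbprints (copied from a cert viewer they often contain spaces).
    trusted = {x.replace(" ", "").upper() for x in trusted_thumbprints}
    if cert.thumbprint not in trusted:
        return False, f"thumbprint {cert.thumbprint} is not a configured trusted issuer"
    return True, "token signer accepted"

# Constructed certificates: the DER bytes are placeholders, only their thumbprints matter here.
OLD_CERT = SigningCert(b"constructed-old-sts-cert", "7/27/2011 5:00:00 PM", "7/27/2012 4:59:59 PM")
NEW_CERT = SigningCert(b"constructed-new-sts-cert", "7/27/2012 5:00:00 PM", "7/27/2013 4:59:59 PM")
USAGE = "8/1/2012 7:56:38 AM"  # the failing login time from the thread

def scenarios():
    """Every combination of which cert the portal signs with and which thumbprint the RP trusts."""
    return {
        "portal old, rp old": validate_signing_cert(OLD_CERT, [OLD_CERT.thumbprint], USAGE),  # the outage
        "portal old, rp new": validate_signing_cert(OLD_CERT, [NEW_CERT.thumbprint], USAGE),  # only web.config updated
        "portal new, rp old": validate_signing_cert(NEW_CERT, [OLD_CERT.thumbprint], USAGE),  # only portal updated
        "portal new, rp new": validate_signing_cert(NEW_CERT, [NEW_CERT.thumbprint], USAGE),  # both sides updated
    }

if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name}: {'OK' if ok else 'REJECTED'} - {why}")
```

Updating only the rp's web.config leaves the "portal old, rp new" case rejected for the same validity reason, because the token still arrives signed with the expired certificate.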

