Where do I get the thumbprint value for IssuerNameRegistry for WIF in AppFabric Labs?

  • 02 April 2011 6:22

    I'm attempting to log in using a slightly modified version of the ASP.NET MVC sample.
    I made a change to include a custom token signing and custom token encryption certificate.
    When I log in using Gmail, Yahoo, or LiveID I get the following error:

    ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.


    My web config has this:

          <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
            <trustedIssuers>
              <add thumbprint="6F49D82D97FD2F498ECC85F1BCFFC46E7D3C8F7D" name="https://agent7.accesscontrol.appfabriclabs.com" />
            </trustedIssuers>
          </issuerNameRegistry>
    My Federation document is here:
    https://agent7.accesscontrol.appfabriclabs.com/FederationMetadata/2007-06/FederationMetadata.xml
    Question:
    Since I think the issue is with the thumbprint or name of the trusted issuer, what do I set it to, and how do I derive the correct values?
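ConfigurationBasedIssuerNameRegistry looks the token's signing certificate up by thumbprint (the SHA-1 of the certificate's DER bytes, uppercase hex with no separators, as X509Certificate2.Thumbprint returns it) and hands back the configured name as the issuer name, so the values come from the KeyDescriptor use="signing" certificates in FederationMetadata.xml and, by FedUtil's convention, the document's entityID. The following added Python example (not from this thread) derives both from a constructed metadata document; the entityID and certificate bytes are placeholders, and a real run would parse the document fetched over HTTPS from the ACS namespace. It skips the separate encryption certificate, which must not be registered as an issuer.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by WS-Federation / SAML metadata documents.
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed stand-ins for the DER bytes of two certificates (a real
# document carries the base64 DER of the STS certificates here).
SIGNING_B64 = base64.b64encode(b"constructed DER stand-in: signing cert").decode()
ENCRYPTION_B64 = base64.b64encode(b"constructed DER stand-in: encryption cert").decode()

# Constructed metadata shaped like ACS FederationMetadata.xml; entityID is a placeholder.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example-namespace.accesscontrol.appfabriclabs.com/">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xsi:type="fed:SecurityTokenServiceType">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>%s</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>%s</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  </RoleDescriptor>
</EntityDescriptor>""" % (SIGNING_B64, ENCRYPTION_B64)

def thumbprint(cert_b64):
    """SHA-1 of the DER bytes as uppercase hex without separators, which is
    what X509Certificate2.Thumbprint returns and what trustedIssuers expects."""
    return hashlib.sha1(base64.b64decode(cert_b64)).hexdigest().upper()

def signing_thumbprints(metadata_xml):
    """Return (entityID, thumbprints of every certificate usable for signing)."""
    root = ET.fromstring(metadata_xml)
    prints = []
    for kd in root.iter(MD + "KeyDescriptor"):
        # A KeyDescriptor with no 'use' attribute is valid for both purposes.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(DS + "X509Certificate"):
            prints.append(thumbprint("".join(cert.text.split())))  # strip line wraps
    return root.get("entityID"), prints

def trusted_issuers_xml(metadata_xml):
    """Render the <trustedIssuers> block for web.config; one <add> per signing cert."""
    issuer, prints = signing_thumbprints(metadata_xml)
    adds = ['  <add thumbprint="%s" name="%s" />' % (p, issuer) for p in prints]
    return "\n".join(["<trustedIssuers>"] + adds + ["</trustedIssuers>"])
```

Calling trusted_issuers_xml(SAMPLE_METADATA) prints a block you can paste into the issuerNameRegistry element; when the STS publishes more than one signing certificate (for example during a rollover) every one of them gets its own add entry.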



All Replies

  • 02 April 2011 13:42

    I think that the problem is that you forgot to regenerate the STS reference..... every time you change something in Access Control, you need to renew the STS reference :-) Maybe there is a problem :-)
  • 02 April 2011 17:12

    I tried that and it still won't work...

    How does the tool get the certificate?  Perhaps my using a custom cert in the labs environment is causing this?

  • 02 April 2011 22:02

    I was able to get this working by setting the "signing certificate" back to default.  It seems that for some reason even though I had a custom signing cert for this endpoint, FedUtil wasn't able to detect it... and instead used the server default.

    This is a problem for me since I'm trying to merge the "WCF Certificate Authentication" and the ASP.NET Simple MVC samples.

    This leaves me with two similar questions:

    1) How do I get FedUtil to see the new signing certificate for use within MVC?

    2) or, how do I extract the signing certificate used in "agent7.fabriclabs..." for use within WCF?

    I'm very close, but need help going the last mile.

  • 25 July 2011 15:57

    Did you solve your problem yet? I am sorry, I forgot to create an alert for this thread :-/
    Windows Azure Teamleader Cloudikka blog
  • 02 March 2012 13:23
    Suggested Answer (has code)

    My solution to this was to implement a custom IssuerNameRegistry class:

    using System.Collections.Generic;
    using System.IdentityModel.Tokens;                    // SecurityToken, X509SecurityToken, SecurityTokenException
    using System.Linq;
    using System.Security.Cryptography.X509Certificates;
    using Microsoft.IdentityModel.Tokens;                 // IssuerNameRegistry (WIF 3.5)

    public class X509IssuerNameRegistry : IssuerNameRegistry
    {
        // Certificates whose holders are accepted as token issuers.
        public List<X509Certificate2> TrustedCertificates { get; private set; }

        public X509IssuerNameRegistry(params X509Certificate2[] trustedCertificates)
        {
            this.TrustedCertificates = new List<X509Certificate2>(trustedCertificates);
        }

        // WIF calls this while validating a token: returning a name means the issuer
        // is trusted, throwing means the token is rejected.
        public override string GetIssuerName(SecurityToken securityToken)
        {
            X509SecurityToken x509Token = securityToken as X509SecurityToken;
            if (x509Token != null)
            {
                //
                // Check the list of trusted/permissible issuers. The thumbprint (SHA-1 of
                // the certificate) pins the exact certificate; the subject name comparison
                // is an additional sanity check.
                //
                bool issuerTrusted = this.TrustedCertificates.Any(trusted =>
                    trusted.Thumbprint == x509Token.Certificate.Thumbprint &&
                    trusted.SubjectName.Name == x509Token.Certificate.SubjectName.Name);

                if (issuerTrusted)
                {
                    return x509Token.Certificate.SubjectName.Name;
                }
            }

            //
            // Complain in all other situations (non-X.509 token or unknown certificate).
            //
            throw new SecurityTokenException("Untrusted issuer.");
        }
    }

    This implementation takes an array of X509Certificate2 objects and stores them as trusted issuer certificates. It then overrides GetIssuerName so that when WIF is validating a token it will call this method. The method simply checks that the token's signing certificate thumbprint and SubjectName match with one of the trusted certificates.

    This implementation won't work from configuration (probably could with some tweaks though) so you'll need to set it up in code:

    using System.ServiceModel;
    using Microsoft.IdentityModel.Configuration;   // ServiceConfiguration
    using Microsoft.IdentityModel.Tokens;          // FederatedServiceCredentials

    ServiceHost rpHost = new ServiceHost(typeof(YourService));

    ServiceConfiguration serviceConfiguration = new ServiceConfiguration();

    // Accept only the ACS signing certificate as issuer. GetSigningCertificate() is the
    // helper described below that loads the certificate you uploaded to Azure.
    serviceConfiguration.IssuerNameRegistry = new X509IssuerNameRegistry(GetSigningCertificate());

    // Apply the WIF configuration (including the custom registry) to the service host.
    FederatedServiceCredentials.ConfigureServiceHost(rpHost, serviceConfiguration);

    GetSigningCertificate() will simply load the certificate that you generated and uploaded to Azure for signing. You could get it from the Certificate Store or you can export it to a file and load it from a file path.


  • 19 March 2012 16:00

    @El Neilios - thanks for the above, this was exactly what I needed in my implementation