How to resolve the error @Passive client: The X.509 certificate CN=Geneva Signing Certificate is not in the trusted people store

    Question

  • I am working with the WCF sample "C:\Program Files\Windows Identity Foundation SDK\v3.5\Samples\Quick Start\Using Managed STS\ClaimsAwareWebAppWithManagedSTS".

    At the passive client side I am getting the following error...

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

    Stack Trace:

    [SecurityTokenValidationException: The X.509 certificate CN=Geneva Signing Certificate is not in the trusted people store. The X.509 certificate CN=Geneva Signing Certificate chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
    ]
    System.IdentityModel.Selectors.PeerOrChainTrustValidator.Validate(X509Certificate2 certificate) +178
    Microsoft.IdentityModel.X509CertificateValidatorEx.Validate(X509Certificate2 certificate) +73
    Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token) +385

    [SecurityTokenValidationException: ID4257: X.509 certificate 'CN=Geneva Signing Certificate' validation failed by the token handler.]
    Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token) +495
    Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token) +86
    Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri) +98
    Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request) +406
    Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +268
    System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +102
    System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75


    Since this is not a product environment I am using the certificate that gets generated by Geneva Initial configuration wizard. The error states that I can "change the certificateValidationMode".

    Can someone please guide me on how that can be done to resolve this issue?

    Thanks!!
    Tuesday, January 12, 2010 6:19 AM

Answers

  • I was able to resolve this issue.

    All I had to do was disable the certificate validation. That can be achieved by adding the below mentioned element in the "web.config" file of my website...

    <microsoft.identityModel>
      <service>
        <!-- certificateValidation is an empty element and must be self-closed -->
        <certificateValidation certificateValidationMode="None" />
      </service>
    </microsoft.identityModel>


    The way I could find out the hierarchy of the XML elements of the microsoft.identityModel was by looking at the XSD located at "C:\Program Files\Windows Identity Foundation SDK\v3.5\Windows.Identity.Foundation.Config.xsd".

    The help file was not much help in this area.
    If the WIF team is looking at this thread... I'm sure you guys are working on improving the documentation. Good luck!!
    • Marked as answer by ajay_g_m Tuesday, January 12, 2010 7:26 AM
    Tuesday, January 12, 2010 7:26 AM

All replies

  • The SDK also includes Windows.Identity.Foundation.Config.xml in the same location, which gives examples of configuration elements and the meaning of the parameters. Visual Studio Intellisense should interpret the XSD to help with the basic structure.

    Thanks for your feedback... I'll pass it on to the docs team.

    Wednesday, January 13, 2010 6:35 AM
    Moderator
  • Thanks for pointing me towards the sample file. It does have some amount of documentation in it.

    I'm using VS2010 beta 2 but it does not show any Intellisense for the element "<microsoft.identityModel>" and its children.
    Wednesday, January 13, 2010 7:11 AM
  • You should add microsoft.identityModel in <configSections> tag.

    <configSections>
        <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        .....
    </configSections>

    Thursday, May 31, 2012 2:54 AM
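    The accepted answer switches certificate validation off entirely, and the reply above adds the configSections declaration that the section needs. As an added example (not from the original thread or the WIF SDK sample), the fragment below combines both into one web.config and shows the "None" setting next to a PeerTrust setting that keeps validation on for a self-signed development STS certificate. The certutil command and the file name geneva-signing.cer are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <!-- Required so ASP.NET can parse the microsoft.identityModel section (from the reply above) -->
    <section name="microsoft.identityModel"
             type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>

  <microsoft.identityModel>
    <service>
      <!--
        Weak setting (what the accepted answer does): the token signing certificate is
        accepted without any trust check, so the relying party no longer knows whether
        the key that signed a token belongs to its STS.

        <certificateValidation certificateValidationMode="None" />
      -->

      <!--
        Corrected setting: PeerTrust accepts the signing certificate only if that exact
        certificate is present in the TrustedPeople store, so a self-signed STS
        certificate (no chain to a trusted root, the situation in the stack trace)
        validates without disabling the check. revocationMode="NoCheck" because a
        self-signed certificate publishes no CRL or OCSP endpoint.

        One-time setup on the relying party host (assumed file name, elevated prompt):
          certutil -addstore -f TrustedPeople geneva-signing.cer
      -->
      <certificateValidation certificateValidationMode="PeerTrust"
                             revocationMode="NoCheck"
                             trustedStoreLocation="LocalMachine" />
    </service>
  </microsoft.identityModel>
</configuration>
```

    The default mode, PeerOrChainTrust (the validator named in the stack trace), also succeeds once the certificate is in TrustedPeople, so the explicit PeerTrust line mainly documents the intent.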
  • Thank you, this really helps me.
    Thursday, September 04, 2014 11:03 AM