[Metro style error Help] Certificate Error from WebAuth broker when a not trusted site is accessed

    Question

  • Dear all,

    Sorry to disturb you.

    I am writing a metro style application to access a "https://" website which is not a trusted site. 

    When it runs, the error "Error returned by WebAuth broker. Error Number: -2146762487 Error Message: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider." is always returned.

    It seems that the certificate chain is already received from server to client. 

    It is said that we can modify the manifest to add a certificate, but I find it only supports adding a static, existing certificate file. Meanwhile, I have enabled "sharedUserCertificates".

    My questions are as below:

    How can I get the certificate file when I access a not trusted site?

    Are there any JavaScript APIs to give users a prompt to "Continue to this website (not recommended)." just like what is shown in IE?

    Or are there any JavaScript APIs to handle the certificate which is transferred from a not trusted website?

    Thanks in advance.


    No pains, no gains.


    Friday, February 17, 2012 4:13 AM

All replies

  • Hi Super,

    Is this a public site I can test?  Do you get the same error when you access this from the same machine using Internet Explorer?

    -Jeff


    Jeff Sanders (MSFT)

    Friday, February 17, 2012 2:03 PM
    Moderator
  • Hi Jeff,
    Glad to hear from you. It's just an inner server which uses https. When I access it using IE, it will prompt "continue or reject" as usual, and if "continue" is selected, it will be OK. So can WebAuth (JavaScript API) also call a prompt as IE does? Thanks.

    Best regards,
    Vincent 

    No pains, no gains.

    Friday, February 17, 2012 4:33 PM
  • Hi Vincent,

    No, a Metro style app must be able to validate the certificate for an HTTPS call.  Your best bet is to resolve the certificate error on the machines you intend to deploy this application to by adding the cert as a trusted root.  I assume this will not be an application deployed to the Windows app store, of course.

    -Jeff


    Jeff Sanders (MSFT)

    Friday, February 17, 2012 6:53 PM
    Moderator
  • Hi Vincent,

    If this is the only server you want to hit and resolve the issue for, you do know you can use the static cert method you referenced in your initial email, correct?

    http://msdn.microsoft.com/en-us/library/windows/apps/hh465019.aspx

    Why do you not want to do this?

    -Jeff


    Jeff Sanders (MSFT)

    Monday, February 20, 2012 1:03 PM
    Moderator
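
A sketch of the static certificate declaration referred to in the reply above, added here as an example and not taken from the thread or the linked page. The file name `Certificates\internal-root.cer` is a placeholder for the internal server's root certificate, exported as a .cer file and shipped inside the app package.

```xml
<!-- Fragment of Package.appxmanifest (added example; file name is a placeholder). -->
<Extensions>
  <Extension Category="windows.certificates">
    <Certificates>
      <!-- Public root certificate of the internal CA, packaged with the app.
           StoreName="Root" places it in the app's own trusted-root store;
           the machine-wide Trusted Root store is not modified. -->
      <Certificate StoreName="Root" Content="Certificates\internal-root.cer" />

      <!-- ExclusiveTrust="true": the app trusts only the roots declared here
           and does not inherit the system's trusted roots. Use "false" if
           the app must also reach servers with publicly trusted certs. -->
      <TrustFlags ExclusiveTrust="true" />
    </Certificates>
  </Extension>
</Extensions>
```

Only the public certificate belongs in the package, never the CA's private key; the server's certificate must still chain to this root and match the host name the app connects to.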
  • Hi Jeff,

       I just run the Metro style app on my computer and post a request to a server "https://". The cert is received and handled by WebAuth broker, and I don't even know where the cert is, so how can I add it as a trusted root?

       Meanwhile, since I don't know where the cert is, how can I use the static cert method? Are there any APIs to get the cert received by WebAuth broker or to install the cert?

       I really appreciate your patient help.

    Best regards,

    Vincent


    No pains, no gains.

    Monday, February 20, 2012 4:16 PM
  • Hi Vincent,

    The beginning of this blog entry has how to install a trusted root cert; this should help:

    http://blogs.msdn.com/b/jpsanders/archive/2009/09/16/troubleshooting-asp-net-the-remote-certificate-is-invalid-according-to-the-validation-procedure.aspx

    -Jeff


    Jeff Sanders (MSFT)

    Monday, February 20, 2012 4:20 PM
    Moderator
  • Hi Jeff,

        What I am doing is a Metro style project, not in IE, and the process to install a trusted root cert above is manual work, which will affect user experience. I post a request to an untrusted "https://" in the application; when it runs, I hope that a prompt will be shown, and if users click "continue", the cert will be installed.  Is it feasible?

    Best regards,

    Vincent


    No pains, no gains.

    Monday, February 20, 2012 4:35 PM
  • No it is not possible.  I was trying to provide you some workarounds.

    -Jeff


    Jeff Sanders (MSFT)

    Monday, February 20, 2012 4:47 PM
    Moderator
  • Hi Jeff,

    In IE, it will prompt "Continue to this website (not recommended)." when an untrusted "https://" is accessed. Can we also call this API or a similar API in a Metro style application to prompt "Continue to this website (not recommended)."?

    Is manually installing the cert the only way to make a Metro style app access an untrusted "https://" successfully?

    Best regards,

    Vincent



    No pains, no gains.

    Monday, February 20, 2012 4:58 PM
  • Hi Vincent,

    No.

    -Jeff


    Jeff Sanders (MSFT)

    Monday, February 20, 2012 5:04 PM
    Moderator