ACS giving 50017 error even when cert is issued by a trusted CA

Question
Hi,
We are trying to integrate with ACS using a custom STS. When the token is received by ACS, we are getting the error ACS 50017: "The certificate with subject XYZ; and issuer 'CN=Cybertrust SureServer Standard Validation CA, O=Cybertrust Inc' failed validation".
The certs are in the correct order. In the metadata, I tried putting all of these in different X509Certificate fields under the same X509Data field. I am not sure how to specify the chain in the metadata for ACS. Does ACS have a limitation that it checks only 1 level above? Also, these certs seem to be in the correct chain, since when I open them up on my Windows system, I can see the chain correctly.
The root certificate is a public CA.
Here are the certs.
Signing cert: 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
CA cert: 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
Root cert: 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
Thanks and Regards,
Kanduri
Friday, June 1, 2012 7:57 PM
All replies
Hi,
Can you make sure the certificate has been uploaded to the ACS portal successfully? And please also check that the certificate is in a trusted root certification authority.
"Ensure that the certificate is either self-signed or that it chains to a trusted root certification authority. The certificate must also not be revoked and must be within its validity period."
From: http://msdn.microsoft.com/en-us/library/windowsazure/gg185949.aspx
Please mark the replies as answers if they help or unmark if not. If you have any feedback about my replies, please contact msdnmg@microsoft.com. Microsoft One Code Framework
Monday, June 4, 2012 7:36 AM
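The reply above quotes the three conditions ACS documents for an identity provider's signing certificate (chains to a trusted root, not revoked, within its validity period). The following is an added example, not code from this thread or from ACS, that reproduces those checks locally with Go's standard-library X.509 verifier so the chain can be tested before the metadata is uploaded. It constructs its own three-level chain (root CA, issuing CA, token-signing cert) with placeholder names; the "Demo Root CA" and "sts.example.test" names are assumptions, not the Cybertrust certificates from the question, and revocation is not checked because Go's `Verify` leaves CRL/OCSP to the caller.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DemoChain is a constructed root -> issuing CA -> signing cert chain
// (placeholder names, not the real certificates from the thread).
type DemoChain struct {
	Leaf, Issuing, Root *x509.Certificate
}

var serial int64

func nextSerial() *big.Int {
	serial++
	return big.NewInt(serial)
}

// issue signs template with parent/parentKey; a nil parent yields a
// self-signed certificate (the root). Returns the parsed cert and its key.
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate builds a CA certificate template valid for the given number of years.
func caTemplate(cn string, years int) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          nextSerial(),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Example Org"}},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(years, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildDemoChain constructs the three certificates (constructed test data only).
func BuildDemoChain() (DemoChain, error) {
	root, rootKey, err := issue(caTemplate("Demo Root CA", 10), nil, nil)
	if err != nil {
		return DemoChain{}, err
	}
	issuing, issuingKey, err := issue(caTemplate("Demo Issuing CA", 5), root, rootKey)
	if err != nil {
		return DemoChain{}, err
	}
	now := time.Now()
	leafTmpl := &x509.Certificate{
		SerialNumber: nextSerial(),
		Subject:      pkix.Name{CommonName: "sts.example.test"}, // assumed STS name
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(1, 0, 0), // one-year signing cert
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	leaf, _, err := issue(leafTmpl, issuing, issuingKey)
	return DemoChain{Leaf: leaf, Issuing: issuing, Root: root}, err
}

// VerifyChain checks that leaf chains to one of roots via intermediates and is
// valid at time `at`. An explicit empty root pool keeps the OS store out of it.
func VerifyChain(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, at time.Time) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: rootPool, Intermediates: interPool, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // token signing, not TLS
	})
	return err
}

// Diagnose maps a verification error to the two failure modes the thread is about.
func Diagnose(err error) string {
	var unknown x509.UnknownAuthorityError
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknown):
		return "untrusted or missing issuer (check the intermediate and root)"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "certificate outside its validity period"
	}
	return err.Error()
}

func main() {
	c, err := BuildDemoChain()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	inter, root := []*x509.Certificate{c.Issuing}, []*x509.Certificate{c.Root}
	fmt.Println("full chain:          ", Diagnose(VerifyChain(c.Leaf, inter, root, now)))
	fmt.Println("missing intermediate:", Diagnose(VerifyChain(c.Leaf, nil, root, now)))
	fmt.Println("untrusted root:      ", Diagnose(VerifyChain(c.Leaf, inter, nil, now)))
	fmt.Println("two years from now:  ", Diagnose(VerifyChain(c.Leaf, inter, root, now.AddDate(2, 0, 0))))
}
```

To check a real chain, parse the three PEM files with `x509.ParseCertificate` and pass the issuing CA as the intermediate and the public root as the root; a "missing issuer" result for the real certificates points at the intermediate not being presented alongside the signing cert, which is the same symptom the question describes.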
Hi,
"Can you make sure the certificate has been uploaded on ACS portal successfully?" How can we do it? The only way I know is with the metadata of the IDP. We did that. AFAIK, there is no place on the ACS portal where I can look at the certificate of the IDP. Is there any way to look it up?
This is a trusted root CA. And it is there in the browser.
Thanks and Regards,
Kanduri
Monday, June 4, 2012 4:26 PM