ACS giving 50017 error even when cert is issued by a trusted CA

  • Question

  • Hi,

     We are trying to integrate with ACS using a custom STS. When the token is received by ACS, we are getting the error ACS 50017: "The certificate with subject XYZ; and issuer 'CN=Cybertrust SureServer Standard Validation CA, O=Cybertrust Inc' failed validation"

    The certs are in the correct order. In the metadata, I tried putting all of these in different X509Certificate fields under the same X509Data field. I am not sure how to specify the chain in the metadata for ACS. Does ACS have a limitation that it checks only 1 level above? Also, these certs seem to be in the correct chain, since when I open them up on my Windows system, I can see the chain correctly.

    The root certificate is a public CA.

    Here are the certs.

    Signing cert:


    Intermediate CA cert:


    Root cert:


    Thanks and Regards,

    Kanduri


    Friday, June 1, 2012 7:57 PM

All replies

  • Hi,

    Can you make sure the certificate has been uploaded on ACS portal successfully? And please also check the certificate is in trusted root certification authority.

    "Ensure that the certificate is either self-signed or that it chains to a trusted root certification authority. The certificate must also not be revoked and must be within its validity period."

    From :

    http://msdn.microsoft.com/en-us/library/windowsazure/gg185949.aspx

    Hope this helps.


    Please mark the replies as answers if they help or unmark if not. If you have any feedback about my replies, please contact msdnmg@microsoft.com Microsoft One Code Framework

    Monday, June 4, 2012 7:36 AM
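The requirements quoted in the reply above (chains to a trusted root, not revoked, within its validity period) can be checked on the Windows box that holds the STS certs before the metadata is uploaded. This is an added diagnostic script, not code from the thread or from ACS; the file paths are placeholders, and it assumes the signing cert plus the intermediate and root CA certs are available as .cer files.

```powershell
# Added example (not from the thread). Builds the STS signing cert's chain with
# the same CryptoAPI checks the ACS documentation describes: trusted root,
# revocation, validity period. Paths are placeholders.
function Test-StsSigningChain {
    param(
        [Parameter(Mandatory = $true)][string]$LeafPath,   # the STS signing cert
        [string[]]$ExtraCertPaths = @()                    # intermediate(s) and root
    )
    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $LeafPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # "must also not be revoked" -> check CRL/OCSP online, excluding the self-signed root
    $chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag    = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    # no relaxations: an untrusted root or expired cert must fail, as it does at ACS
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
    # "must be within its validity period" -> evaluate at the current time
    $chain.ChainPolicy.VerificationTime  = Get-Date

    # Supply the intermediate/root explicitly, so the result does not depend on
    # whatever this machine happens to have cached. Note: ExtraStore only helps
    # chain *building*; Build() still reports UntrustedRoot unless the root is
    # in the Trusted Root Certification Authorities store.
    foreach ($p in $ExtraCertPaths) {
        $extra = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $p
        [void]$chain.ChainPolicy.ExtraStore.Add($extra)
    }

    $ok = $chain.Build($leaf)
    Write-Host ("Chain build succeeded: {0}" -f $ok)
    $i = 0
    foreach ($el in $chain.ChainElements) {          # leaf first, root last
        $c = $el.Certificate
        Write-Host ("[{0}] {1}" -f $i, $c.Subject)
        Write-Host ("     issuer: {0}" -f $c.Issuer)
        Write-Host ("     valid : {0:u} .. {1:u}" -f $c.NotBefore, $c.NotAfter)
        foreach ($s in $el.ChainElementStatus) {
            Write-Host ("     status: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
        }
        $i++
    }
    # Any entry here is a reason ACS would reject the token's signing cert
    foreach ($s in $chain.ChainStatus) {
        Write-Warning ("{0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
    return $ok
}

Test-StsSigningChain -LeafPath 'C:\certs\signing.cer' `
    -ExtraCertPaths 'C:\certs\intermediate.cer', 'C:\certs\root.cer'
```

A clean result shows the chain, validity and revocation status as this machine's CryptoAPI sees them; a `PartialChain` or `UntrustedRoot` warning points at a missing intermediate in the metadata or a root that is not in the trusted store, and `NotTimeValid` or `Revoked` at the other two documented failure conditions.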
  • Hi,

    "Can you make sure the certificate has been uploaded on ACS portal successfully?" How can we do it? The only way I know is with the metadata of the IDP. We did that. AFAIK, there is no place on the ACS portal where I can look at the certificate of the IDP. Is there any way to look it up?

    This is a trusted root CA. And it is there in the browser.

    Thanks and Regards,

    Kanduri


    Monday, June 4, 2012 4:26 PM