So for starters, here's my environment:
SharePoint 2010
Windows Server 2008 Standard
It's a VHD on my local
machine
I'm connected to my work domain I'm also connected to a
VPN as well because some of the resources I need require it
So I have an STS in SharePoint for SSO
The STS is created via PowerShell cmdlets:
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\IdentityServer.cer")
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" –SameAsIncoming
# $map2 ... $mapN
$realm = "urn:mycompany:software"
$signinurl = "https://somesignin.com/FederationProvider/"
$ap = New-SPTrustedIdentityTokenIssuer -Name "MyFederationProvider" -Description "My Fed Provider" -Realm $realm -UseWReply -ImportTrustCertificate $cert -ClaimsMappings $map1 -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType
For the Internet Zone of my SharePoint site, I have the trusted identity provider created above as the Claims Authentication Type.
When I log in everything goes well until I hit this line in the code,
FederatedPassiveSecurityTokenServiceOperations.ProcessSignInResponse(signInResponseMessage, Response);
The error I get is:
Exception information:
Exception type: SecurityTokenException
Exception message: The issuer of the token is not a trusted issuer.
Request information:
Request URL: https://mySharePointSite.com:443/_trust/default.aspx
Request path: /_trust/default.aspx
User host address: 127.0.0.1
User:
Is authenticated: False
Authentication Type:
Thread account name: MyDomain\ThreadAccount
Thread information:
Thread ID: 10
Thread account name: MyDomain\ThreadAccount
Is impersonating: False
Stack trace: at Microsoft.SharePoint.IdentityModel.SPTrustedIssuerNameRegistry`1.GetIssuerName(SecurityToken securityToken)
at Microsoft.SharePoint.IdentityModel.SPPassiveIssuerNameRegistry.GetIssuerName(SecurityToken securityToken)
at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)
at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
However, the root certificate is in the Trusted Root Certification Authorities in the MMC Certificates snap-in for the Computer Account on the Local Computer.
As well, the root certificate is considered trusted in SharePoint. I added it via the Central Administration->Security->Manage Trust.
Any ideas why I'd still be getting this error?
Do you have an STS running at https://somesignin.com/FederationProvider/?
The documentation for New-SPTrustedIdentityTokenIssuer says that it "Creates an identity provider in the farm." This seems poorly worded to me. It doesn't actually create a new STS. What New-SPTrustedIdentityTokenIssuer really does is configure a trust relationship between sharepoint and an existing 3rd party identity provider. For example,
LiveID:
http://technet.microsoft.com/en-us/library/ff607628.aspx
or ADFS:
http://msdn.microsoft.com/en-us/library/hh446525.aspx
The problem was the certificate being used initially was not from the domain I develop on. For local development a self-signed certificate was created and then the issuer was trusted. And this certificate was added to the manage trust store of my local Sharepoint farm, http://onpointwithsharepoint.blogspot.ca/2012/11/managing-trust-certificates-by-using.html.
Related
It is a .NET 6 project. The certificate is imported to the Local Computer store from a pfx file.
Using the following code, skipping the irrelevant parts, everything works fine when the service account is added to the local Administrators group.
var certStore = new X509Store(storeName, storeLocation);
certStore.Open(OpenFlags.ReadOnly);
var _clientCertificate = certStore.Certificates
.Find(X509FindType.FindByThumbprint, thumbprint, false)
.FirstOrDefault();
...
BasicHttpsBinding binding = new BasicHttpsBinding(BasicHttpsSecurityMode.Transport);
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
var client = new Client(binding, endpoint);
client.ClientCredentials.ClientCertificate.Certificate = _clientCertificate;
...
When the account is not in the local Administrators' group the following exception is thrown:
System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority 'other.service.com'.
---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
---> System.ComponentModel.Win32Exception (0x8009030D): The credentials supplied to the package were not recognized
at System.Net.SSPIWrapper.AcquireCredentialsHandle(ISSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED* scc)
at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED* secureCredential)
at System.Net.Security.SslStreamPal.AcquireCredentialsHandleSchannelCred(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
What am I missing here?
As far as I know, there may be the following reasons:
When you say that you are not in the local administrator group, the error will be because of the administrator and general members have different permissions. You can try to put the user in the administrator to try again, if successful, this is the problem.
Validate the Web Sites SSL Certificate is Trusted. If the SSL certificate is not trusted, you will need to install the SSL certificate’s root certificate. You can review the case for more solutions.
Hope it helps.
I'm working .Net 5.0 and I get these errors when I throw it to the hosting server. After a while, my website gives HTTP error 500 due to these errors. I created the certificate with OpenSSL and user profile as true but when I try to add a certificate I get these errors.
What should I do about this?
warn: Microsoft.AspNetCore.DataProtection.Repositories.EphemeralXmlRepository[50]
Using an in-memory repository. Keys will not be persisted to storage.
warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[59]
Neither user profile nor HKLM registry available. Using an ephemeral key repository. Protected data will be unavailable when application exits.
warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[35]
No XML encryptor configured. Key {f071590d-e902-4b6f-bbbe-d27d7415d96b} may be persisted to storage in unencrypted form.
crit: Microsoft.AspNetCore.Hosting.Diagnostics[6]
Application startup exception
Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: The system cannot find the file specified.
My startup is like this:
services.AddDataProtection()
.SetApplicationName("MyProjectName")
.ProtectKeysWithCertificate(new X509Certificate2(certificate, "password", X509KeyStorageFlags.MachineKeySet
| X509KeyStorageFlags.PersistKeySet
| X509KeyStorageFlags.Exportable)) //My bad line of code
.UseCryptographicAlgorithms(
new AuthenticatedEncryptorConfiguration()
{
EncryptionAlgorithm = EncryptionAlgorithm.AES_256_CBC,
ValidationAlgorithm = ValidationAlgorithm.HMACSHA256
}
)
.PersistKeysToFileSystem(new DirectoryInfo(keysFolder)) //shared network folder for key location
.SetDefaultKeyLifetime(TimeSpan.FromDays(600));
The problem was that iss out of date on the server side. The provider updated the server and the problem was resolved
I have a WCF client that is going to authenticate against some web service using a certificate issued by said service. At first my client used a https binding as below:
var httpsBinding = new BasicHttpsBinding();
httpsBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
httpsBinding.Security.Mode = BasicHttpsSecurityMode.Transport;
but this gave the following error:
InvalidOperationException: The client certificate is not provided.
Specify a client certificate in ClientCredentials.
I then added the following code to my client configuration:
this.ChannelFactory.Credentials.ClientCertificate.SetCertificate("test", System.Security.Cryptography.X509Certificates.StoreLocation.LocalMachine,
System.Security.Cryptography.X509Certificates.StoreName.My);
And now I get the error
System.InvalidOperationException: 'Cannot find the X.509 certificate
using the following search criteria: StoreName 'My', StoreLocation
'LocalMachine', FindType 'FindBySubjectDistinguishedName', FindValue
'test'.'
I am absolutely certain that the certificate is placed in the Personal folder on my Local Machine, but it still cannot find it. I have tried placing the certificate in various folders, renaming it, using the thumbprint for identification, but my application still can't find it. What could be the issue here?
I suggest you set up the certificate by using X509FindType.FindByThumbprint.
ServiceReference1.ServiceClient client = new ServiceReference1.ServiceClient();
//client.ClientCredentials.ServiceCertificate.SetDefaultCertificate(StoreLocation.LocalMachine, StoreName.Root, X509FindType.FindByThumbprint, "cbc81f77ed01a9784a12483030ccd497f01be71c");
client.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "9ee8be61d875bd6e1108c98b590386d0a489a9ca");
It corresponds to the below value.
In order to allow WCF service could access this local certificate, we usually add Everyone account to the management group of the certificate private key.
Besides, WCF service with authenticating the client with a certificate, this usually requires that we set up both the service certificate and the client certificate on the client-side.
Feel free to let me know if there is anything I can help with.
I have a WebApi controller action that I decorated with my [x509Authorize] attribute. I'm debugging this endpoint locally - and at the same time running a console application that tries to call this endpoint.
Client side
Here's the client code - slightly simplified:
X509Certificate Cert = X509Certificate.CreateFromCertFile("C:\\Temp\\ht-android-client.pfx");
HttpWebRequest Request = (HttpWebRequest)WebRequest.Create("https://localhost:44300/api/mobile/predict");
Request.ClientCertificates.Add(Cert);
HttpWebResponse Response = (HttpWebResponse)Request.GetResponse();
....
I've asserted that the Cert is the correct certificate. I've installed the .pfx in my CurrentUser\Personal store and in the LocalMachine\Personal store - and modified to take the Cert from that store, as suggested here but that doesn't seem to make a difference:
var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadOnly);
var Cert = store.Certificates.Find(X509FindType.FindBySubjectName, "Android", true)[0];
Server side
And I'm listening on the WebAPI endpoint like with the following code:
public class x509AuthorizeAttribute : AuthorizeAttribute
{
public override Task OnAuthorizationAsync(HttpActionContext actionContext, CancellationToken cancellationToken)
{
var cert = actionContext.Request.GetClientCertificate();
// value of 'cert' is null
I hit a breakpoint in the console app first - see that the correct certificate is selected. Then I hit the breakpoint on the server and see that the value of .GetClientCertificate() is null. What am I doing wrong? The other SO questions 1 and 2 didn't help me any further.
Additional information on the certificates
I've created a self-signed CA certificate which is installed on the LocalMachine\Trusted root CA store. I've created the android client cert - and signed it with my self-signed CA certificate. Then I converted that into a pkcs12 file. This is the certificate that the client is using - which is also installed in my personal stores ( both machine and currentUser ) and is valid ( you can see the chain go back to the ROOT CA cert ).
Also - the certificate's purpose is set to clientAuth:
So the problem is indeed that the server needs to have the following set in the web.config in order to force IIS to start the SSL cert negotiation:
<security>
<access sslFlags="SslNegotiateCert" />
</security>
If this is not present - the certificate will be ignored and you will get null on the GetClientCertificate() call.
This implies however that all clients for my WebAPI are now forced to present a valid certificate - so my original idea of having just one controller method requiring a certificate does not seem possible.
Then there's the challenge of setting this config paramter in web.config, because of the restrictions for Azure Cloud Services. However - this answer provides a solution for that.
EDIT
On a side note this is not supported yet in ASP.NET vNext ( v rc-01-final )
On our SharePoint 2010 farm we renewed our SSL certificate, and after renewal we started to get following error in Event Log
Event ID 8311
An operation failed because the following certificate has validation errors:\n\nSubject Name:
CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US\nIssuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US\nThumbprint: \n\nErrors:\n\n
RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
Website is generally working with correct renewed certificate. Even Claims Authentication between SharePoint and custom security app is also working. But some of the SharePoint services are giving serious issues like search is not working and giving following error:
The requested service, 'http://server:32843/f6a9024b8bbe48ebae7e9ffc8f5809dd/SearchService.svc' could not be activated. See the server's diagnostic trace logs for more information.
Stack trace:
Server stack trace:
at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory factory, WebException responseException, ChannelBinding channelBinding)
When I run Get-SPSite command in powershell I get following error
Get-SPSite : ID4257: X.509 certificate 'CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US' validation failed by the token handler.
I am not able to deactivate/activate any features on the server, it throws certificate error.
I have already tried following:
1. Recreating the local trust relationship using following commands
$rootCert = (Get-SPCertificateAuthority).RootCertificate
New-SPTrustedRootAuthority -Name "localNew" -Certificate $rootCert
2. Adding "SharePoint Root Authority" certificate to certificate store on each server in the farm, in mmc SharePoint certificates "SharePoint Security Token Service" certificate is displayed under "SharePoint Root Authority" certificate.
I had a similar issue, our symptom was
<EventID>8311</EventID>
...
<Data Name="string3">NotTimeValid: Unknown error.</Data>
the root cause was that the site was surfacing SSRS (on the same host) and it was the SSRS (which has a different binding engine to IIS) certificate had expired, but was being logged by SharePoint.