issuedTokenAuthentication\knownCertificates Validation Problem
Hi,
I am in the midst of porting over the Remote STS samples (from here) to the July CTP. I am faced with an issue that I totally have no idea how to solve.
My Service config behaviour config looks like this:
<serviceBehaviors>
  <behavior name="serviceBehavior">
    <serviceCredentials>
      <serviceCertificate findValue="Fabrikam" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
      <clientCertificate>
        <authentication certificateValidationMode="None" revocationMode="NoCheck" />
      </clientCertificate>
      <issuedTokenAuthentication allowUntrustedRsaIssuers="true">
        <knownCertificates>
          <add findValue="Contoso" storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindBySubjectName" />
        </knownCertificates>
      </issuedTokenAuthentication>
    </serviceCredentials>
    <serviceDebug includeExceptionDetailInFaults="False" />
    <serviceMetadata httpGetEnabled="true" />
  </behavior>
</serviceBehaviors>
At my remote STS, I have a code snippet that returns a signing token:
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

// This method determines the security token that contains the key material that
// the STS should sign the issued token with, in order
// for the service the issued token is intended for to trust that token
private SecurityToken GetSigningToken()
{
    // Start with no token; stays null if the "Contoso" cert is not found
    SecurityToken signingToken = null;
    // ... Open the LocalMachine store in My for read-only access
    X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly);
    // Find the "STS" cert ...
    foreach (X509Certificate2 cert in store.Certificates)
    {
        if (cert.SubjectName.Name == "CN=Contoso")
        {
            // ... and wrap that cert in an X.509 security token
            signingToken = new X509SecurityToken(cert);
            break;
        }
    }
    // Don't forget to close the store
    store.Close();
    // return the token (null if no matching cert was found)
    return signingToken;
}
While this sample works fine with the previous CTPs, it is throwing a verification exception in the July CTP.
Exception: Message security verification failed.
The inner exception reveals this:
System.ServiceModel.Security.MessageSecurityException: Message security verification failed. > System.IdentityModel.Tokens.SecurityTokenValidationException: The X.509 certificate CN=Contoso chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
at System.IdentityModel.Selectors.X509CertificateChain.Build(X509Certificate2 certificate)
While I am sure the certs I use can be trusted right to the root CA, I am stumped by this exception, or rather, how do I set the certificateValidationMode for this? I don't think I can set it in the <issuedTokenAuthentication> element itself?
The only difference on the wire I see is that the Signatures are ENCRYPTED by default now on the wire to prevent any kind of guessing attacks.
I am stumped on this one. Can anyone here help on this?
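The following is an added example and not code from the original post or from the Remote STS samples. It does two things that are useful when chasing a "chain building failed" error like the one above: it builds the chain for the STS signing certificate with X509Chain and lists every status flag WCF's chain trust check would trip over, and it shows the programmatic form of the <issuedTokenAuthentication> settings with an explicit validation mode. It assumes the released .NET 3.0 WCF API (IssuedTokenServiceCredential.CertificateValidationMode, RevocationMode, KnownCertificates and X509CertificateValidationMode); whether the July CTP exposes the same members is an assumption. Because the config above already places the "Contoso" cert in LocalMachine\TrustedPeople, PeerTrust is the mode that validates against exactly that store, which avoids turning validation off with None.

```csharp
// Added example (not from the original post). Assumes the released .NET 3.0
// System.ServiceModel API; the CTP may differ.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

static class IssuedTokenTrustCheck
{
    // Builds the chain the way ChainTrust validation does and returns one line
    // per chain status, so the operator can see whether the root is missing
    // from Trusted Root Certification Authorities, an intermediate is absent,
    // or revocation checking is what fails.
    public static List<string> DescribeChain(X509Certificate2 cert, X509RevocationMode revocation)
    {
        List<string> report = new List<string>();
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = revocation;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        bool ok = chain.Build(cert);
        foreach (X509ChainElement element in chain.ChainElements)
        {
            foreach (X509ChainStatus status in element.ChainElementStatus)
            {
                report.Add(element.Certificate.Subject + ": " + status.Status
                           + " (" + status.StatusInformation.Trim() + ")");
            }
        }
        if (ok && report.Count == 0)
        {
            report.Add("chain verified to a trusted root");
        }
        chain.Reset();
        return report;
    }

    // Finds the first certificate whose subject name contains the given value
    // in the given store; returns null rather than signing with nothing.
    public static X509Certificate2 FindBySubject(StoreName storeName, StoreLocation location, string subject)
    {
        X509Store store = new X509Store(storeName, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindBySubjectName, subject, false);
            return found.Count > 0 ? found[0] : null;
        }
        finally
        {
            store.Close();
        }
    }

    // Programmatic equivalent of the <issuedTokenAuthentication> element, with
    // the validation mode stated explicitly. PeerTrust accepts a certificate
    // that is present in the TrustedPeople store, so a self-issued STS cert
    // passes without disabling validation and without a chain to a trusted root.
    public static void ConfigureIssuedTokenTrust(ServiceHost host, X509Certificate2 stsCert)
    {
        IssuedTokenServiceCredential issued = host.Credentials.IssuedTokenAuthentication;
        issued.CertificateValidationMode = X509CertificateValidationMode.PeerTrust;
        issued.RevocationMode = X509RevocationMode.NoCheck; // peer certs carry no CRL to check
        issued.AllowUntrustedRsaIssuers = true;
        issued.KnownCertificates.Add(stsCert);
    }

    static void Main()
    {
        X509Certificate2 sts = FindBySubject(StoreName.TrustedPeople, StoreLocation.LocalMachine, "Contoso");
        if (sts == null)
        {
            Console.WriteLine("No certificate matching 'Contoso' in LocalMachine\\TrustedPeople");
            return;
        }
        // Same revocation setting as the <clientCertificate> element above.
        foreach (string line in DescribeChain(sts, X509RevocationMode.NoCheck))
        {
            Console.WriteLine(line);
        }
    }
}
```

Run the diagnostic on the service machine (the one doing the verification), since that is whose certificate stores the chain is built against; an "untrusted root" status there means the issuing root of CN=Contoso is not in that machine's Trusted Root store, regardless of what the STS machine trusts. ConfigureIssuedTokenTrust is meant to be called on the ServiceHost before Open() if the config element cannot carry the mode.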