SharpSTS with Self-Signed Certificates.

Apr 7, 2008 at 1:34 PM
Ok -- I give...

What's the secret to disabling X.509 checks so I can run sharpSTS with self-signed certificates? I turned off the validation check in the constructor of the Token class, per http://idunno.org/archive/2007/04/06/self-signed-certificates-and-cardspace.aspx.

But stepping through the Issue method of the wsTrustResponder, I don't see any code that invokes a new token, and hence my changes are not getting executed and I'm still getting the trust chain exception.

System.IdentityModel.Tokens.SecurityTokenValidationException: The X.509 certificate E=sts@sodexo.com, CN=sts.sodexo.com, O=Sodexo, S=NY, C=US chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation for the certificate.

What am I missing?

Coordinator
Apr 7, 2008 at 5:57 PM
Ouch. Yes. This is why I pretend to be woodgrove during development :)

Try the following: edit InformationCardSTSHost.cs, and add the following line at the bottom of the OnOpening method:

Credentials.IssuedTokenAuthentication.RevocationMode = X509RevocationMode.NoCheck;

If that works I'll wrap it in a config setting, debug only. That web page really refers to the token processing code for web pages. I assume you're getting the error within the token response code in the STS?
Apr 7, 2008 at 9:20 PM
I added the line as you suggested, but it made no difference. It's still generating the same error.

It doesn't seem to be applying the behavior, as the message is stating that it cannot find the revocation list.

System.IdentityModel.Tokens.SecurityTokenValidationException: The X.509 certificate E=sts@sodexo.com, CN=sts.sodexo.com, O=Sodexo, S=NY, C=US chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation for the certificate.
   at System.IdentityModel.Selectors.X509CertificateChain.Build(X509Certificate2 certificate)
   at System.IdentityModel.Selectors.X509CertificateValidator.ChainTrustValidator.Validate(X509Certificate2 certificate)
   at System.IdentityModel.Selectors.X509SecurityTokenAuthenticator.ValidateTokenCore(SecurityToken token)
   at System.IdentityModel.Selectors.SecurityTokenAuthenticator.ValidateToken(SecurityToken token)
   at System.IdentityModel.Selectors.SamlSecurityTokenAuthenticator.ResolveClaimSet(SecurityToken token)
   at System.IdentityModel.Selectors.SamlSecurityTokenAuthenticator.ValidateTokenCore(SecurityToken token)
   at System.IdentityModel.Selectors.SecurityTokenAuthenticator.ValidateToken(SecurityToken token)
   at InformationCards.TokenUtility.AuthenticateToken(Byte[] decryptedTokenData) in C:\sso\LeastPrivledgeCardspaceSelector\InfoCardSelector\Token\TokenUtility.cs:line 156
   at InformationCards.Token..ctor(String xmlToken, Boolean noSSL) in C:\SSO\LeastPrivledgeCardspaceSelector\InfoCardSelector\Token\Token.cs:line 72
   at LeastPrivilege.CardSpaceLibrary.UI.InfoCardSelector.RaisePostBackEvent(String eventArgument) in C:\SSO\LeastPrivledge_CardspaceSelector\InfoCardSelector\InfoCardSelector.cs:line 392
Coordinator
Apr 8, 2008 at 3:05 AM
Oh, I see; ok, that's client-side, inside Dominick's ASP.NET control, in which case we're back to the blog post. Inside TokenUtility.cs, line 151 is where the SamlAuthenticator gets created; make the change suggested in the blog entry there.
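As an added example (not code from SharpSTS, the LeastPrivilege selector, or either poster), this is one way to build the SamlSecurityTokenAuthenticator that TokenUtility.cs creates so that a self-signed STS certificate is accepted in development by pinning it in the Trusted People store (PeerTrust), rather than turning certificate validation off, while other builds keep the default chain trust. The `development` flag and the factory class name are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper (not part of SharpSTS or the LeastPrivilege selector):
// builds the authenticator that TokenUtility.AuthenticateToken would hand the
// decrypted SAML token to, deciding how the issuer's signing cert is validated.
public static class StsTokenAuthenticatorFactory
{
    public static SamlSecurityTokenAuthenticator Create(bool development)
    {
        X509CertificateValidator issuerCertValidator;

        if (development)
        {
            // A self-signed STS cert never passes chain building: the root is
            // untrusted and there is no CRL to consult, which is the exception
            // in the thread. Instead of X509CertificateValidator.None (accepts
            // any certificate at all), require the exact cert to be installed
            // in the Trusted People store; PeerTrust matches that installed
            // cert and checks only its validity period, so no chain is built.
            issuerCertValidator = X509CertificateValidator.PeerTrust;
        }
        else
        {
            // Default: full chain to a trusted root, with revocation checking.
            issuerCertValidator = X509CertificateValidator.ChainTrust;
        }

        // The SAML authenticator delegates validation of the issuer's X.509
        // token to the supporting authenticators it is constructed with.
        List<SecurityTokenAuthenticator> supporting = new List<SecurityTokenAuthenticator>();
        supporting.Add(new X509SecurityTokenAuthenticator(issuerCertValidator));

        // Tolerate a few minutes of clock skew between STS and relying party.
        return new SamlSecurityTokenAuthenticator(supporting, TimeSpan.FromMinutes(5));
    }
}
```

The existing `ValidateToken(token)` call in TokenUtility.cs then returns the authorization policies for the token, or throws SecurityTokenValidationException if the issuer cert is not the pinned one.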