Installing Cardspace Card Problems

Apr 22, 2008 at 4:41 PM
I have been working a bit with the sharpSTS project. I am using the woodgrovebank.com certs and have generated a CardSpace card using the IISHosted STS and the command line CardWriter project. The card successfully installs on my local machine where the STS server is running and all certificates have been installed. For debugging purposes I have tried to install the same card on a separate machine altogether. I receive an error from the CardSpace client that leaves the event log entry below:

Has anyone run into the same problems using the woodgrovebank.com sample certs? I'm new at the CardSpace stuff so I could very well just be missing something simple. Any help would be greatly appreciated.

Thanks
Jeremy

Event Type: Error
Event Source: CardSpace 3.0.0.0
Event Category: General
Event ID: 259
Date: 4/21/2008
Time: 4:55:49 PM
User: VIRTUALJEREMY\Jeremy
Computer: VIRTUALJEREMY
Description:
An incoming identity could not be validated. The X.509 certificate is both not chain trusted and peer trusted. Chain trust error(s): The X.509 certificate CN=www.woodgrovebank.com, O=WoodgroveBank, L=Redmond, S=Washington, C=US; 8EDA81D9F53167C8A69B0B38E10C8B8772CCED3D chain building failed. The certificate that was used has a trust chain that cannot be verified. An internal certificate chaining error has occurred.
The revocation function was unable to check revocation for the certificate.
The revocation function was unable to check revocation because the revocation server was offline.
Peer trust error(s): The X.509 certificate CN=www.woodgrovebank.com, O=WoodgroveBank, L=Redmond, S=Washington, C=US is not in the trusted people store.



Additional Information:
at System.Environment.GetStackTrace(Exception e, Boolean needFileInfo)
at System.Environment.get_StackTrace()
at Microsoft.InfoCards.Diagnostics.InfoCardTrace.BuildMessage(InfoCardBaseException ie)
at Microsoft.InfoCards.Diagnostics.InfoCardTrace.TraceAndLogException(Exception e)
at Microsoft.InfoCards.Diagnostics.InfoCardTrace.ThrowHelperError(Exception e)
at Microsoft.InfoCards.InfoCardXmlSerializer.RetrieveIssuerAndCheckSign(XmlReader reader)
at Microsoft.InfoCards.InfoCardXmlSerializer.CreateCardFromXml(String filename)
at Microsoft.InfoCards.InfoCardXmlSerializer.Deserialize(String filename)
at Microsoft.InfoCards.GetImportedCardRequest.OnProcess()
at Microsoft.InfoCards.Request.ProcessRequest()
at Microsoft.InfoCards.Request.DoProcessRequest()
at Microsoft.InfoCards.RequestFactory.ProcessNewRequest(Int32 parentRequestHandle, IntPtr rpcHandle, IntPtr inArgs, IntPtr& outArgs)

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Coordinator
Apr 22, 2008 at 5:03 PM
Ah yes; fun this.

As part of the sample certificates you get a root certificate, adatum.com. That has a revocation list; well, an empty one. The identity selector attempts to check this.

So you should, on the second machine, add a hosts entry for www.adatum.com and point it to a web site somewhere on your local network that fakes the adatum web site and contains the crldata\adatum.crl file that is installed on your dev machine. You'll probably need to install the root certificate on the second machine as well, as you may well get errors about having an untrusted root. Painful I know!

What I have is a virtual PC configured, and on the host machine I have a loopback adapter installed with multiple internal 10.250.254.* addresses bound to it. One of these is adatum, with the appropriate host entry and IIS setup to listen on that IP, with the web site containing the crldata and the images directory. I then bind the VPC to a static IP in the same network, and set the networking card to be the loopback adapter. Configure the hosts and the root cert in the VPC and away you go.
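To see which of the two trust paths the identity selector is failing on before rearranging hosts entries, the following diagnostic (an added example, not code from sharpSTS or from the reply above) rebuilds the issuer certificate's chain with online revocation checking and then looks for the certificate in the TrustedPeople store, which are the two checks named in the event log entry. It assumes the exported www.woodgrovebank.com certificate is passed as the only argument; UntrustedRoot in the output points at the missing adatum root, while RevocationStatusUnknown or OfflineRevocation points at the unreachable adatum.crl.

```csharp
// Added diagnostic, not part of sharpSTS or CardSpace. Reproduces the two checks the
// event log reports: chain trust (with online CRL retrieval) and peer trust (TrustedPeople).
// Assumes args[0] is the path to the exported www.woodgrovebank.com certificate (.cer).
using System;
using System.Security.Cryptography.X509Certificates;

class CardTrustCheck
{
    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: CardTrustCheck <issuer-cert.cer>");
            return 2;
        }
        X509Certificate2 cert = new X509Certificate2(args[0]);
        Console.WriteLine("Subject:    " + cert.Subject);
        Console.WriteLine("Thumbprint: " + cert.Thumbprint);

        // Chain trust: build the chain with revocation checking on, so a CRL that cannot be
        // fetched from www.adatum.com shows up as RevocationStatusUnknown / OfflineRevocation.
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15);
        bool chainOk = chain.Build(cert);
        Console.WriteLine("Chain trusted: " + chainOk);
        foreach (X509ChainElement element in chain.ChainElements)
        {
            Console.WriteLine("  " + element.Certificate.Subject);
            foreach (X509ChainStatus status in element.ChainElementStatus)
                Console.WriteLine("    " + status.Status + ": " + status.StatusInformation.Trim());
        }

        // Peer trust: an issuer certificate present in the TrustedPeople store is accepted
        // even when its chain cannot be built. Check the user store and the machine store.
        bool peerOk = InStore(StoreLocation.CurrentUser, cert.Thumbprint)
                   || InStore(StoreLocation.LocalMachine, cert.Thumbprint);
        Console.WriteLine("Peer trusted (TrustedPeople store): " + peerOk);
        return (chainOk || peerOk) ? 0 : 1;
    }

    static bool InStore(StoreLocation location, string thumbprint)
    {
        X509Store store = new X509Store(StoreName.TrustedPeople, location);
        store.Open(OpenFlags.ReadOnly);
        try { return store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false).Count > 0; }
        finally { store.Close(); }
    }
}
```

Run it on the second machine as the same user that runs the identity selector, since the CurrentUser store and the hosts file resolution it sees are the ones that matter.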
Apr 22, 2008 at 8:44 PM
This is a good start; I understand where you are coming from and did what I believed would be the necessary steps to get it working.
***Note: The IP of my host machine is 10.35.7.107. The PC is running Windows XP Pro SP2.

1.) Added adatum.com and www.adatum.com to my hosts file on the VPC I am running. The hosts file looks like this:
127.0.0.1 localhost
10.35.7.107 www.woodgrovebank.com
10.35.7.107 woodgrovebank.com
10.35.7.107 www.adatum.com
10.35.7.107 adatum.com
2.) This is my host machine's hosts file:
127.0.0.1 localhost
127.0.0.1 www.adatum.com
127.0.0.1 adatum.com
127.0.0.1 www.contoso.com
127.0.0.1 contoso.com
127.0.0.1 www.fabrikam.com
127.0.0.1 fabrikam.com
127.0.0.1 www.woodgrovebank.com
127.0.0.1 woodgrovebank.com
3.) Set up an IIS site (virtual directory) on my host computer, localhost, named "clrdata"; it includes the adatum.crl file. It can be accessed from the VPC by going to "http://www.adatum.com/crldata/adatum.crl"
4.) Additionally, set up as a virtual directory I have the IISHosted STS.

Assuming I haven't left anything out, I still get the same error on the VPC when trying to install the card.

Any ideas why my configuration isn't working?

Thanks
Jeremy

blowdart wrote:
Ah yes; fun this.

As part of the sample certificates you get a root certificate, adatum.com. That has a revocation list; well, an empty one. The identity selector attempts to check this.

So you should, on the second machine, add a hosts entry for www.adatum.com and point it to a web site somewhere on your local network that fakes the adatum web site and contains the crldata\adatum.crl file that is installed on your dev machine. You'll probably need to install the root certificate on the second machine as well, as you may well get errors about having an untrusted root. Painful I know!

What I have is a virtual PC configured, and on the host machine I have a loopback adapter installed with multiple internal 10.250.254.* addresses bound to it. One of these is adatum, with the appropriate host entry and IIS setup to listen on that IP, with the web site containing the crldata and the images directory. I then bind the VPC to a static IP in the same network, and set the networking card to be the loopback adapter. Configure the hosts and the root cert in the VPC and away you go.

Coordinator
Apr 23, 2008 at 2:57 AM
Yup, we're looking at the same sort of setup.

The differences I have: I separated woodgrove and adatum onto individual IP addresses. No host headers were used. There should also be an images directory under adatum, for the EV certificate images. I also installed the adatum root certificate inside the VPC. Woodgrove should have the woodgrove SSL certificate bound to it in IIS. I hacked the install VBS script to install the root cert; an export and reimport seems to strip some of the EV bits from the certificate, certainly under XP it did anyway.