在azure网站上验证证书信任链，并通过SSL与我们的ADFS进行通信 [英] validating certificate trust chain on azure website communicating with our ADFS with SSL

问题描述

你好，

我们使用AD FS和Azure Web App

• 带有thawste根证书的本地ADFS
• 带有本机证书的Azure应用服务

Azure网站运行良好，但是如果激活Windows身份验证和ADFS配置，我们会收到一条错误消息.  的 我们基本上得到的错误是:

ADFS配置初始化错误！ X.509证书CN = ADFS签名-y.x.com不在受信任的人存储中. X.509证书CN = ADFS 签名-y.x.com链构建失败.使用的证书具有无法验证的信任链.替换证书或更改certificateValidationMode.证书链已处理，但终止于根证书，该证书是 不被信任提供者信任. System.IdentityModel.X509CertificateValidatorEx.Validate(X509Certificate2)上的System.IdentityModel.Selectors.X509CertificateValidator.PeerOrChainTrustValidator.Validate(X509Certificate2证书) 证书)

此处需要注意的重要一点是证书肯定有效具有有效的信任链，并建立在标准的受信任的根权限下， 没有任何改变

是内部错误还是取决于Azure的错误，因为该应用程序可以正常工作 使用ADFS SSO对IAAS进行罚款吗?如果不是，我们该怎么做才能避免出现此错误?

client.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.None;

其中客户端是您的服务引用的实例.

app.config文件中的方法2:

 
 serviceBehaviors/behavior/serviceCredentials/clientCertificate 
 

< authentication certificateValidationMode ="PeerOrChainTrust"； revocationMode ="NoCheck"； /> 
 

请让我们知道结果.我们期待您的答复.

Hello, 

We use AD FS and Azure Web App

•  ADFS On Premises with thawste root certificates 
•  Azure app service with native certificates 

The Azure website is working fine, but if we activate the windows authentication and ADFS configuration, we get an error message. The error we're basically getting is:

ADFS configuration initialize error! The X.509 certificate CN=ADFS Signing - y.x.com is not in the trusted people store. The X.509 certificate CN=ADFS Signing - y.x.com chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. System.IdentityModel at System.IdentityModel.Selectors.X509CertificateValidator.PeerOrChainTrustValidator.Validate(X509Certificate2 certificate) at System.IdentityModel.X509CertificateValidatorEx.Validate(X509Certificate2 certificate)

he important thing to note here is that the certificate is definitely valid, with a valid trust chain, built to a standard trusted root authority, and we haven't changed anything

Is this internal error or an error depending on Azure because the application works fine on IAAS with ADFS SSO? If it's not, what can we do to not get this error ?

解决方案

Thank you for your question Nabil. Let's remove the certificate validation to see if this is truly the issue. To verify this, can you please turn off validation? (assuming this is a non-production environment)

Way #1 in code:

client.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = 
System.ServiceModel.Security.X509CertificateValidationMode.None;

Where client is an instance of your service reference.

Way # 2 in the app.config file:

serviceBehaviors/behavior/serviceCredentials/clientCertificate

<authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck" />

Please let us know the outcome. We look forward to your reply.

这篇关于在azure网站上验证证书信任链，并通过SSL与我们的ADFS进行通信的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！