claudio32

Hi,

I was able to run the fabrikam example with the www.fabrikam.com SSL certificate. Now I want to use my SSL certificate (CN = sts.mysite.com) and I did the following:

1) Replace the cert thumbprint in app.config

2) run httpcfg -set ssl -i ...

3) set the cert ACL by modifying the existing VB script

The certificate CN and CRL are OK and I can access via HTTPS a web site using this cert.

On the other hand when trying to use my managed cards, the Identity Selector says that the SSL certificate is rejected since "the remote certificate is invalid according to the validation procedure".

The SSL certificate is not a logotype cert. Are logotypes mandatory for CardSpace applications?

Thanks,

kind regards,

Claudio



Re: Windows CardSpace (InfoCard) Logotype certs are mandatory??

Wouter Veugelen

I thought they were only "recommended".

I would like to get a confirmation regarding that question too.





Re: Windows CardSpace (InfoCard) Logotype certs are mandatory??

Caleb Baker - MSFT

Logotype is not required. It's hard to say why the cert is failing; my best guess would be to make sure it chains to a trusted CA, or is in your Trusted People store. If that doesn't help, could you post the event log message?




Re: Windows CardSpace (InfoCard) Logotype certs are mandatory??

claudio32

Hi,

I checked the following:

1) the CA is trusted. When I open the SSL certificate on the client machine the whole chain is OK

2) the CRL is accessible, I downloaded it from IE

3) the CN in the SSL cert matches the name of the site: sts.mysite.com

Here's the log:

Thanks

Claudio

Event Type: Error
Event Source: CardSpace 3.0.0.0
Event Category: General
Event ID: 273
Date: 2/15/2007
Time: 11:42:42
User:
Computer:
Description:
There was a failure making a WS-Trust exchange with an external application. The Identity provider end point was not found.
Inner Exception: Metadata contains a reference that cannot be resolved: 'https://sts.mysite.com:7001/sample/trust/usernamepassword/mex'.
Inner Exception: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Inner Exception: The remote certificate is invalid according to the validation procedure.

Additional Information:
Microsoft.InfoCards.TrustExchangeException: The Identity provider end point was not found. ---> System.InvalidOperationException: Metadata contains a reference that cannot be resolved: 'https://sts.mysite.com:7001/sample/trust/usernamepassword/mex'. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.TlsStream.CallProcessAuthentication(Object state)
at System.Threading.ExecutionContext.runTryCode(Object userData)
at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.ConnectStream.WriteHeaders(Boolean async)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.GetResponse()
at System.ServiceModel.Description.MetadataExchangeClient.MetadataLocationRetriever.DownloadMetadata(TimeoutHelper timeoutHelper)
at System.ServiceModel.Description.MetadataExchangeClient.MetadataRetriever.Retrieve(TimeoutHelper timeoutHelper)
--- End of inner exception stack trace ---
at System.ServiceModel.Description.MetadataExchangeClient.MetadataRetriever.Retrieve(TimeoutHelper timeoutHelper)
at System.ServiceModel.Description.MetadataExchangeClient.ResolveNext(ResolveCallState resolveCallState)
at System.ServiceModel.Description.MetadataExchangeClient.GetMetadata(MetadataRetriever retriever)
at System.ServiceModel.Description.MetadataExchangeClient.GetMetadata(Uri address, MetadataExchangeClientMode mode)
at Microsoft.InfoCards.RemoteTokenFactory.DoMexExchange(TokenCreationParameter param, IWebProxy proxy)
--- End of inner exception stack trace ---





Re: Windows CardSpace (InfoCard) Logotype certs are mandatory??

Caleb Baker - MSFT

Sounds like the issue might be that the cert isn't configured properly on the server; I'd double-check the parameters you used for httpcfg and rerun it.

If that doesn't help, you can try and track down why the mex call is working. You can get svcutil.exe from the Windows SDK and run

svcutil.exe https://sts.mysite.com:7001/sample/trust/usernamepassword/mex

This should retrieve the mex or give an error message about what failed.






Re: Windows CardSpace (InfoCard) Logotype certs are mandatory??

claudio32

The cert seems to be OK since I can access other HTTPS pages with no problems or warnings.

On the other hand svcutil returns this message. I read the MSDN paper but couldn't figure out how to modify the app.config file to publish metadata correctly. Should the app.config file provided with the example work properly with no change?

Thanks,

Claudio

Error: Cannot obtain Metadata from https://sts.mysite.com:7001/sample/trust/usernamepassword/mex

If this is a Windows (R) Communication Foundation service to which you have access, please check that you have enabled metadata publishing at the specified address.  For help enabling metadata publishing, please refer to the MSDN documentation at http://go.microsoft.com/fwlink/?LinkId=65455.


WS-Metadata Exchange Error
    URI: https://sts.mysite.com:7001/sample/trust/usernamepassword/mex

    Metadata contains a reference that cannot be resolved: 'https://sts.mysite.com:7001/sample/trust/usernamepassword/mex'.

    Could not establish trust relationship for the SSL/TLS secure channel with authority 'sts.mysite.com:7001'.

    The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

    The remote certificate is invalid according to the validation procedure.


HTTP GET Error
    URI: https://sts.mysite.com:7001/sample/trust/usernamepassword/mex

    There was an error downloading 'https://sts.mysite.com:7001/sample/trust/usernamepassword/mex'.

    The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

    The remote certificate is invalid according to the validation procedure.

If you would like more help, type "svcutil /?"





Re: Windows CardSpace (InfoCard) Logotype certs are mandatory??

claudio32

OK, I found the problem.

The command I used was:

httpcfg delete ssl -i 127.0.0.1:7001
httpcfg set ssl -i 127.0.0.1:7001 -h "3a7c4ac428fec247f67ddf5de2ee19d219d9a84c"

while I should have specified the real IP address of the SSL server.

I simply replaced 127.0.0.1 with my local IP address and it worked.

Claudio
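As an added diagnostic (my example, not code from the thread, from CardSpace or from WCF), the PowerShell below checks the three things this thread turned on, from the defender's side: which SslPolicyErrors the .NET TLS client actually records for the server certificate (the detail hidden behind "the remote certificate is invalid according to the validation procedure"), which IP:port the server's HTTP.sys SSL binding covers and whether that is the address the client resolves and reaches, and whether the bound certificate chains to a trusted root with its CRL reachable. It assumes the host, port and thumbprint from the thread as placeholders, and reads bindings with `netsh http show sslcert`, the successor of the httpcfg tool used above; sections 2 and 3 are meant to be run on the STS machine.

```powershell
# Added diagnostic script, not part of the thread and not CardSpace/WCF code.
# Placeholders taken from the thread: host, port and certificate thumbprint.
param(
    [string]$TargetHost         = 'sts.mysite.com',
    [int]   $Port               = 7001,
    [string]$ExpectedThumbprint = '3a7c4ac428fec247f67ddf5de2ee19d219d9a84c'
)

# --- 1. Client side: record the reason .NET gives for rejecting the server cert.
# The callback stores SslPolicyErrors and the chain status, then returns $true so
# the handshake completes and the details can be printed. That accept-anything
# behaviour exists only for this diagnostic; a real client must never do it.
$script:policyErrors = $null
$script:chainStatus  = @()
$script:serverCert   = $null

$recordOnly = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:policyErrors = $sslPolicyErrors
    if ($certificate) {
        $script:serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate
    }
    if ($chain) {
        $script:chainStatus = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    }
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($TargetHost, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $recordOnly)
    # The name passed here is the one hostname matching is checked against.
    $ssl.AuthenticateAsClient($TargetHost)
} catch {
    Write-Warning "TLS handshake to ${TargetHost}:${Port} failed: $($_.Exception.Message)"
} finally {
    $tcp.Close()
}

if ($null -eq $script:serverCert) {
    Write-Host "No certificate was presented. On the server, check that a cert is bound"
    Write-Host "to the IP:port the client actually reaches (section 2 below)."
} else {
    Write-Host "Server cert  : $($script:serverCert.Subject)  thumbprint $($script:serverCert.Thumbprint)"
    # None, RemoteCertificateChainErrors, RemoteCertificateNameMismatch or RemoteCertificateNotAvailable
    Write-Host "Policy errors: $($script:policyErrors)"
    $script:chainStatus | ForEach-Object { Write-Host "Chain status : $_" }
}

# --- 2. Server side: which IP:port carries which certificate hash?
# HTTP.sys serves a certificate only on the exact IP:port (or the 0.0.0.0:port
# wildcard) it was bound to, so a 127.0.0.1:7001 binding never covers a client
# connecting to the machine's real interface address. "netsh http" replaced httpcfg.
$bindings = @()
$current  = $null
netsh http show sslcert | ForEach-Object {
    if ($_ -match '^\s*IP:port\s*:\s*(\S+)') {
        $current = [pscustomobject]@{ IpPort = $Matches[1]; Hash = $null }
        $bindings += $current
    } elseif ($current -and $_ -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
        $current.Hash = $Matches[1]
    }
}

$addresses = [System.Net.Dns]::GetHostAddresses($TargetHost) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString }
$acceptable = @("0.0.0.0:$Port") + @($addresses | ForEach-Object { "${_}:$Port" })

$hits = @($bindings | Where-Object { $acceptable -contains $_.IpPort })
if ($hits.Count -eq 0) {
    Write-Host "No SSL binding for $($acceptable -join ', '). Existing bindings:"
    $bindings | ForEach-Object { Write-Host "  $($_.IpPort) -> $($_.Hash)" }
} else {
    $hits | ForEach-Object {
        # -eq on strings is case-insensitive, so hash case does not matter here
        $state = if ($_.Hash -eq $ExpectedThumbprint) { 'matches expected thumbprint' } else { 'DIFFERENT cert than expected' }
        Write-Host "Binding $($_.IpPort) -> $($_.Hash) ($state)"
    }
}

# --- 3. Server side: does the bound cert chain to a trusted root on this machine?
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $ExpectedThumbprint }
if (-not $cert) {
    Write-Host "Thumbprint $ExpectedThumbprint not found in LocalMachine\My."
} else {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'   # also exercises the CRL the thread mentions
    if ($chain.Build($cert)) {
        Write-Host "Chain OK: $(($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- ')"
    } else {
        $chain.ChainStatus | ForEach-Object { Write-Host "Chain problem: $($_.Status) $($_.StatusInformation.Trim())" }
    }
}
```

Section 1 run from the client separates the three failure modes the thread mixes together: a handshake that never presents a certificate points at the binding (the case resolved above), RemoteCertificateNameMismatch at the CN or SAN, and RemoteCertificateChainErrors at the CA trust or the CRL. Section 2 reproduces that diagnosis from the server's own binding table, and section 3 verifies the chain with the same revocation checking the client performs.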