
I want to use Thinktecture IdentityServer 3 to provide STS to ASP.NET site but I don't know how to setup the certificates.

How do I use SelfHost (InMem with WS-Fed) Thinktecture Identity Server 3 as STS for a local IIS site?

The problem I have is as follows:

I've used this client in VS Development Server: https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/Clients/MvcOwinWsFederation

with the SelfHost (InMem with WS-Fed): IdentityServer3.Samples/tree/master/source/SelfHost%20(InMem%20with%20WS-Fed)

It all works, connects, authenticates and displays claims.

But when I publish the client to a local IIS site called WSFedClient, and it tries to authenticate against the same self-host STS, I get this error:

"The remote certificate is invalid according to the validation procedure."

I've followed this: https://github.com/IdentityServer/IdentityServer3/issues/553

...but I'm still confused about what it is I need to do.

JBurns
  • Updated it a bit, let me know if it needs more. Have you worked with this Identity Server much? – JBurns Feb 22 '16 at 21:49
  • Not at all ... it really seems like this just comes down to a standard cert issue; the cert is failing validation, probably because the CA or root cert isn't in a Trusted Cert store for the machine. Make sense? – Lynn Crumbling Feb 22 '16 at 21:56
  • I'm sure you're correct. That's the part I don't understand unfortunately. What kind of cert do I need to make, how do I make it, and where do I then install it? – JBurns Feb 22 '16 at 22:29
  • Added an answer -- hope it's helpful. – Lynn Crumbling Feb 22 '16 at 22:50
  • Could this be duplicate http://stackoverflow.com/questions/34942051/error-when-get-token-the-remote-certificate-is-invalid-according-to-the-validat/34988745#34988745 – rawel Feb 23 '16 at 06:06

3 Answers


Try installing your cert into the "Trusted Root Certificate Authorities" store.

1) Launch the mmc. At the start menu, enter MMC.exe and hit enter.

2) Press control-M to add a module. Select Certificates, and click Add.

3) Select Computer account, then Next, select Local Computer, and hit Finish. Then hit OK.

4) Expand Certificates. Right-click on "Trusted Root Certificate Authorities", and select "All tasks", then "Import..."

5) Browse out to the cert and select it. You probably will need to check the box to allow it to be exported, which means you'll probably have to enter the password, which you should know, if you created it.

Lynn Crumbling
  • Thanks, much appreciated. I gave that a shot: made server cert in IIS, added it to Personal, Trusted Root CA, and Trusted People. Closed down mmc, Restarted IIS and tried again.... unfortunately same result: "The remote certificate is invalid according to the validation procedure" – JBurns Feb 22 '16 at 23:10
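The MMC steps above, done from an elevated PowerShell prompt instead. This is an added example, not code from the answer or from IdentityServer; the `.pfx` path is a placeholder and the store choice (LocalMachine) matches the "Computer account" chosen in step 3. It keeps the private key out of the Root store, which the MMC wizard does not stop you from doing, and warns when the file holds a leaf certificate rather than the issuing CA's certificate (the thread's `idsrv3test` cert is issued by `DevRoot`, so it is DevRoot's certificate that belongs in Root):

```powershell
# Added example (not from the answer): split a .pfx into private key + public certificate
# and put each part in the store where it belongs. Paths are placeholders for a local dev box.
#Requires -RunAsAdministrator

$pfxPath = 'C:\certs\idsrv3test.pfx'          # placeholder path to the exported .pfx
$secret  = Read-Host -Prompt 'PFX password' -AsSecureString

# Load the .pfx in memory so the public certificate can be separated from the private key.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $pfxPath, $secret

# A certificate issued by a private CA is not its own trust anchor: the CA's certificate,
# not this leaf, is what must go into Trusted Root for chain validation to succeed.
if ($cert.Subject -ne $cert.Issuer) {
    Write-Warning "Certificate was issued by '$($cert.Issuer)'. Import that issuer's certificate into Root, not this leaf."
}

# Export the public certificate (.cer, no private key) next to the .pfx.
$cerPath = [System.IO.Path]::ChangeExtension($pfxPath, '.cer')
$der     = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($cerPath, $der)

# 1. Certificate + private key -> Personal (My) store, where the HTTPS binding and the
#    token-signing code look for it. -Exportable matches the wizard's "allow export" box.
Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\LocalMachine\My' `
                      -Password $secret -Exportable | Out-Null

# 2. Public certificate only -> Trusted Root store. Root is a trust-anchor store; a private
#    key placed there could be used to issue certificates this machine would trust.
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Verify by thumbprint that each store now holds the certificate.
foreach ($store in 'My', 'Root') {
    $found = Get-ChildItem "Cert:\LocalMachine\$store" |
             Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    '{0,-4} store: {1}' -f $store, $(if ($found) { 'present' } else { 'MISSING' })
}
```

Importing into `Cert:\LocalMachine\Root` makes every process on the machine trust that certificate, so do this only for a development root you generated yourself, and remove it again when the sample is no longer needed.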

Check the following things regarding your certificate. Most probably point #2 below is causing this error.

  1. Check whether the CA's root certificate exists in the Trusted Root Certification Authorities store.
  2. Check that the "Issued To" field of the certificate matches the host name of the identity server's endpoint URL.
  3. Check the expiry date of the certificate.
  4. Check that the certificate has not been revoked by the CA.
Pankaj Kapare
  • Thanks.... Identity Server is listening at https://localhost:44333/core. Is that the url endpoint? The certificate is called idsrv3test.pfx and is issued to idsrv3test and issued by DevRoot. I don't know what this means, why it is, or what it needs to be, but I'd love to be enlightened. Thanks again. – JBurns Feb 23 '16 at 21:05
  • idsrv3test.pfx is the token signing certificate. It is different from the https certificate (though you can use the same for both tasks). You get this error probably because you are not pointing to the https endpoint or the https certificate configured at that endpoint is not valid. You should be able to independently configure a valid certificate for this endpoint using IIS without using the token signing certificate. – rawel Feb 24 '16 at 05:37
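The four checks in this answer, run against the certificate the HTTPS endpoint actually presents rather than the one you think is configured (which is the distinction rawel's comment draws between the signing cert and the HTTPS cert). This is an added example, not code from the answer or from IdentityServer; the URL is the one from the comment thread, and the chain is built with .NET's `X509Chain` so the verdict matches what the client's default validation sees:

```powershell
# Added example (not from the answer): fetch the certificate served at the endpoint and
# report the answer's four checks. The endpoint URL is the one quoted in the comments.
$uri = [System.Uri]'https://localhost:44333/core'

# Accept any certificate for this one diagnostic handshake so the certificate can be
# inspected even when validation would fail. Never use such a callback in the real client.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($uri.Host)
    # Copy the remote certificate out before the stream is closed.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}

"Issued To : $($cert.Subject)"
"Issued By : $($cert.Issuer)"
"Valid     : $($cert.NotBefore) -> $($cert.NotAfter)"

# Checks 1, 3 and 4: build the chain the way the framework does, with online revocation checking.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chainOk = $chain.Build($cert)
$status  = @($chain.ChainStatus | ForEach-Object { $_.Status })

$rootOk    = -not ($status -contains 'UntrustedRoot' -or $status -contains 'PartialChain')
$timeOk    = -not ($status -contains 'NotTimeValid')
$revokeOk  = -not ($status -contains 'Revoked' -or $status -contains 'RevocationStatusUnknown' -or
                   $status -contains 'OfflineRevocation')

# Check 2: the host name must appear as the CN or as a DNS entry in the Subject Alternative Name.
$names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
if ($san) {
    # Format() yields text such as "DNS Name=localhost, DNS Name=sts.local"; keep the values.
    $names += $san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=')[-1].Trim() }
}
$hostOk = $names -contains $uri.Host

'1. Root trusted        : {0}' -f $(if ($rootOk)   { 'yes' } else { 'NO  - import the issuer into LocalMachine\Root' })
'2. Host name matches   : {0}' -f $(if ($hostOk)   { 'yes' } else { "NO  - cert names: $($names -join ', '); expected $($uri.Host)" })
'3. Within validity     : {0}' -f $(if ($timeOk)   { 'yes' } else { 'NO  - certificate expired or not yet valid' })
'4. Not revoked         : {0}' -f $(if ($revokeOk) { 'yes' } else { "NO  - $($status -join ', ')" })
'Overall                : {0}' -f $(if ($chainOk -and $hostOk) { 'would validate' } else { 'would fail ("remote certificate is invalid")' })
```

If the "Issued To" line prints `idsrv3test` while the URL host is `localhost`, check 2 fails and the client's error is expected: the certificate bound to the HTTPS port is the signing certificate, not one issued for the host name.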

It looks like you must configure an SSL endpoint for the callback URI as well. That is WSFedClient in your sample.

rawel
  • In the Visual Studio development server you should have set "SSL Enabled = true". Then it will automatically configure a valid SSL certificate for the site. But in local IIS you have to do it yourself. – rawel Feb 26 '16 at 00:14