Relying Party Certificate thumbprint not specified

Hello,

I have an intranet with cardspace authentication, and for test purposes I used the fabrikam and adatum certificates provided as examples by Microsoft. It was working fine, I could link cards to user accounts and then sign in with the card. Then I decided to change those test certificates for the real ones, so I used a Windows Server 2003 as an Entrerprise CA and created a root CA certificate and issued a certificate for my intranet webpage. Installed both certificates and in IIS I installed the webserver certificate and activated SSL in my virtual directory.

In the source code of the intranet, I made the following changes: I use the SampleSecurityTokenService class, and in the app.config file I changed the certificate thumbprint field with the thumbrint of the cert that I issued for the webpage. The base address and the base mex address are "http://www.intranetai.com:7000/sample/trust" and "https://www.intranetai.com:7001/sample/trust" , which I'm not sure if are correct as I "invented" them, but I think they match the config in another section. I'm not sure if I made any other change in configuration, but I dont think so. So then, when I try to create a card using cardwriter, or when I try to link an existing card like I used to do before changing the certificates I get that error: "Relying Party Certificate thumbprint not specified". Is there any other change in config that I have to do to specify the RP certificate Maybe any section in the configuration I think that it might have something to do that my intranet acts both as the IdP and the RP, and maybe I specified the certificate for the IdP but not for the RP, but I don't know where to find it, in case thats the problem.

Any ideas Thank you very much,

Ruben

If the above urls used to be fabrikam.com, that should be correct. have you tried to see if the above URLs work

As for the thumbprint, I believe somewhere in the code, it searches for the signing certificate by thumbprint. if you do a full text search on the fabrikam and contoso certificate thumbprint, you should be able to find out where you need to update with the new thumbprint from your intranetai certificate.

Hi Toland,

Thanks for your answer. I've tried the above urls and none of them work, but to be honest I'm quite lost with all this stuff, I just used them following the example, but I don't know how I have to set them or where to configure them, and so on. Also I've done a text search in the entire solution looking for the fabrikam, contoso and adatum thumbprints but it didn't give any result. Finding the thumbprint of my intranetai certificate, I've only found it in one place in the whole solution, which is the "certificateThumbprint" setting in the app.config file in the STS project. I really don't know where I have to specify the relaying party certificate or what else I can do to solve it. Any help will be appreciated.

Thanks,

Ruben

I think it has something to do with the TokenProcessor.cs class. I've added it to the App_Code folder in my web project, but when it tries to look for the relying party certificate, the string containing the thumbprint is empty. That string should be filled in this code:

string rpCertificateThumbprint = System.Configuration.ConfigurationManager.AppSettings["CertificateThumbprint"];

string rpStoreName = ConfigurationManager.AppSettings["StoreName"];

string rpStoreLocation = ConfigurationManager.AppSettings["StoreLocation"];

So I suppose that it doesn't find anything in AppSettings["CertificateThumbprint"]. In the samples that I found that use TokenProcessor.cs, there's no app.config file attached to it, so I don't know where it expects to find that thumbprint. For the identity provider it works well because in the sts project I have an app.config that specifies the thumbprint, but for the relying party (the intranet webpage), I don't know where to put it, as in the examples I haven't been able to find where those settings are stored. Can anyone please clarify that

Thank you very much,

Ruben

Finally I found the problem! After looking in depth at the TokenProcessor code and understanding how it works, I realised that it wasnt a problem of the app.config, because it only checks app.config if it doesn't find the certificate straight away based on the thumbprint obtained from the token, which is what we expect it to do. So in case it doesn't find it that way, it looks at app.config for different parameters.

So the problem was that it didn't find the certificate in the store when it searched for its thumbprint. And the certificate is in the store and the thumbprint is OK, so the reason for not finding it is that it doesn't consider the certificate valid. The instruction where it looks for the certificate in the store is:

collection = store.Certificates.Find(X509FindType.FindByThumbprint, rpCertificateThumbprint, true);

where the last "true" is a boolean that indicates if the search only has to return "valid" certificates. So I had to set this boolean to false and then it returns my certificate and it works perfectly. But I'd like to know why it doesn't consider the certificate valid. I created an Enterprise CA in a Windows Server 2003 and issued a certificate for my webpage, both the CA and the webpage certificates are installed in the computer, and if I enter mmc and look at the personal certificates store, I find there my webpage certificate and when I open it, it sais it's valid. Does anyone know why then the instruction Find doesn't consider it valid It would be good to know so that I can make the changes appropiate so that the cert is valid and set the boolean back to true.

Thanks,

Ruben

I have exactly the same problem with a SSL certificate issued by CACert.org. If you happen to find a solution why those are considered invalid I would be happy to get a note.

And to test the scenario a bit further I save the token and reuse it in a console application also using the TokenProcessor.cs. In that scenario everything works perfectly even with the validOnly parameter set to true which appears a bit strange to me !

Thanks for any hints

Alex

Hi Alex,

I haven't found any explanation to why this happens, and in fact I didn't look at it much more. I would like to know why this happens too, so I can do something with the certificate so that the code considers it "valid", but as noone seems to have an answer for this and I'm busy with some other problems that I have with CardSpace (http://forums.microsoft.com/MSDN/ShowPost.aspx PostID=1918144&SiteID=1), for now I just set validOnly to false and it works, although I don't think thats the best solution for the problem.

Regards,

Ruben