Wednesday, September 22, 2010 5:48 AM
After this September release all the settings such as identity providers, relying parties, certificates, etc. have been reset for all my already existing services.
And if I do a new setup, then even after providing an X.509 certificate for token signing I get the following error:
HTTP Error Code: 400
Message: No tenant signing key of type X509 certificate is provisioned.
Trace ID: 2c46fa55-8ae8-443b-9f8a-ab885593c3fb
- Moved by SrikumarV (Microsoft Contingent Staff), Tuesday, September 28, 2010 10:56 PM, Migration (From: Windows Azure AppFabric)
Wednesday, September 22, 2010 10:46 AM
Moderator
Just to confirm, you're referring to the ACS Labs, right? Production ACS shouldn't have had any providers reset, but for the Labs it was announced prior to the September release that it would wipe all settings.
Friday, September 24, 2010 4:33 PM
I am in ACS labs and am getting the same error. Where do I provide the tenant signing key so that this error goes away? Navigating to the federation endpoint (https://friseton.accesscontrol.appfabriclabs.com/FederationMetadata/2007-06/FederationMetadata.xml) I see:
HTTP Error Code: 400 Message: No tenant signing key of type X509 certificate is provisioned. Trace ID: 4c5ee6e2-9b07-44ff-b066-83247369ef1e Timestamp: 2010-09-24 16:31:30Z
How do I resolve this issue?
Monday, September 27, 2010 10:35 PM
In order for Federation Metadata to work, you need to have a signing certificate with "Used For" set to "Service namespace". The way signing keys work is as follows:
For SAML tokens, ACS uses an X.509 certificate to sign the token. If the relying party has its own certificate, that will be used. Otherwise, the service namespace certificate is used as a fallback. If there isn't one, an error is shown.
The important bit is that ACS needs a service namespace certificate configured in order to sign Fed metadata. Without this, the Fed metadata cannot be signed and attempting to view it will fail.
You need to add a new key and set the "used for" to "Service namespace". This will solve your issue.
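As an added example that is not part of this thread and not ACS code: a small Python script that models the key lookup order Oren describes (relying party certificate, then the service namespace certificate, otherwise the HTTP 400) and that tells a signed FederationMetadata.xml apart from the plain-text ACS error body, so you can check an endpoint's response before and after adding the namespace key. The function names, the sample key records, the stand-in certificate bytes and the example.accesscontrol.appfabriclabs.com entity ID are all constructed for this example; the error text is the one quoted above in the thread.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-in for a DER-encoded X.509 certificate (not a real cert).
FAKE_CERT_DER = b"constructed-stand-in-for-a-DER-encoded-X509-certificate"
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode()

# The error message quoted in the thread.
ACS_ERROR_MESSAGE = "No tenant signing key of type X509 certificate is provisioned."


class NoTenantSigningKey(Exception):
    """Raised when no usable X.509 signing key exists (the HTTP 400 case)."""


def resolve_signing_key(namespace_keys, relying_party=None):
    """Return (source, der_bytes) for the key used to sign a SAML token.

    Lookup order as described in the thread: the relying party's own
    certificate if it has one, then a service namespace key of type X509
    with "Used For" = "Service namespace", otherwise the 400 error.
    For federation metadata there is no relying party, so only the
    namespace key counts; pass relying_party=None for that case.
    """
    if relying_party and relying_party.get("signing_cert"):
        return "relying party", relying_party["signing_cert"]
    for key in namespace_keys:
        if key["type"] == "X509" and key["used_for"] == "Service namespace":
            return "service namespace", key["cert"]
    raise NoTenantSigningKey(ACS_ERROR_MESSAGE)


def cert_fingerprint(der_bytes):
    """SHA-1 thumbprint of a DER certificate, as a hex string."""
    return hashlib.sha1(der_bytes).hexdigest()


# Matches both the one-line and the multi-line form of the error shown above.
_ERROR_RE = re.compile(
    r"HTTP Error Code:\s*(?P<code>\d+)\s+Message:\s*(?P<message>.*?)"
    r"\s+Trace ID:\s*(?P<trace>[0-9a-fA-F-]+)",
    re.S,
)


def classify_metadata_response(body):
    """Classify the body returned by a FederationMetadata.xml endpoint.

    ACS answers with the plain-text error quoted in the thread instead of
    XML when no service namespace signing certificate is configured.
    """
    m = _ERROR_RE.search(body)
    if m:
        msg = m["message"].strip()
        return {"kind": "acs_error", "code": int(m["code"]), "message": msg,
                "trace_id": m["trace"],
                "needs_namespace_key": "No tenant signing key" in msg}
    root = ET.fromstring(body)
    sig = root.find(f"{{{DS_NS}}}Signature")
    if sig is None:
        return {"kind": "metadata", "signed": False,
                "entity_id": root.get("entityID"), "cert_sha1": None}
    cert_el = sig.find(f".//{{{DS_NS}}}X509Certificate")
    der = base64.b64decode(cert_el.text.strip()) if cert_el is not None and cert_el.text else b""
    return {"kind": "metadata", "signed": True,
            "entity_id": root.get("entityID"),
            "cert_sha1": cert_fingerprint(der) if der else None}


# --- Constructed sample data -------------------------------------------------
NAMESPACE_KEYS_MISSING = [
    {"type": "X509", "used_for": "Relying party", "cert": FAKE_CERT_DER},
]
NAMESPACE_KEYS_OK = NAMESPACE_KEYS_MISSING + [
    {"type": "X509", "used_for": "Service namespace", "cert": FAKE_CERT_DER},
]
SAMPLE_ERROR_BODY = (
    "HTTP Error Code: 400 Message: " + ACS_ERROR_MESSAGE +
    " Trace ID: 4c5ee6e2-9b07-44ff-b066-83247369ef1e Timestamp: 2010-09-24 16:31:30Z"
)
SAMPLE_UNSIGNED_METADATA = (
    '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
    'entityID="https://example.accesscontrol.appfabriclabs.com/"/>'
)
SAMPLE_SIGNED_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="{DS_NS}" entityID="https://example.accesscontrol.appfabriclabs.com/">
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>c2lnLXBsYWNlaG9sZGVy</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</EntityDescriptor>"""

if __name__ == "__main__":
    print(classify_metadata_response(SAMPLE_ERROR_BODY))
    print(classify_metadata_response(SAMPLE_SIGNED_METADATA))
    try:
        resolve_signing_key(NAMESPACE_KEYS_MISSING)
    except NoTenantSigningKey as e:
        print("metadata signing would fail:", e)
    print(resolve_signing_key(NAMESPACE_KEYS_OK))
```

To use it against a live namespace, fetch the FederationMetadata.xml URL with any HTTP client and pass the response body to `classify_metadata_response`; a `needs_namespace_key` of `True` is exactly the state Oren describes, and after adding the "Service namespace" key the same call should report `signed: True` with the thumbprint of the certificate you uploaded.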
Tuesday, September 28, 2010 11:20 AM
As Oren already mentioned, when you are adding a new token signing key, select the radio option Service Namespace for the last option.
Wednesday, September 29, 2010 2:28 PM
This worked! Thanks.