Answered September Release Issues in AppFabric ACS

  • Wednesday, September 22, 2010 5:48 AM

    After this September release all the settings such as identity providers, relying party, certificates etc have been reset for all my already existing services.

    And if I do a new setup, then even after providing an X.509 certificate for token signing I get the following error:

    HTTP Error Code:  400 
    Message:  No tenant signing key of type X509 certificate is provisioned. 
    Trace ID:  2c46fa55-8ae8-443b-9f8a-ab885593c3fb 
    Timestamp:


    TechyFreak

All Replies

  • Wednesday, September 22, 2010 10:46 AM
    Moderator
    Just to confirm, you're referring to the ACS Labs, right? Production ACS shouldn't have had any providers reset, but for the Labs it was announced prior to the September release that all settings would be wiped.
  • Friday, September 24, 2010 4:33 PM

    I am in ACS labs and am getting the same error. Where do I provide the tenant signing key so that this error goes away? Navigating to the federation endpoint (https://friseton.accesscontrol.appfabriclabs.com/FederationMetadata/2007-06/FederationMetadata.xml) I see:


    HTTP Error Code: 400
    Message: No tenant signing key of type X509 certificate is provisioned.
    Trace ID: 4c5ee6e2-9b07-44ff-b066-83247369ef1e
    Timestamp: 2010-09-24 16:31:30Z

    How do I resolve this issue?


    Scott Seely
  • Monday, September 27, 2010 10:35 PM
     Answered

    In order for Federation Metadata to work, you need to have a signing certificate with "Used For" set to "Service namespace".  The way signing keys work is as follows:

    For SAML tokens, ACS uses an X.509 certificate to sign the token.  If the relying party has its own certificate, that will be used.  Otherwise, the service namespace certificate is used as a fallback.  If there isn't one, an error is shown.

    The important bit is that ACS needs a service namespace certificate configured in order to sign Fed metadata. Without this, the Fed metadata cannot be signed and attempting to view it will fail.

    You need to add a new key and set the "used for" to "Service namespace".  This will solve your issue.

    Thanks,

    Oren
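    The key-selection rule Oren describes (relying-party certificate first, service-namespace certificate as the fallback, otherwise the 400 error), together with a check of what a federation metadata document actually publishes, as an added example that is not ACS code or part of this thread. The key dictionaries, their field names (`type`, `used_for`, `relying_party`), the `example-namespace` entityID and the sample metadata are assumptions constructed for the demo; the certificate blob is not a real X.509 certificate and the `Signature` element is only a placeholder, so the inspector checks for presence of a signature and signing keys, it does not verify the signature cryptographically.

```python
"""Added example (not ACS code): models the signing-key fallback described in
the answer above and inspects federation metadata for a signature and the
certificates published for signing.  Key field names ('type', 'used_for',
'relying_party') and the sample metadata are assumptions for this demo."""
import base64
import hashlib
import xml.etree.ElementTree as ET

ERROR_NO_TENANT_KEY = "No tenant signing key of type X509 certificate is provisioned."


def resolve_signing_key(keys, relying_party):
    """Pick the X.509 key used to sign a SAML token for `relying_party`:
    a key scoped to that relying party wins; otherwise the service-namespace
    key; otherwise the error quoted in the thread."""
    x509 = [k for k in keys if k["type"] == "X509"]
    for k in x509:
        if k["used_for"] == "Relying party" and k.get("relying_party") == relying_party:
            return k
    for k in x509:
        if k["used_for"] == "Service namespace":
            return k
    raise LookupError(ERROR_NO_TENANT_KEY)


def metadata_signing_key(keys):
    """Federation metadata is signed only with the service-namespace key;
    relying-party keys never qualify, which is why the 400 shows up even
    when a relying-party certificate has been uploaded."""
    for k in keys:
        if k["type"] == "X509" and k["used_for"] == "Service namespace":
            return k
    raise LookupError(ERROR_NO_TENANT_KEY)


NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def thumbprint(der_bytes):
    """SHA-1 thumbprint as upper-case hex, the form certificate tools display."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


def inspect_federation_metadata(xml_text):
    """Report whether the metadata carries an enveloped XML signature and list
    the thumbprints of the certificates published with use="signing".
    Presence check only: signature verification is out of scope here."""
    root = ET.fromstring(xml_text)
    signed = root.find("ds:Signature", NS) is not None
    thumbs = []
    for kd in root.iterfind(".//md:KeyDescriptor[@use='signing']", NS):
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is not None and cert.text:
            thumbs.append(thumbprint(base64.b64decode(cert.text.strip())))
    return {"signed": signed, "signing_thumbprints": thumbs}


# Constructed sample: these bytes stand in for DER; they are NOT a certificate.
CONSTRUCTED_CERT_DER = b"constructed sample, not a real X.509 certificate"


def build_sample_metadata(signed):
    """Build a minimal, constructed metadata document in the general shape of
    FederationMetadata.xml; the Signature element is a placeholder only."""
    cert_b64 = base64.b64encode(CONSTRUCTED_CERT_DER).decode()
    sig = ('<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">'
           '<SignedInfo/><SignatureValue>placeholder</SignatureValue></Signature>'
           if signed else '')
    return (f'<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
            f'entityID="https://example-namespace.accesscontrol.appfabriclabs.com/">{sig}'
            f'<RoleDescriptor><KeyDescriptor use="signing">'
            f'<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>'
            f'<X509Certificate>{cert_b64}</X509Certificate></X509Data></KeyInfo>'
            f'</KeyDescriptor></RoleDescriptor></EntityDescriptor>')


if __name__ == "__main__":
    # Only a relying-party key: token signing for that RP works, metadata does not.
    keys = [{"type": "X509", "used_for": "Relying party", "relying_party": "myapp"}]
    print("token key for myapp:", resolve_signing_key(keys, "myapp")["used_for"])
    try:
        metadata_signing_key(keys)
    except LookupError as err:
        print("HTTP 400 ->", err)
    # Adding a key with "Used For" = Service namespace clears the error.
    keys.append({"type": "X509", "used_for": "Service namespace"})
    print("metadata key:", metadata_signing_key(keys)["used_for"])
    print(inspect_federation_metadata(build_sample_metadata(True)))
```

Running the module reproduces the situation in the thread: with only a relying-party key the token path succeeds while the metadata path raises the quoted 400 message, and adding a namespace-scoped key resolves it. `inspect_federation_metadata` is the check to run against the real endpoint once it answers, to confirm the document is signed and that the published signing thumbprint matches the certificate you uploaded.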

  • Tuesday, September 28, 2010 11:20 AM

    Scott,


    As already mentioned by Oren, when you are adding a new token signing key, in the last option select the radio button for Service Namespace.



    TechyFreak
  • Wednesday, September 29, 2010 2:28 PM
    This worked! Thanks
    Scott Seely