The federation metadata is signed, but the UAG server does not trust the certificate - why?

  • Question

  • I'm having a problem with a UAG SP1 installation where the UAG server will not trust any certificate used for token signing on an ADFS 2.0 server. I've verified the trust chain. I've exported the token-signing cert and imported it on the UAG into the Trusted Root CA store. I've double-checked all the thumbprints. I've created new certificates. Does anyone know of a way to get the UAG to tell me the thumbprint of the certificate it does not trust? At this point, I have to figure the ADFS server is not using the certificate I've assigned in ADFS mgmt. I'm using the same procedure I've used in a dozen other installations and it has always worked.

    TIA

    Tom

    Thursday, April 14, 2011 12:28 PM

All replies

  • Hi Tom,

    Is the token signing cert self-signed, issued by an internal CA or a third-party cert?

    Regards,

    Mylo

    Thursday, April 14, 2011 6:33 PM
  • Hi Mylo,

    All certs are issued by an internal CA. The UAG is a member of the same domain as the internal CA. The root certificate is propagated to all domain computers and domain controllers via Group Policy. The internal root CA cert is in the Trusted Root Authority store on the UAG. I have verified the thumbprint of the internal root CA certificate on the UAG server.

    HTH,

    Tom

    Friday, April 15, 2011 11:54 AM
  • Hi Tom,

    I had this with UAG a couple of months back and I'm scratching my head trying to remember what chain of events fixed it :-) A couple of things:

    • Have you restarted the AD FS 2.0 service and/or rebooted the server? I recall issues with re-assigned certificates with the FS and stale info.
    • Have you tried importing the federationmetadata.xml rather than pointing to the FS endpoint directly?
    • Have you tried recreating the authentication server and then pointing to the federation metadata again?
    • Is the PKI CDP reachable from the UAG?
    • Have you tried assigning the primary token signing certificate using the SET-ADFSCERTIFICATE cmdlet rather than the UI?
    • I'd also start with the default lead claim on the UAG (change it later after the import)

    Regards

    Mylo

    Friday, April 15, 2011 5:42 PM
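The CDP question in the checklist above is the one that is hardest to answer by eye, because the trust chain can be perfectly valid while the relying party still rejects the certificate: with online revocation checking enabled, an unreachable CRL Distribution Point fails the chain build with a revocation-status error rather than a trust error. The script below is an added example, not code from the thread or from the UAG/AD FS product; it takes an exported token-signing certificate (the path is a placeholder), lists the HTTP CDP URLs from the certificate's CRL Distribution Points extension, tests whether each is reachable from the host it runs on, and then builds the chain with online revocation checking so the exact chain status the OS would report is visible.

```powershell
# Added example (not part of the original thread): check whether the CRL
# Distribution Points of an exported AD FS token-signing certificate are
# reachable from this host, then build the chain the way a relying party does.
# Run it on the UAG server. The certificate path is an assumed placeholder.
param(
    [string]$CertPath = 'C:\Temp\adfs-token-signing.cer'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
Write-Host ("Subject:    {0}" -f $cert.Subject)
Write-Host ("Thumbprint: {0}" -f $cert.Thumbprint)

# The CRL Distribution Points extension has OID 2.5.29.31. Format($true) renders
# it as text containing lines such as "URL=http://pki.example.com/crl/ca.crl".
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) {
    Write-Warning 'Certificate carries no CRL Distribution Points extension.'
} else {
    $urls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }
    foreach ($url in $urls) {
        if ($url -notmatch '^https?://') {
            # LDAP CDPs depend on domain controller reachability instead; report and skip.
            Write-Host ("CDP {0}: not HTTP, skipped" -f $url)
            continue
        }
        try {
            # HttpWebRequest is available on PowerShell 2.0-era hosts (Windows Server 2008 R2).
            $req = [System.Net.HttpWebRequest]::Create($url)
            $req.Method  = 'GET'
            $req.Timeout = 10000
            $resp = $req.GetResponse()
            Write-Host ("CDP {0}: reachable (HTTP {1})" -f $url, [int]$resp.StatusCode)
            $resp.Close()
        } catch {
            Write-Host ("CDP {0}: NOT reachable - {1}" -f $url, $_.Exception.Message)
        }
    }
}

# Build the chain with online revocation checking for the entire chain, which is
# what a relying party validating a signing certificate does.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$ok = $chain.Build($cert)
Write-Host ("Chain build succeeded: {0}" -f $ok)
foreach ($status in $chain.ChainStatus) {
    # An unreachable CDP surfaces here as RevocationStatusUnknown or
    # OfflineRevocation even when the root is trusted and the thumbprints match.
    Write-Host ("  {0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
}
```

Save it as a .ps1 and run it on the UAG with the path of the exported token-signing certificate, for example `.\Check-Cdp.ps1 -CertPath C:\Temp\adfs-token-signing.cer`. If the CDP lines report "NOT reachable" and the chain status lists RevocationStatusUnknown or OfflineRevocation, the problem is CRL retrieval from the UAG, not the trust store contents, and the fix is network or proxy access to the CDP rather than re-importing certificates.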
  • One last thing... is the AD FS token signing certificate itself in the Trusted Root Authorities store of the UAG?

    Regards,

    Mylo

    Friday, April 15, 2011 5:53 PM
  • Hi Mylo,

    You nailed it, the PKI CDP was not reachable from the UAG.

    Thanks,

    Tom

    Friday, April 15, 2011 5:58 PM
  • Hi Tom,

    Great stuff... glad to hear it worked :-)

    Regards,

    Mylo

    • Proposed as answer by Mylo Tuesday, April 19, 2011 10:10 AM
    Saturday, April 16, 2011 9:22 AM