WSS3.0, Https and SSO

  • Question

  • Hello,

    I am using OpenAM (ForgeRock's WebSSO, named OpenSSO when it was Sun's product) to make my WSS3.0 authentication; the authorization is still made by WSS. It works well with simple HTTP, but when I try to use HTTPS I have a problem. When I try to connect to my site, I get a "500 internal server error". I have turned the SP logging to verbose and, reading the log, I have found: "Error=The remote certificate is invalid according to the validation procedure."

    I am using self-signed certificates (selfssl from the IIS resource pack for SP, and keytool from OpenJDK for the OpenAM side). When I tested WSS without OpenAM, with its self-signed certificate, it was working. The OpenAM side seems to work under HTTPS because I am redirected correctly and the authentication server gives me a well-formed cookie.

    So I think the root of the problem is on the Sharepoint side, but I do not see what I'm doing wrong.

    Has someone walked through this problem and found a solution? Or do you see what I have missed?

    Thanks in advance for your help,

    Arnaud.

    Monday, May 30, 2011 3:00 PM

Answers

  • Hi FArnaud,

     

    The error message "The remote certificate…" is caused because the process is not able to validate the server certificate supplied by the server during an HTTPS (SSL) request. The very first troubleshooting step should be to see if the server-supplied certificate and every certificate in the chain are trouble-free.

     

    You can go through this article and you will get detailed description of this problem, try the solutions there, maybe this could help you to solve this issue:

    http://blogs.msdn.com/b/jpsanders/archive/2009/09/16/troubleshooting-asp-net-the-remote-certificate-is-invalid-according-to-the-validation-procedure.aspx

     

    Thanks & Regards,

    Peng Lei

    • Marked as answer by David HM Tuesday, June 7, 2011 8:03 AM
    Tuesday, May 31, 2011 3:11 AM
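The "first troubleshooting step" above can be automated. The following script is an added example (not part of the thread and not from the linked article): it fetches the certificate an HTTPS site presents and then runs the same three checks the .NET HTTPS client performs before it raises "The remote certificate is invalid according to the validation procedure" (chain trust, validity period, host-name match), printing which link of the chain fails and why. The host name and port are placeholders taken from the thread.

```powershell
# Added example: diagnose why a .NET client rejects a server certificate.
# $HostName is the site name mentioned in the thread, used here as a placeholder.
param(
    [string]$HostName = 'preprod-wss.preprod.sharepoint',
    [int]$Port = 443
)

# Step 1: retrieve the certificate. The callback accepts anything at this stage
# because we only want the certificate; the real validation is done explicitly below.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($HostName)
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose()
    $client.Close()
}

"Subject    : $($remote.Subject)"
"Issuer     : $($remote.Issuer)"
"Valid from : $($remote.NotBefore) until $($remote.NotAfter)"

# Step 2: validity period (the expired admin-site certificate in this thread would show up here).
if ($remote.NotAfter -lt (Get-Date)) { "EXPIRED   : certificate expired on $($remote.NotAfter)" }
if ($remote.NotBefore -gt (Get-Date)) { "NOT YET VALID: certificate starts on $($remote.NotBefore)" }

# Step 3: host-name match. GetNameInfo returns the first DNS name (SAN, else subject CN).
# This is a plain string comparison; wildcard names are not handled here.
$dnsName = $remote.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($dnsName -ne $HostName) { "NAME MISMATCH: certificate is for '$dnsName', site requested as '$HostName'" }

# Step 4: chain trust against this machine's certificate stores, element by element.
# Lab certificates publish no CRL/OCSP endpoint, so revocation is skipped here;
# keep it enabled when checking production certificates.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($remote)
"Chain trusted by this machine: $trusted"
foreach ($element in $chain.ChainElements) {
    $problems = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $problems) { $problems = 'OK' }
    "  $($element.Certificate.Subject) -> $problems"
}
```

Run it on the SharePoint host (the machine whose stores the .NET client consults), once per site URL involved in the SSO exchange. `UntrustedRoot` on the last element means the self-signed certificate is not in Trusted Root Certification Authorities on that machine, `PartialChain` means an issuing CA is missing, `NotTimeValid` means an expired certificate; a name mismatch or expiry is reported even when the chain itself builds, which is why adding certificates to the root store alone can leave the error in place.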
  • Hi, I've found the problem and a solution to solve it. That was indeed the self-signed cookies. SharePoint does not accept them for M2M. The solution I've found is to create a self-signed CA certificate (converting the .pvk and .cer to .pfx) and add it to the trusted root CA store of the SharePoint host. Then I've created from this home-made CA certificates for the SharePoint site and for the authn server (two .pfx) and added them to the personal store of the SharePoint host. I've configured the SharePoint site and the authn server to use the certificates and it works well. Hope this can help someone, Arnaud.
    • Marked as answer by FArnaud Tuesday, June 7, 2011 7:58 AM
    Tuesday, June 7, 2011 7:58 AM
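The procedure in the accepted answer (private CA in Trusted Root, per-site certificates issued by it in Personal) can be reproduced with the PKI cmdlets shipped with Windows 10 / Server 2016 and later. The script below is an added example, not the poster's own commands (the original used selfssl and a .pvk/.cer to .pfx conversion); the CA name, the second site name, the output directory and the leaf lifetime are assumptions, and it must be run in an elevated PowerShell session on the host that will validate the certificates.

```powershell
# Added example: private CA + issued server certificates, as described in the thread.
# Only the first site name comes from the thread; everything else is an assumed value.
param(
    [string]$CaName  = 'Lab SharePoint Root CA',
    [string[]]$Sites = @('preprod-wss.preprod.sharepoint',   # SharePoint site from the thread
                         'openam.preprod.sharepoint'),       # assumed name of the authn server
    [string]$OutDir  = "$env:ProgramData\LabPKI",
    [int]$LeafDays   = 90                                    # short-lived test certificates
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX export password'

# 1. Private CA: a self-signed certificate whose key usage allows signing other certificates.
$ca = New-SelfSignedCertificate -Type Custom -Subject "CN=$CaName" `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeyUsageProperty Sign -KeyUsage CertSign -KeyExportPolicy Exportable `
        -NotAfter (Get-Date).AddYears(5) -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Trust: only the public part (.cer) of the CA goes into Trusted Root Certification Authorities.
$caCer = Join-Path $OutDir 'lab-root-ca.cer'
Export-Certificate -Cert $ca -FilePath $caCer | Out-Null
Import-Certificate -FilePath $caCer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 3. One server certificate per site, signed by the CA, stored in Personal (My) and exported as PFX
#    for the host that actually serves that site.
foreach ($site in $Sites) {
    $leaf = New-SelfSignedCertificate -Type SSLServerAuthentication -Subject "CN=$site" -DnsName $site `
              -Signer $ca -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
              -KeyExportPolicy Exportable -NotAfter (Get-Date).AddDays($LeafDays) `
              -CertStoreLocation 'Cert:\LocalMachine\My'
    Export-PfxCertificate -Cert $leaf -FilePath (Join-Path $OutDir "$site.pfx") -Password $pfxPassword | Out-Null
    "$site -> thumbprint $($leaf.Thumbprint), expires $($leaf.NotAfter)"
}

# 4. Verify that the machine now builds a trusted chain for each leaf; this is the check
#    that produced "The remote certificate is invalid according to the validation procedure".
foreach ($site in $Sites) {
    $leaf  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$site" } | Select-Object -First 1
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # the lab CA publishes no CRL
    "$site chain trusted: $($chain.Build($leaf))"
}

# 5. The CA's private key is only needed to issue certificates: archive it off this host
#    (password-protected PFX) and remove it from the web server's store.
Export-PfxCertificate -Cert $ca -FilePath (Join-Path $OutDir 'lab-root-ca.pfx') -Password $pfxPassword | Out-Null
Remove-Item -Path "Cert:\LocalMachine\My\$($ca.Thumbprint)" -DeleteKey
```

The resulting `.cer` is what every machine that must trust the lab sites imports into its Trusted Root store (the SharePoint host, the OpenAM host, and any browser client), while each `.pfx` is installed only on the server that serves that name and bound to its IIS site. Because every site certificate chains to the same root, replacing a leaf when it expires no longer requires touching the root store, which is the difference between this layout and putting individual self-signed site certificates into Trusted Root.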

All replies

  • Hi Peng Lei.

    Thank you very much for your answer. I'm going to see if it can solve my problem and will give feedback here.

     

    Have a good day,

    Arnaud.

     

    [Edit]

    I have looked at the SharePoint site certificates, and it appears the "administration" site's certificate is expired. I'm using an old VM for my test and the certificate has been expired since 2010.

    How can I renew it (its name is preprod-wss.preprod.sharepoint)? I've tried:

    "selfssl /T /N:CN=preprod-wss.preprod.sharepoint /K:1024 /V:1865 /S:1662 /P:8098"

    but the new certificate doesn't seem to work. I have replaced it with the exported copy of the expired one and I cannot access my SharePoint sites now.

    I've also looked at http://support.microsoft.com/kb/254632 but the registry key does not exist in the registry.

     

    Arnaud.

    [/Edit]

    [Edit Bis]

    I've added the remote server certificate (and the SharePoint certificates) to the Trusted Root Certification Authorities but it doesn't seem to do anything.

    Does someone know where I could find a free trusted certificate, with a daily validity duration for example, to test my HTTPS connection and validate my system?

    I feel a little desperate...

    Regards,

    Arnaud

    [/Edit Bis]

    • Edited by FArnaud Tuesday, May 31, 2011 2:18 PM avoid multi posts
    Tuesday, May 31, 2011 7:06 AM
  • I am not sure I'm adding the certificate in the right place. To do this I use certmgr, choose the Trusted Root Certification Authorities and import the certificate.

    I thought doing this would make the certificate trusted for all the applications running on the computer, but if I try to access the site with, for example, Firefox or IE, it asks me if I trust the certificate.

    I think my problems are due to self-signing, but I want to be sure the whole system will work if (and when) I buy trusted certificates, so if you have clues :)

     

    Thanks in advance,

    Arnaud.

    (PS: I've edited the previous post but it does not "up" the post, so I have created this new one)

    Tuesday, May 31, 2011 3:33 PM