Conflicting encryption certificates error in ADFS 3.0

  • Question

  • I am trying to update a relying party trust from federation metadata that contains two signing and two encryption certificates, but AD FS shows me this error:

    "An unexpected error occurred during attempt to process the federation metadata. Verify that the federation metadata is correct and try again.
    Error message: MSIS7508: The metadata contains unexpected data. Conflicting encryption certificates were found in the Role Descriptions needed to represent a service provider role."

    The idea behind storing two signing and two encryption certificates in the metadata is to allow a smooth transition period: when the old certificates are about to expire, the new certificates are added to the metadata as secondary certificates. This strategy works fine with two signing certificates but does not work with two encryption certificates.

    The metadata I am trying to update:

    <?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="https://www.alpha.wrke.io/account/1401896/alias/alpha.wrke.io" entityID="https://www.alpha.wrke.io/account/1401896/alias/alpha.wrke.io"><md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDZTCCAk2gAwIBAgIJAN/SEJKXNLDZMA0GCSqGSIb3DQEBCwUAMHIxCzAJBgNVBAYTAlVTMQsw
    CQYDVQQIEwJDQTELMAkGA1UEBxMCQ0ExEjAQBgNVBAoTCVdyaWtlIERldjEhMB8GA1UECxMYRG9t
    YWluIENvbnRyb2wgVmFsaWRhdGVkMRIwEAYDVQQDDAkqLndya2UuaW8wHhcNMTgwMjA4MTI0NDUx
    WhcNMjAwMjA4MTI0NDUxWjByMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAkNB
    MRIwEAYDVQQKEwlXcmlrZSBEZXYxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDES
    MBAGA1UEAwwJKi53cmtlLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqtPebxuF
    FoqVuVjj0rb5/scqWGFSHolDcRELcYAIMADNe/MBee5thsL8dGGThsJByQevME38yxz6XRBUnOyJ
    +Usnij+DGjk8UoRj+qqUAxRsWq6qbqWmo071VTqQtOtNZqdExQUwYsO4KLSb1OMi9JLKBdYD6z52
    LYE+T8o4wsTOPlmSYgZafMG8Wod+7d9JndxBCjRJtgHlDjPM7Vl0O4aI/FyRJqg3RPb2UiuLfPr+
    TDGdbxwvOwEHujBRm5DVUXrniYLz2yrNKWECcxuJ2XPQRf2a9gzCxjvQwWMqwL5s/62TPf21p6en
    ZgkXKKZVOH0XydPsJlsP6vZh4mJKWQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBnKtGtiPVaaGT4
    Rw2imoLLiTEm3uGFqUy0jc5A7Pzb/BapMr6v1KKm4ugy36iECeQiBxcenGuLG3Iq/nU+DzhCgFoO
    ffkheaIPGyvOBoD1QFGYHe6YP3J8DtZAXrHqbiwMtKOFoaSzp8FwcQSCOTqNM1tSYjVU2hvr4/LD
    DT74Ceb7s8LmE83p9/YvQsKBpJ2EyvxShCCorNzxv5A3gIyfkVrPSH8vvaiU5ITiN5xb1X4OHRPi
    tLVhoU4e04j779pBLp1iGcmyFaZw7+sAQPscmFMQm5pH0ut0LKyBHdGMwEfzoy0l759tRltPmQk5
    jp5goGEoHcFl9ZbKnSY8zpY9</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDZTCCAk2gAwIBAgIJAN/SEJKXNLDZMA0GCSqGSIb3DQEBCwUAMHIxCzAJBgNVBAYTAlVTMQsw
    CQYDVQQIEwJDQTELMAkGA1UEBxMCQ0ExEjAQBgNVBAoTCVdyaWtlIERldjEhMB8GA1UECxMYRG9t
    YWluIENvbnRyb2wgVmFsaWRhdGVkMRIwEAYDVQQDDAkqLndya2UuaW8wHhcNMTgwMjA4MTI0NDUx
    WhcNMjAwMjA4MTI0NDUxWjByMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAkNB
    MRIwEAYDVQQKEwlXcmlrZSBEZXYxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDES
    MBAGA1UEAwwJKi53cmtlLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqtPebxuF
    FoqVuVjj0rb5/scqWGFSHolDcRELcYAIMADNe/MBee5thsL8dGGThsJByQevME38yxz6XRBUnOyJ
    +Usnij+DGjk8UoRj+qqUAxRsWq6qbqWmo071VTqQtOtNZqdExQUwYsO4KLSb1OMi9JLKBdYD6z52
    LYE+T8o4wsTOPlmSYgZafMG8Wod+7d9JndxBCjRJtgHlDjPM7Vl0O4aI/FyRJqg3RPb2UiuLfPr+
    TDGdbxwvOwEHujBRm5DVUXrniYLz2yrNKWECcxuJ2XPQRf2a9gzCxjvQwWMqwL5s/62TPf21p6en
    ZgkXKKZVOH0XydPsJlsP6vZh4mJKWQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBnKtGtiPVaaGT4
    Rw2imoLLiTEm3uGFqUy0jc5A7Pzb/BapMr6v1KKm4ugy36iECeQiBxcenGuLG3Iq/nU+DzhCgFoO
    ffkheaIPGyvOBoD1QFGYHe6YP3J8DtZAXrHqbiwMtKOFoaSzp8FwcQSCOTqNM1tSYjVU2hvr4/LD
    DT74Ceb7s8LmE83p9/YvQsKBpJ2EyvxShCCorNzxv5A3gIyfkVrPSH8vvaiU5ITiN5xb1X4OHRPi
    tLVhoU4e04j779pBLp1iGcmyFaZw7+sAQPscmFMQm5pH0ut0LKyBHdGMwEfzoy0l759tRltPmQk5
    jp5goGEoHcFl9ZbKnSY8zpY9</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDZDCCAkygAwIBAgIIJ2fk6TevwxwwDQYJKoZIhvcNAQELBQAwcjELMAkGA1UEBhMCVVMxCzAJ
    BgNVBAgTAkNBMQswCQYDVQQHEwJDQTESMBAGA1UEChMJV3Jpa2UgRGV2MSEwHwYDVQQLExhEb21h
    aW4gQ29udHJvbCBWYWxpZGF0ZWQxEjAQBgNVBAMMCSoud3JrZS5pbzAeFw0xODAyMTIwOTA5MjBa
    Fw0yMDAyMTIwOTA5MjBaMHIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTELMAkGA1UEBxMCQ0Ex
    EjAQBgNVBAoTCVdyaWtlIERldjEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRIw
    EAYDVQQDDAkqLndya2UuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsOPaQFoZR
    vnhzGqo3cEorq3Rj3WweRouJYi3yByg0nhm1QJnRnXEags5jUkJd4uw0biZdmcKYeTo2ER9cOgN7
    yH1q/DMAI31zixMip0Fl9XHUTXwZV0/hd3CRDdO+ieHsnmywRyouuIMaTDYObyyMOI8Q7WSBbucu
    pM16fBn8ajf+lzEtzhS0MQ9hZxX3EZTjxGz+eGIkW0P8IJs4JYnJd32DvQwfOWmNFE0sy72PGh9b
    A38iN9lCHNMqbA2x4AcR7q3DEVzLMSyOfRf7u8vy4HJgwPRTwBdbjqadbERmQ0HGlWeIy/SgW7X5
    bX5xWfOscNNSY6CgTWoq8CHqKzd9AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGNp4NsZ4tk9rJUq
    BGBWnPrdhI1vJmUh8wqHWXAXTRZWspEiHgjTEj9AC+PUsGjzBUFdw02eBVJUrYbDhO8e+dnxtdlv
    X2fVKJ3tSACv6rHlcvTnDUISP5pBBzLC2hnPKxUeFzhYzUk0wZmAkdhE1afalchPvtO7orqHc8SK
    fU7XR/mNEwhJu+32A1DO+hRDA1FHcqizEBV/FpkKURXH2IBeBiCd+nspWFBTF5qUhZS56x1JMIhB
    nKJm7uY2xL/iPDjDqbHoUPuyxWcTHLLZrHFXH4ulDyAtNCBWST6XNGb9lzkbufCGl4PDxqPt/sI4
    HpuAYSgX+LgWExVOiy4SsCg=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDZDCCAkygAwIBAgIIJ2fk6TevwxwwDQYJKoZIhvcNAQELBQAwcjELMAkGA1UEBhMCVVMxCzAJ
    BgNVBAgTAkNBMQswCQYDVQQHEwJDQTESMBAGA1UEChMJV3Jpa2UgRGV2MSEwHwYDVQQLExhEb21h
    aW4gQ29udHJvbCBWYWxpZGF0ZWQxEjAQBgNVBAMMCSoud3JrZS5pbzAeFw0xODAyMTIwOTA5MjBa
    Fw0yMDAyMTIwOTA5MjBaMHIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTELMAkGA1UEBxMCQ0Ex
    EjAQBgNVBAoTCVdyaWtlIERldjEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRIw
    EAYDVQQDDAkqLndya2UuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsOPaQFoZR
    vnhzGqo3cEorq3Rj3WweRouJYi3yByg0nhm1QJnRnXEags5jUkJd4uw0biZdmcKYeTo2ER9cOgN7
    yH1q/DMAI31zixMip0Fl9XHUTXwZV0/hd3CRDdO+ieHsnmywRyouuIMaTDYObyyMOI8Q7WSBbucu
    pM16fBn8ajf+lzEtzhS0MQ9hZxX3EZTjxGz+eGIkW0P8IJs4JYnJd32DvQwfOWmNFE0sy72PGh9b
    A38iN9lCHNMqbA2x4AcR7q3DEVzLMSyOfRf7u8vy4HJgwPRTwBdbjqadbERmQ0HGlWeIy/SgW7X5
    bX5xWfOscNNSY6CgTWoq8CHqKzd9AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGNp4NsZ4tk9rJUq
    BGBWnPrdhI1vJmUh8wqHWXAXTRZWspEiHgjTEj9AC+PUsGjzBUFdw02eBVJUrYbDhO8e+dnxtdlv
    X2fVKJ3tSACv6rHlcvTnDUISP5pBBzLC2hnPKxUeFzhYzUk0wZmAkdhE1afalchPvtO7orqHc8SK
    fU7XR/mNEwhJu+32A1DO+hRDA1FHcqizEBV/FpkKURXH2IBeBiCd+nspWFBTF5qUhZS56x1JMIhB
    nKJm7uY2xL/iPDjDqbHoUPuyxWcTHLLZrHFXH4ulDyAtNCBWST6XNGb9lzkbufCGl4PDxqPt/sI4
    HpuAYSgX+LgWExVOiy4SsCg=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://alpha.wrke.io/saml/SingleLogout/account/1401896/alias/alpha.wrke.io"/><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://alpha.wrke.io/saml/SingleLogout/account/1401896/alias/alpha.wrke.io"/><md:NameIDFormat xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://alpha.wrke.io/saml/SSO/account/1401896/alias/alpha.wrke.io" index="0" isDefault="true"/><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://alpha.wrke.io/saml/SSO/account/1401896/alias/alpha.wrke.io" index="1"/><md:AttributeConsumingService index="0" isDefault="true" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
                <md:ServiceName xmlns:xml="http://www.w3.org/XML/1998/namespace" xml:lang="en">Wrike</md:ServiceName>
                <md:RequestedAttribute Name="firstName"/>
                <md:RequestedAttribute Name="lastName"/>
            </md:AttributeConsumingService></md:SPSSODescriptor></md:EntityDescriptor>

    The old and new encryption certificates have the same issuer and subject.

    So the question is: does AD FS support multiple encryption certificates, and how do I configure it properly?

    Wednesday, February 14, 2018 9:41 AM

All replies

  • AD FS supports only a single encryption certificate. A second one can be added and kept in place, ready to switch to when desired. However, only one encryption certificate may be configured as primary.
    Wednesday, February 14, 2018 6:13 PM
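The practical consequence of the answer above is that SP metadata carrying two `use="encryption"` KeyDescriptors has to be trimmed to one before AD FS will import it, while both signing KeyDescriptors can stay. The script below is an added example for this thread, not code from the original poster or from Microsoft. It parses SP metadata, reports the SHA-1 thumbprints of every encryption-capable KeyDescriptor (the same value AD FS shows as the certificate thumbprint), and rewrites the metadata so each SPSSODescriptor keeps exactly one of them, either the one you name by thumbprint or, by default, the last one listed. The embedded `SAMPLE_METADATA`, the `sp.example.test` entity ID and the two placeholder certificate blobs are constructed for the demonstration and are not real DER certificates; on real metadata the thumbprints will match what `Get-AdfsRelyingPartyTrust` reports.

```python
"""Trim SAML 2.0 SP metadata to a single encryption KeyDescriptor for AD FS import.

Added example for this thread, not code from the original poster or Microsoft.
SAMPLE_METADATA is constructed: its X509Certificate elements hold base64 of
placeholder bytes rather than real DER certificates.
"""
import base64
import hashlib
from typing import List, Optional, Tuple
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)


def _parse(metadata_xml) -> ET.Element:
    data = metadata_xml.encode("utf-8") if isinstance(metadata_xml, str) else metadata_xml
    return ET.fromstring(data)


def cert_thumbprint(b64_cert: str) -> str:
    """SHA-1 over the DER bytes, uppercase hex: what AD FS reports as Thumbprint."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha1(der).hexdigest().upper()


def _descriptor_thumbprint(kd: ET.Element) -> str:
    cert = kd.find(f".//{{{DS_NS}}}X509Certificate")
    if cert is None or not cert.text:
        raise ValueError("KeyDescriptor without an X509Certificate")
    return cert_thumbprint(cert.text)


def _is_encryption(kd: ET.Element) -> bool:
    # In SAML metadata a KeyDescriptor with no 'use' attribute serves both roles.
    return kd.get("use") in (None, "encryption")


def encryption_thumbprints(metadata_xml) -> List[str]:
    """Thumbprints of every encryption-capable KeyDescriptor, in document order."""
    root = _parse(metadata_xml)
    return [_descriptor_thumbprint(kd)
            for sp in root.iter(f"{{{MD_NS}}}SPSSODescriptor")
            for kd in sp.findall(f"{{{MD_NS}}}KeyDescriptor") if _is_encryption(kd)]


def select_single_encryption_cert(metadata_xml,
                                  keep_thumbprint: Optional[str] = None) -> Tuple[str, List[str]]:
    """Keep one encryption KeyDescriptor per SPSSODescriptor: the one whose thumbprint
    equals keep_thumbprint, or the last one listed when keep_thumbprint is None.
    Signing KeyDescriptors are untouched; a dual-use descriptor (no 'use') that loses
    the encryption role is demoted to use="signing" instead of being removed.
    Returns (rewritten XML, thumbprints that lost the encryption role)."""
    root = _parse(metadata_xml)
    dropped: List[str] = []
    for sp in root.iter(f"{{{MD_NS}}}SPSSODescriptor"):
        enc = [kd for kd in sp.findall(f"{{{MD_NS}}}KeyDescriptor") if _is_encryption(kd)]
        if len(enc) <= 1:
            continue  # already acceptable to AD FS
        thumbs = [_descriptor_thumbprint(kd) for kd in enc]
        if keep_thumbprint is None:
            keep = len(enc) - 1
        elif keep_thumbprint.upper() in thumbs:
            keep = thumbs.index(keep_thumbprint.upper())
        else:
            raise ValueError(f"no encryption certificate with thumbprint {keep_thumbprint}")
        for i, kd in enumerate(enc):
            if i == keep:
                continue
            if kd.get("use") is None:
                kd.set("use", "signing")  # keep its signing role, drop encryption
            else:
                sp.remove(kd)
            dropped.append(thumbs[i])
    return ET.tostring(root, encoding="unicode"), dropped


# Constructed stand-ins for the old and new SP certificates (not real DER).
OLD_CERT = base64.b64encode(b"placeholder DER: old SP certificate").decode()
NEW_CERT = base64.b64encode(b"placeholder DER: new SP certificate").decode()


def _kd(use: str, cert: str) -> str:
    return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo xmlns:ds="{DS_NS}"><ds:X509Data>'
            f'<ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
            f'</md:KeyDescriptor>')


# Same shape as the poster's metadata: old signing + encryption, then new signing + encryption.
SAMPLE_METADATA = (
    f'<?xml version="1.0" encoding="UTF-8"?>'
    f'<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://sp.example.test/saml">'
    f'<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" '
    f'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + _kd("signing", OLD_CERT) + _kd("encryption", OLD_CERT)
    + _kd("signing", NEW_CERT) + _kd("encryption", NEW_CERT)
    + '<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'Location="https://sp.example.test/saml/SSO" index="0" isDefault="true"/>'
    '</md:SPSSODescriptor></md:EntityDescriptor>'
)

if __name__ == "__main__":
    trimmed, dropped = select_single_encryption_cert(SAMPLE_METADATA)
    print("encryption role dropped for:", dropped)
    print("encryption cert left in metadata:", encryption_thumbprints(trimmed))
```

Import the trimmed file (for example with `Set-AdfsRelyingPartyTrust -TargetName '<trust>' -MetadataFile .\trimmed.xml`, or the management console wizard), then confirm that `(Get-AdfsRelyingPartyTrust -Name '<trust>').EncryptionCertificate.Thumbprint` is the one you kept and that `RequestSigningCertificate` still lists both signing certificates. Whichever encryption certificate you keep is the key AD FS encrypts assertions to, so the SP must hold its private key and should be able to decrypt with both keys during the overlap window; when you are ready to move to the new key, rerun the script with `keep_thumbprint` set to the new thumbprint and import again.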