SHA-2 certificate update; claims authentication broke RRS feed

  • Question

  • Hi -

    We replaced the certificates on our portal site and our SharePoint site with SHA-2 certificates. I recreated the new trust using the scripts below and recreated the trusted identity provider. When I try to access the site now, it tries to redirect but fails with the following error in the log (identifying info removed):

    016-05-25 08:10:16,303 [25] ERROR DefaultLogger [(null)] - Error in Authentication
    System.ApplicationException: No certificate was found for subject Name CN=*.xxx.xxx.xxx, OU=xxxxxx, O=xxxx xxxx xxxx, L=xxxxxx, S=xxxxxx, C=US
       at CertificateUtil.GetCertificate(StoreName name, StoreLocation location, String subjectName)
       at CustomSecurityTokenServiceConfiguration..ctor()
       at CustomSecurityTokenServiceConfiguration.get_Current()
       at xxx.UI.Controllers.AccountController.ManageClaims(String tokenId)
       at xxxx.UI.Controllers.AccountController.LogOn()

    $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\temp\certSHA2.cer")
    New-SPTrustedRootAuthority -Name "Portal Token Signing Root Authority" -Certificate $root

    Are there any SHA-2 compatibility problems with SharePoint 2013? I've added the certificate through IIS and verified it's in the Personal and Trusted People certificate stores.

    • Edited by XRS Wednesday, May 25, 2016 5:35 PM
    Wednesday, May 25, 2016 5:34 PM

Answers

  • This is resolved. The new certificate was missing the OU information (OU=xxxxxx, O=xxxx xxxx xxxx), so we modified our application web.config and removed that value from

    <appSettings>
        <add key="IssuerName" value="PassiveSigninSTS"/>
        <add key="SigningCertificateName" value="CN=*.xxx.xxx.xxx, S=xxxxxx, C=US"/>
        <add key="EncryptingCertificateName" value=""/>
    </appSettings>


    • Proposed as answer by Alex Brassington Wednesday, June 8, 2016 1:35 PM
    • Marked as answer by Dean_Wang Wednesday, June 15, 2016 10:48 AM
    Wednesday, June 8, 2016 1:18 PM
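    The failure above is a subject-DN string mismatch, not a SHA-2 problem. The following script is an added example (not from this thread or from SharePoint) that reproduces the same lookup the STS performs against the local store, so a stale SigningCertificateName in web.config is caught before users see the error. It assumes the web.config path given as a parameter (placeholder) and that the STS's CertificateUtil uses FindBySubjectDistinguishedName, as the WIF sample helper of that name does; that find type requires the full DN to match exactly, which is why a dropped OU/O breaks it.

```powershell
# Added example: check the configured signing-certificate subject against the local store.
# Assumptions: the web.config path is a placeholder; the STS looks certificates up with
# FindBySubjectDistinguishedName (exact full-DN match), like the WIF sample CertificateUtil.
param(
    [string]$WebConfigPath = 'C:\inetpub\wwwroot\portal\web.config',   # placeholder path
    [System.Security.Cryptography.X509Certificates.StoreName]$StoreName = 'My',
    [System.Security.Cryptography.X509Certificates.StoreLocation]$StoreLocation = 'LocalMachine'
)

[xml]$config = Get-Content -Path $WebConfigPath -Raw
$setting = $config.configuration.appSettings.add | Where-Object { $_.key -eq 'SigningCertificateName' }
if (-not $setting -or -not $setting.value) {
    throw "SigningCertificateName has no value attribute in $WebConfigPath"
}
$subjectName = $setting.value

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $StoreLocation)
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
try {
    # Exact full-DN comparison: a missing OU/O or a reordered RDN returns nothing here
    $found = $store.Certificates.Find(
        [System.Security.Cryptography.X509Certificates.X509FindType]::FindBySubjectDistinguishedName,
        $subjectName, $false)

    if ($found.Count -gt 0) {
        foreach ($cert in $found) {
            'MATCH      {0}  thumbprint={1}  sigalg={2}  expires={3}' -f $cert.Subject, $cert.Thumbprint,
                $cert.SignatureAlgorithm.FriendlyName, $cert.NotAfter
        }
    } else {
        Write-Warning "No certificate in $StoreLocation\$StoreName has subject '$subjectName'"
        # Show certificates sharing the CN so the real subject (and its signature algorithm) is visible
        $cn = ($subjectName -split ',')[0].Trim()
        $store.Certificates |
            Where-Object { $_.Subject.StartsWith($cn, [System.StringComparison]::OrdinalIgnoreCase) } |
            ForEach-Object {
                'CANDIDATE  {0}  thumbprint={1}  sigalg={2}' -f $_.Subject, $_.Thumbprint,
                    $_.SignatureAlgorithm.FriendlyName
            }
    }
} finally {
    $store.Close()
}
```

    Run it on the STS server as a user that can read the LocalMachine\My store; a CANDIDATE line with a different DN than the configured value is the mismatch to fix in web.config (or by reissuing the certificate with the expected subject).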

All replies

  • I don't believe it does support SHA-2, but can't say for 100% certain. What I would do is set up a network trace on the server and client to watch the TLS handshake and see what, if any, errors you see.

    EDIT: This is for SHA-2 for ADFS token signing cert?


    Trevor Seward

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.


    Wednesday, June 8, 2016 2:44 AM