ADFS 2.0 – request token for service in different AD


I have the following scenario:

Active Directory 1: WCF Client, ADFS 2.0 (STS)

Active Directory 2: WCF service (Relying Party)

I have added the RP to the ADFS but when I request a token from the ADFS I receive the following error: System.ServiceModel.FaultException: ID3242: The security token could not be authenticated or authorized.

Looking at the event log of the ADFS I find the matching error:

An error occurred during an attempt to build the certificate chain for
the relying party trust 'http://XXXXX/Service1/' certificate
identified by thumbprint 'XXXXXXXXXXXX'. Possible causes are that the
certificate has been revoked, the certificate chain could not be
verified as specified by the relying party trust's encryption
certificate revocation settings or certificate is not within its
validity period.

You can use Windows PowerShell commands for AD FS 2.0 to configure the
revocation settings for the relying party encryption certificate.
Relying party trust's encryption certificate revocation settings:
CheckChainExcludeRoot The following errors occurred while building
the certificate chain: Unknown error. Unknown error.

User Action: Ensure that the relying party trust's encryption
certificate is valid and has not been revoked. Ensure that AD FS 2.0
can access the certificate revocation list if the revocation setting
does not specify "none" or a "cache only" setting. Verify your proxy
server setting. For more information about how to verify your proxy
server setting, see the AD FS 2.0 Troubleshooting Guide

Looks like the ADFS does not trust the signing certificate from the RP (understandable, the CA which issued the Signing certificate is in a different AD).
The Certificate Revocation List is reachable from both Active Directories.

I have added the CA certificate to the Trusted Root Certificates of the "Local Computer", but I think the problem is the validation mechanism.

What do I have to configure to get the ADFS to issue a token signed with the proper certificate or how can I convince the ADFS that the certificate is valid?


I have tried changing the revocation check with the PowerShell command:

 Set-ADFSRelyingPartyTrust  -SigningCertificateRevocationCheck CheckEndCert

but with no luck:
Set-ADFSRelyingPartyTrust : Parameter set cannot be resolved using the specified named parameters.

At line:1 char:26
+ Set-ADFSRelyingPartyTrust <<<<   -SigningCertificateRevocationCheck CheckEndCert
    + CategoryInfo          : InvalidArgument: (:) [Set-ADFSRelyingPartyTrust], ParameterBindingException
    + FullyQualifiedErrorId : AmbiguousParameterSet,Microsoft.IdentityServer.PowerShell.Commands.SetRelyingPartyTrustC

This worked:

(Get-ADFSRelyingPartyTrust) | Set-ADFSRelyingPartyTrust  -EncryptionCertificateRevocationCheck CheckEndCert

but now my client in Active Directory 1 complains about the certificate…

System.ServiceModel.Security.SecurityNegotiationException: SOAP
security negotiation with
'http://XXXXXXXXXXXXXXXXX/Service1/' failed. See inner exception for
more details. --->
System.IdentityModel.Tokens.SecurityTokenValidationException: The
X.509 certificate CN=RP-Service chain building failed. The certificate
that was used has a trust chain that cannot be verified. Replace the
certificate or change the certificateValidationMode. A certificate
chain could not be built to a trusted root authority.
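The command that worked above pipes every relying party trust into Set-ADFSRelyingPartyTrust, so the revocation setting changes for all RPs at once. As an added example that is not part of the original post, the following AD FS 2.0 PowerShell scopes the change to the one trust, and first rebuilds the certificate chain the way AD FS does so that the real chain error is visible instead of the "Unknown error" in the event log. The RP identifier and the assumption that the trust exposes its encryption certificate through the EncryptionCertificate property are placeholders; replace the identifier with the one from your own event log entry.

```powershell
# Added example, not from the original post. Assumes the AD FS 2.0 snap-in and
# an RP identifier of your own; 'http://rp.example.com/Service1/' is a placeholder.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpId = 'http://rp.example.com/Service1/'   # assumed placeholder identifier

$rp = Get-ADFSRelyingPartyTrust -Identifier $rpId
if (-not $rp) { throw "No relying party trust with identifier $rpId" }

# Current settings before changing anything
$rp | Select-Object Name, Identifier, EncryptionCertificateRevocationCheck, SigningCertificateRevocationCheck

# Rebuild the chain with the same policy as CheckChainExcludeRoot (online revocation,
# root excluded) to see the concrete chain status instead of "Unknown error".
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
if ($rp.EncryptionCertificate) {
    $ok = $chain.Build($rp.EncryptionCertificate)
    "Chain build for encryption cert {0}: {1}" -f $rp.EncryptionCertificate.Thumbprint, $ok
    $chain.ChainStatus | ForEach-Object { "  {0}: {1}" -f $_.Status, $_.StatusInformation.Trim() }
}

# Relax revocation checking for this RP only. This changes how revocation is checked,
# it does not replace importing the issuing CA into the AD FS server's Trusted Root store.
Set-ADFSRelyingPartyTrust -TargetIdentifier $rpId `
    -EncryptionCertificateRevocationCheck CheckEndCert `
    -SigningCertificateRevocationCheck   CheckEndCert

# Confirm the new settings on that one trust
Get-ADFSRelyingPartyTrust -Identifier $rpId |
    Select-Object Name, EncryptionCertificateRevocationCheck, SigningCertificateRevocationCheck
```

The "Parameter set cannot be resolved" error in the post comes from calling Set-ADFSRelyingPartyTrust without naming a target; -TargetIdentifier (or -TargetName, or a trust object on the pipeline) is what selects the parameter set. The valid values for both revocation parameters are None, CheckEndCert, CheckEndCertCacheOnly, CheckChain, CheckChainCacheOnly, CheckChainExcludeRoot and CheckChainExcludeRootCacheOnly.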

Best Solution

Maybe you should try to add your RP-Service cert into Trusted People store on the machine, where your WCF client runs. That was what I did when using self-signed cert to test WCF call under federation with ADFS.
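As an added example that is not part of the answer above, this PowerShell does the import the answer suggests on the WCF client machine: it adds the RP service certificate to the Trusted People store of the local computer and verifies that the thumbprint is now present. The path to the exported .cer file is an assumption.

```powershell
# Added example, not from the original answer. Run on the WCF client machine in
# Active Directory 1. The .cer path is assumed; export only the public certificate.
$certPath = 'C:\certs\RP-Service.cer'   # assumed: public cert of CN=RP-Service

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
"Importing {0} (thumbprint {1}, expires {2})" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter

# Trusted People of the local computer; this is the store WCF's PeerTrust consults
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPeople', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    if ($store.Certificates.Contains($cert)) {
        "Certificate already present in Trusted People"
    } else {
        $store.Add($cert)
        "Certificate added to Trusted People"
    }
} finally {
    $store.Close()
}

# Verify: the thumbprint must now resolve in the Trusted People store
Get-ChildItem Cert:\LocalMachine\TrustedPeople |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Select-Object Subject, Thumbprint, NotAfter
```

Trusted People is only consulted when the client's certificate validation mode is PeerTrust or PeerOrChainTrust; the default ChainTrust keeps trying to build a chain to a trusted root, which is the failure quoted in the question. In the client's WCF configuration that is the `<authentication certificateValidationMode="PeerOrChainTrust" trustedStoreLocation="LocalMachine" />` element under `<clientCredentials><serviceCertificate>`; trustedStoreLocation defaults to CurrentUser, so set it to LocalMachine to match the store used above.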
