Error when sign in customer portal hosted by azure using Live ID

  • Question

  • I get the following error when I try to log in to my Azure hosted customer portal. Are we supposed to generate a rule under the rule groups in the Azure Access Control section? This was not a documented step. Can anyone help with this please?

    Server Error in '/' Application.



    The X.509 certificate CN=zaloutions.accesscontrol.windows.net is not in
    the trusted people store. The X.509 certificate
    CN=zaloutions.accesscontrol.windows.net chain building failed. The certificate
    that was used has a trust chain that cannot be verified. Replace the certificate
    or change the certificateValidationMode. A certificate chain processed, but
    terminated in a root certificate which is not trusted by the trust
    provider.

    Description:
    An unhandled exception occurred during the execution of the current web
    request. Please review the stack trace for more information about the error and
    where it originated in the code.

    Exception Details:
    System.IdentityModel.Tokens.SecurityTokenValidationException: The X.509
    certificate CN=zaloutions.accesscontrol.windows.net is not in the trusted people
    store. The X.509 certificate CN=zaloutions.accesscontrol.windows.net chain
    building failed. The certificate that was used has a trust chain that cannot be
    verified. Replace the certificate or change the certificateValidationMode. A
    certificate chain processed, but terminated in a root certificate which is not
    trusted by the trust provider.


    Source Error:
    An unhandled exception was generated during the execution of the
    current web request. Information regarding the origin and location of the
    exception can be identified using the exception stack trace below.

    Stack Trace:
    [SecurityTokenValidationException: The X.509 certificate CN=zaloutions.accesscontrol.windows.net is not in the trusted people store. The X.509 certificate CN=zaloutions.accesscontrol.windows.net chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
    ]
       System.IdentityModel.Selectors.PeerOrChainTrustValidator.Validate(X509Certificate2 certificate) +958412
       Microsoft.IdentityModel.X509CertificateValidatorEx.Validate(X509Certificate2 certificate) +275
       Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateToken(SecurityToken token) +472
       Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token) +117
       Microsoft.Xrm.Portal.IdentityModel.Web.Modules.WSFederationAuthenticationModuleExtensions.GetClaimsPrincipal(WSFederationAuthenticationModule fam, HttpContext context) +218
       Microsoft.Xrm.Portal.IdentityModel.Web.Modules.WSFederationAuthenticationModuleExtensions.GetSessionSecurityToken(WSFederationAuthenticationModule fam, HttpContext context, String& identityProvider, String& userName, String& email, String& displayName, String emailClaimType, String displayNameClaimType, String identityProviderClaimType) +150
       Microsoft.Xrm.Portal.IdentityModel.Web.Handlers.FederationAuthenticationHandler.GetSessionSecurityToken(HttpContext context, WSFederationAuthenticationModule fam, IDictionary`2 signInContext, String& identityProvider, String& userName, String& email, String& displayName) +288
       Microsoft.Xrm.Portal.IdentityModel.Web.Handlers.FederationAuthenticationHandler.TryHandleSignInResponse(HttpContext context, WSFederationAuthenticationModule fam, IDictionary`2 signInContext) +199
       Microsoft.Xrm.Portal.IdentityModel.Web.Handlers.FederationAuthenticationHandler.TryHandleSignInResponse(HttpContext context, WSFederationAuthenticationModule fam) +120
       Microsoft.Xrm.Portal.IdentityModel.Web.Handlers.FederationAuthenticationHandler.ProcessRequest(HttpContext context) +530
    
    [FederationAuthenticationException: Federated sign-in error.]
       Microsoft.Xrm.Portal.IdentityModel.Web.Handlers.FederationAuthenticationHandler.ProcessRequest(HttpContext context) +1204
       System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +625
       System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +270
    




    Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET
    Version:4.0.30319.272
    Thursday, May 3, 2012 12:07 AM


All replies

  • You do have to generate a new rule; the documentation has this section:

    If this is the first relying party application, check the box to Create new rule group which creates a default rule group when saved. Subsequent relying party applications may share this default rule group rather than creating a new one.

    Let us know if you get documentation from some other location and it's missing instructions.

    Saturday, May 5, 2012 12:36 AM
  • Hi Sergey

    Yes but there is another step after the step you mentioned.  Once a new rule group is created, you actually need to go into that new rule group and add a new rule (as opposed to rule group) inside that rule group.

    I also forgot to add the last line in the web.config which resolved the issue:

    <certificateValidation certificateValidationMode="None"/>

    Overall the portal works well in Azure (just a bit slow).  The only problem is waiting for CRM 2011 Online to be upgraded to Rollup 7 so I can import the Customer Portal version 1.0.0013 from the marketplace as this solution does not import successfully at the moment.

    • Marked as answer by bzalloua Monday, May 7, 2012 6:16 AM
    Monday, May 7, 2012 6:09 AM
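
An added example, not part of the original thread or of the portal's code: with `certificateValidationMode="None"`, WIF no longer builds a chain or consults the trusted people store for the token-signing certificate, so the thumbprint pinned under `issuerNameRegistry` is the remaining certificate check. This Python check audits a web.config for that combination; the sample config, the placeholder thumbprint, the function names and the ok/review/high levels are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a WIF 1.0 section using the setting from the answer.
# The thumbprint and issuer name are placeholders, not values from the thread.
SAMPLE_WEB_CONFIG = """<configuration>
  <microsoft.identityModel>
    <service>
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel">
        <trustedIssuers>
          <add thumbprint="0000000000000000000000000000000000000000" name="https://example-namespace.accesscontrol.windows.net/" />
        </trustedIssuers>
      </issuerNameRegistry>
      <certificateValidation certificateValidationMode="None" />
    </service>
  </microsoft.identityModel>
</configuration>"""

DEFAULT_MODE = "PeerOrChainTrust"  # matches the validator in the stack trace


def pinned_thumbprints(service):
    """Return normalized 40-hex-digit thumbprints listed under trustedIssuers."""
    pins = []
    for add in service.findall("issuerNameRegistry/trustedIssuers/add"):
        # Drop spaces and invisible characters that come along when a
        # thumbprint is pasted from the certificate dialog.
        tp = re.sub(r"[^0-9A-Fa-f]", "", add.get("thumbprint", "")).upper()
        if len(tp) == 40:
            pins.append(tp)
    return pins


def audit_wif_config(xml_text):
    """Return one finding per <service> in the microsoft.identityModel section."""
    findings = []
    for section in ET.fromstring(xml_text).iter("microsoft.identityModel"):
        for service in section.findall("service"):
            cv = service.find("certificateValidation")
            mode = DEFAULT_MODE if cv is None else cv.get("certificateValidationMode", DEFAULT_MODE)
            pins = pinned_thumbprints(service)
            if mode != "None":
                level = "ok"        # store or chain validation still runs
            elif pins:
                level = "review"    # the pinned thumbprint is the only certificate check
            else:
                level = "high"      # no validation and no usable pin
            findings.append({"mode": mode, "pinned": pins, "level": level})
    return findings
```

A "review" result means the pinned thumbprint has to be kept in step with the Access Control namespace's signing certificate, since nothing else in the configuration vouches for it.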
  • Thanks, we'll make sure the latest documentation gets updated with the next release.
    Saturday, May 12, 2012 1:33 AM