Sign in
Microsoft.com
 
Microsoft
 
 
 

locked
Error when sign in customer portal hosted by azure using Live ID RRS feed

 > 

  • Question

  • Question
    Sign in to vote
    0
    Sign in to vote
    I get the following error when I try to login to my azure hosted customer portal.  Are we supposed to generate a rule under the rule groups in the Azure Access Control section as this was not a documented step.  Can anyone help with this please? 

    Server Error in '/' Application.


    The X.509 certificate CN=zaloutions.accesscontrol.windows.net is not in
    the trusted people store. The X.509 certificate
    CN=zaloutions.accesscontrol.windows.net chain building failed. The certificate
    that was used has a trust chain that cannot be verified. Replace the certificate
    or change the certificateValidationMode. A certificate chain processed, but
    terminated in a root certificate which is not trusted by the trust
    provider.

    Description:
    An unhandled exception occurred during the execution of the current web
    request. Please review the stack trace for more information about the error and
    where it originated in the code.

    Exception Details:
    System.IdentityModel.Tokens.SecurityTokenValidationException: The X.509
    certificate CN=zaloutions.accesscontrol.windows.net is not in the trusted people
    store. The X.509 certificate CN=zaloutions.accesscontrol.windows.net chain
    building failed. The certificate that was used has a trust chain that cannot be
    verified. Replace the certificate or change the certificateValidationMode. A
    certificate chain processed, but terminated in a root certificate which is not
    trusted by the trust provider.


    Source Error:
    An unhandled exception was generated during the execution of the
    current web request. Information regarding the origin and location of the
    exception can be identified using the exception stack trace below.

    Stack Trace: 
    [SecurityTokenValidationException: The X.509 certificate CN=zaloutions.accesscontrol.windows.net is not in the trusted people store. The X.509 certificate CN=zaloutions.accesscontrol.windows.net chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
]
   System.IdentityModel.Selectors.PeerOrChainTrustValidator.Validate(X509Certificate2 certificate) +958412
   Microsoft.IdentityModel.X509CertificateValidatorEx.Validate(X509Certificate2 certificate) +275
   Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateToken(SecurityToken token) +472
   Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token) +117
   Microsoft.Xrm.Portal.IdentityModel.Web.Modules.WSFederationAuthenticationModuleExtensions.GetClaimsPrincipal(WSFederationAuthenticationModule fam, HttpContext context) +218
   Microsoft.Xrm.Portal.IdentityModel.Web.Modules.WSFederationAuthenticationModuleExtensions.GetSessionSecurityToken(WSFederationAuthenticationModule fam, HttpContext context, String& identityProvider, String& userName, String& email, String& displayName, String emailClaimType, String displayNameClaimType, String identityProviderClaimType) +150
   Microsoft.Xrm.Portal.IdentityModel.Web.Handlers.FederationAuthenticationHandler.GetSessionSecurityToken(HttpContext context, WSFederationAuthenticationModule fam, IDictionary`2 signInContext, String& identityProvider, String& userName, String& email, String& displayName) +288
   Microsoft.Xrm.Portal.IdentityModel.Web.Handlers.FederationAuthenticationHandler.TryHandleSignInResponse(HttpContext context, WSFederationAuthenticationModule fam, IDictionary`2 signInContext) +199
   Microsoft.Xrm.Portal.IdentityModel.Web.Handlers.FederationAuthenticationHandler.TryHandleSignInResponse(HttpContext context, WSFederationAuthenticationModule fam) +120
   Microsoft.Xrm.Portal.IdentityModel.Web.Handlers.FederationAuthenticationHandler.ProcessRequest(HttpContext context) +530

[FederationAuthenticationException: Federated sign-in error.]
   Microsoft.Xrm.Portal.IdentityModel.Web.Handlers.FederationAuthenticationHandler.ProcessRequest(HttpContext context) +1204
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +625
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +270



    Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET
    Version:4.0.30319.272
    Thursday, May 3, 2012 12:07 AM

Answers

  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi Sergey

    Yes but there is another step after the step you mentioned.  Once a new rule group is created, you actually need to go into that new rule group and add a new rule (as opposed to rule group) inside that rule group.

    I also forgot to add the last line in the web.config which resolved the issue:

    <certificateValidation certificateValidationMode="None"/>

    Overall the portal works well in Azure (just a bit slow).  The only problem is waiting for CRM 2011 Online to be upgraded to Rollup 7 so I can import the Customer Portal version 1.0.0013 from the marketplace as this solution does not import successfully at the moment.

    • Marked as answer by bzalloua Monday, May 7, 2012 6:16 AM
    Monday, May 7, 2012 6:09 AM

All replies

  • Question
    Sign in to vote
    0
    Sign in to vote

    You do have to generate new rule, documentation has this section:

    If this is the first relying party application, check the box to Create new rule group which creates a default rule group when saved. Subsequent relying party applications may share this default rule group rather than creating a new one.

    Let us know if you get documentation from some other location and it's missing instructions.

    Saturday, May 5, 2012 12:36 AM
  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi Sergey

    Yes but there is another step after the step you mentioned.  Once a new rule group is created, you actually need to go into that new rule group and add a new rule (as opposed to rule group) inside that rule group.

    I also forgot to add the last line in the web.config which resolved the issue:

    <certificateValidation certificateValidationMode="None"/>

    Overall the portal works well in Azure (just a bit slow).  The only problem is waiting for CRM 2011 Online to be upgraded to Rollup 7 so I can import the Customer Portal version 1.0.0013 from the marketplace as this solution does not import successfully at the moment.

    • Marked as answer by bzalloua Monday, May 7, 2012 6:16 AM
    Monday, May 7, 2012 6:09 AM
  • Question
    Sign in to vote
    0
    Sign in to vote
    Thanks, we'll make sure latest documentation gets updated with next release.
    Saturday, May 12, 2012 1:33 AM