Single sign-on Authentication Using Azure AD

Surender Bollam asked on February 29, 2024 14:05

Hi,

We are planning to use single sign-on authentication using Azure AD. For this process we have registered our application URL in the Azure portal, and they have given us the client ID and security realm. We are using these details in the Kentico admin --> Settings --> Authentication --> Claim Based Authentication. Here we have enabled the WIF authentication and given the required details: Identity provider URL, Security realm, Allowed audience URIs, and Certificate validator --> selected Chain trust. We have also tried using Certificate validator as None; when set to None we get the error [IssuerNameRegistry.GetIssuerName]: Untrusted certificate. We are using the trusted CAs.

We are following this documentation:

https://devnet.kentico.com/articles/integrate-azure-active-directory-with-kentico

After going through the above process we are able to redirect to the Microsoft login page. After successfully logging in we are getting this error.

Can you please suggest a solution for how to solve this error?


Error Log:

The X.509 certificate CN=accounts.accesscontrol.windows.net chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

Configuration we are using :

identity provider url: https://login.microsoftonline.com/clientid/wsfed --> clientId we have generated through azure portal

Security Realm : https://example.portal.com/

Allowed Audience Url : https://example.portal.com/

Trusted Certificate Thumb Print :

Certificate Validator : Chain trust

Recent Answers


Juraj Ondrus answered on March 1, 2024 05:32

Where are you getting the certificate from? Is it from trusted authority?

0 votes

Surender Bollam answered on March 1, 2024 09:46 (last edited on March 1, 2024 19:57)

Hi Juraj, thanks for the response.

We are following this documentation for generating the X509 certificate thumbprint, and we are using this:

https://devnet.kentico.com/articles/integrate-azure-active-directory-with-kentico

We are getting this error when using Certificate validator as Peer trust:

The X.509 certificate CN=accounts.accesscontrol.windows.net is not in the trusted people store.

0 votes

Juraj Ondrus answered on March 4, 2024 05:20

That article is just a proof of concept. I would recommend using Google to search for the untrusted certificate error - there are many discussions and articles on this topic. This is not related to Kentico.

0 votes

Surender Bollam answered on March 7, 2024 15:30

Hi Juraj,

Thanks for the response.

We are using the trusted certificate, which is licensed, and this certificate is also available in Manage Computer Certificate --> Trusted People.

But we are getting this error: The X.509 certificate CN=accounts.accesscontrol.windows.net chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

Can you please suggest which certificate needs to be imported and where?

0 votes

Surender Bollam answered on March 7, 2024 17:53

Hi Juraj,

Thanks for the response.

This is the process we are currently following to use single sign-on authentication using Azure AD claims-based authentication from Kentico settings.

The certificate which we are using is secured and licensed; it is present in Manage Computer Certificate --> Trusted People.

Claims-based authentication process we are following:

identity provider url: https://login.microsoftonline.com/clientid/wsfed --> clientId we have generated through azure portal

Security Realm : https://example.portal.com/

Allowed Audience Url : https://example.portal.com/

Trusted Certificate Thumb Print:

For generating the thumbprint we are following this process:

1. https://login.microsoftonline.com/clientid/federationmetadata/2007-06/federationmetadata.xml --> pasting this URL in the browser, and by using a SAML tool we are trying to generate the thumbprint. This thumbprint we are using in the Trusted Certificate Thumb Print setting.

(or)

Do we need to use the thumbprint from the certificate configuration?

Certificate Validator : Chain trust (under Manage Computer Certificate --> Trusted People, so using this as referred from the Kentico documentation https://docs.kentico.com/k10/managing-users/user-registration-and-authentication/claims-based-authentication)

When we use Certificate Validator as Chain Trust we are getting this error:

The X.509 certificate CN=accounts.accesscontrol.windows.net is not in the trusted people store. The X.509 certificate CN=accounts.accesscontrol.windows.net chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

When checked with Certificate Validator as None, we are getting this error:

[IssuerNameRegistry.GetIssuerName]: Untrusted certificate.

When checked with Certificate Validator as Peer Trust, we are getting this error:

The X.509 certificate CN=accounts.accesscontrol.windows.net is not in the trusted people store.

Can you please suggest where we are going wrong and which certificate needs to be imported and where?

0 votes
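
The thumbprint step described in the post above (reading the signing certificate out of the federation metadata) can be done without a web tool; the following is an added example, not part of the thread and not Kentico or Microsoft code. A certificate thumbprint is the SHA-1 hash of the certificate's DER bytes; the function names are hypothetical, and the sample metadata is constructed, with placeholder bytes standing in for real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def signing_thumbprints(metadata_xml):
    """SHA-1 thumbprints (uppercase hex) of each distinct signing certificate."""
    found = []
    for kd in ET.fromstring(metadata_xml).iter("{%s}KeyDescriptor" % MD):
        # A KeyDescriptor without a "use" attribute may also be used for signing.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter("{%s}X509Certificate" % DS):
            # Base64 text may be wrapped across lines; drop all whitespace first.
            der = base64.b64decode("".join((cert.text or "").split()))
            thumbprint = hashlib.sha1(der).hexdigest().upper()
            if thumbprint not in found:  # a cert may repeat under several roles
                found.append(thumbprint)
    return found

def normalize_thumbprint(value):
    """Keep hex digits only: drops spaces, colons and invisible pasted characters."""
    return "".join(ch for ch in value.upper() if ch in "0123456789ABCDEF")

def thumbprint_is_current(configured, metadata_xml):
    """True if the configured thumbprint matches a signing cert in the metadata."""
    return normalize_thumbprint(configured) in signing_thumbprints(metadata_xml)

# --- Constructed sample: placeholder bytes stand in for real DER certificates ---
SAMPLE_CERTS = [b"constructed-signing-cert-A", b"constructed-signing-cert-B"]

def _key(raw, use="signing"):
    b64 = base64.b64encode(raw).decode()
    return ('<KeyDescriptor use="%s"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
            '%s\n  %s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>'
            % (use, b64[:10], b64[10:]))

SAMPLE_METADATA = (
    '<EntityDescriptor xmlns="%s" xmlns:ds="%s">' % (MD, DS)
    + "<RoleDescriptor>" + _key(SAMPLE_CERTS[0]) + _key(SAMPLE_CERTS[1]) + "</RoleDescriptor>"
    + "<IDPSSODescriptor>" + _key(SAMPLE_CERTS[0]) + _key(b"enc-only", "encryption")
    + "</IDPSSODescriptor></EntityDescriptor>"
)

if __name__ == "__main__":
    for tp in signing_thumbprints(SAMPLE_METADATA):
        print(tp)
```

The metadata can list more than one signing certificate, so the configured value should be compared against all of them rather than only the first.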

Juraj Ondrus answered on March 8, 2024 05:07

Well, this error is not from Kentico. Have you tried searching online and e.g. tried any of the suggestions from Stack Overflow or other community portals? I would also reach out to the certificate issuer and check this with them. This does not sound like a Kentico issue.

0 votes

Surender Bollam answered on March 8, 2024 16:12

Hi Juraj,

Thanks for the response.

Please, we need your suggestion regarding which certificate we need to use to have single sign-on authentication using Azure AD for Kentico claims-based authentication. Is it from Azure or any other?

0 votes