Wednesday, May 8, 2013

An error occurred during an attempt to build the certificate chain for the relying party trust 'https://myorganization.external.com:port/' certificate identified by thumbprint "xxx..xxx"

While doing the CBA configuration in one of my installations, I got an error while accessing the URL, and in the ADFS event viewer I found the following error message:
"An error occurred during an attempt to build the certificate chain for the relying party trust 'https://myorganization.external.com:port/' certificate identified by thumbprint 'XXXXXXXX'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the relying party trust's encryption certificate revocation settings or certificate is not within its validity period."
This is caused by the server and the certificates in use: ADFS cannot verify the revocation status of the relying party's certificate chain. The fix is to set the relying party trust's EncryptionCertificateRevocationCheck to None.
Run the commands below in a Windows PowerShell window.
 
The first line, "Add-PSSnapin Microsoft.Adfs.PowerShell", loads the ADFS snap-in so the ADFS cmdlets are available; do not skip it.
Add-PSSnapin Microsoft.Adfs.PowerShell
Set-AdfsRelyingPartyTrust -TargetName "your relying party trust name" -EncryptionCertificateRevocationCheck None

Set-AdfsRelyingPartyTrust -TargetName "your relying party trust name" -SigningCertificateRevocationCheck None
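The script below is an added example and not part of the original post; it wraps the same two settings in a form that records what was configured before the change and inspects the certificate that ADFS is complaining about. The trust name is a placeholder you replace with your own.

```powershell
# Added example (not from the original post).
# Assumes: ADFS 2.0 on the server you are logged on to, and that $trustName
# is replaced with the display name of your relying party trust (placeholder).
$trustName = "your relying party trust name"

# Load the ADFS cmdlets (ADFS 2.0 snap-in; harmless if it is already loaded).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Record the current revocation settings so the change can be reverted later.
$trust  = Get-AdfsRelyingPartyTrust -Name $trustName
$before = [pscustomobject]@{
    Trust      = $trust.Name
    Encryption = $trust.EncryptionCertificateRevocationCheck
    Signing    = $trust.SigningCertificateRevocationCheck
}
"Settings before the change:"
$before | Format-List

# Check whether the encryption certificate is simply outside its validity
# period, which the event message lists as one possible cause.
$cert = $trust.EncryptionCertificate
if ($cert) {
    "Encryption cert {0}: valid {1:yyyy-MM-dd} to {2:yyyy-MM-dd}, thumbprint {3}" -f `
        $cert.Subject, $cert.NotBefore, $cert.NotAfter, $cert.Thumbprint
    if ($cert.NotAfter -lt (Get-Date)) { "Certificate is expired; renew it rather than relaxing the check." }
}

# Apply the workaround from the post: disable revocation checking for this trust.
Set-AdfsRelyingPartyTrust -TargetName $trustName `
    -EncryptionCertificateRevocationCheck None `
    -SigningCertificateRevocationCheck None

# Confirm the new values.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, EncryptionCertificateRevocationCheck, SigningCertificateRevocationCheck
```

None switches revocation checking off entirely for that trust. The same parameters also accept CheckEndCert, CheckChain, CheckChainExcludeRoot and their CacheOnly variants, which keep part of the check in place; if a less drastic value clears the error, prefer it, and keep the recorded "before" values so the original setting can be restored once the certificate or CRL problem is fixed.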

Now, if you try again, you should be able to log in.

If you still get the credential prompt again and again, follow these steps:
Open regedit and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
Inside this key, create a DWORD value named "DisableLoopbackCheck" and set its value to 1.
Then do an IIS reset if needed.
Do this on the ADFS server and also on the CRM server if they are different machines.
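The following is an added example, not from the original post, showing the same registry change done from an elevated PowerShell prompt, with the current value shown first and the narrower BackConnectionHostNames alternative included. The host name in the alternative is a placeholder.

```powershell
# Added example (not from the original post). Run elevated on the ADFS server
# and on the CRM server if they are separate machines.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Show the current state before changing it (nothing is printed if the value is absent).
Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck -ErrorAction SilentlyContinue

# Create (or overwrite) the DWORD value and set it to 1, as the post describes.
New-ItemProperty -Path $lsa -Name DisableLoopbackCheck -PropertyType DWord -Value 1 -Force | Out-Null

# Confirm the value was written.
(Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck).DisableLoopbackCheck

# Narrower alternative (assumption: your ADFS/CRM host names replace the placeholder):
# instead of disabling the loopback check for every name, list only the names
# that must be allowed. Leave DisableLoopbackCheck out if you use this instead.
# New-ItemProperty -Path "$lsa\MSV1_0" -Name BackConnectionHostNames `
#     -PropertyType MultiString -Value @('adfs.example.com') -Force | Out-Null

# Restart IIS so the web applications pick up the change.
iisreset
```

DisableLoopbackCheck turns off the loopback check for every host name on the machine, which is why the BackConnectionHostNames list is usually the better choice when only one or two names are involved.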

Regards,
Sudhanshu

3 comments:

  1. Very good article. I missed reading this when I got a similar issue and got it rectified through a Microsoft support engineer, who used the same procedure.
    George

  2. But revoking the check, is it the right thing to do? You are essentially asking the system to keep using revoked/expired certificates. Does this put your system at risk of a security attack?