Friday, February 10, 2012

Windows Azure and ACS - ID1024: The configuration property value is not valid. Property name: 'serviceCertificate'

Total there are 2 errors which I have seen getting resolved with following information I am providing.
If you are using Azure Web Role with Azure ACS configured ADFS authentication then you may receive any of the following 2 errors –
1.     Parser Error Message: ID1024: The configuration property value is not valid.
Property name: 'serviceCertificate'
Error: 'ID1039: The certificate's private key could not be accessed. Ensure the access control list (ACL) on the certificate's private key grants access to the application pool user

2.     The X.509 certificate CN=companyinacloud.accesscontrol.windows.net is not in the trusted people store. The X.509 certificate CN=companyinacloud.accesscontrol.windows.net chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
I will be discussing the steps I followed which worked for me. Hope it will help to you as well. Here is the solution.
Make sure that the certificate stored in LocalMachine My store should be same as the certificate present in ACS namespace created on Azure Management Portal. If you see the exception details closely then in above 1st error you will observe a description that says - The certificate's private key could not be accessed. Ensure the access control list (ACL) on the certificate's private key grants access to the application pool user.
In Full IIS mode, the web application will run in IIS under NetworkService account. In local machine, NetworkService account does not have privilege to access private key. So our solution will be to provide access to Network Service so that certificate private key can be accessed.
Microsoft has released a certificate configuration tool WinHttpCertCfg.exe which can be used for providing access of private key to any user. First of all download winhttpcertcfg.msi and install it. Copy and paste the path where it gets installed. In my machine it got installed under - C:\Program Files (x86)\Windows Resource Kits\Tools
After installation open command prompt in administrator mode and change execution path to WinHttpCertCfg installation path. Then fire command as shown below [make sure that user name Network Service is within quotes] –
C:\Program Files (x86)\Windows Resource Kits\Tools>winhttpcertcfg   -g   -c   LOCAL_MACHINE\My   –s CertificatenameWithoutExtension  -a   "Network Service"

This command provides access rights to Network Service user for accessing my store private keys and hence error should be gone.
Hope this helps.
Cheers…
Happy Accessing!!!

1 comment:

  1. Thank you thank you thank you!
    I have been hitting brick walls everywhere on getting my ID1024 issue fixed and your info regarding WinHttpCertCfg saved me!

    ReplyDelete