WindowsLive Certificate verification fails

Article ID: 37647

Products

CA Risk Analytics
CA Secure Cloud SaaS - Arcot A-OK (WebFort)
CLOUDMINDER ADVANCED AUTHENTICATION
CA Secure Cloud SaaS - Advanced Authentication
CA Secure Cloud SaaS - Identity Management
CA Secure Cloud SaaS - Single Sign On

Issue/Introduction

Issue:

We have configured a new federation setup for the WindowsLive social media application. While we are trying to authenticate, it throws a 500 error.

In the logs we are getting a javax.net.ssl.SSLException: Certificate not verified exception. We are using the certificate from the URL https://login.live.com

Environment:

CA Secure Cloud 1.5X

Cause:

This happens because the certificate chain required for the authentication to succeed is not that of login.live.com, but that of https://apis.live.net/v5.0/me , the UserInfo endpoint the policy server actually calls. In particular, the Microsoft, Baltimore and GTE_Cyber_Trust certificates need to be added to the root CA store. Also make sure that the VeriSign and Symantec certificates are added to the root CA store in the cspadmin console.

If the error is caused by this missing certificate chain, the federation trace will show lines like the following:

[01/22/2016][07:56:35][3755][78584688][1c0224c4-aab83f1f-a9958590-cb735e20-77e2158c-0ae][OAuthTunnelClient][handleAuthzServerRetrieval][Authorization Server Info: {SMCOverrideProtectionLevel=false, PartnershipName=WindowsLive_OAuth_Shell_Partnership, UserInfoURL=https://apis.live.net/v5.0/me,

[01/22/2016][07:56:37][3755][78584688][1c0224c4-aab83f1f-a9958590-cb735e20-77e2158c-0ae][MessageDispatcher.java][dispatchMessage][Dispatcher object thrown unknown exception while processing the message. Message: Certificate not verified..]

[01/22/2016][07:56:37][3755][78584688][1c0224c4-aab83f1f-a9958590-cb735e20-77e2158c-0ae][MessageDispatcher.java][dispatchMessage][Exception:javax.net.ssl.SSLException: Certificate not verified.

Resolution:

Access https://apis.live.net/v5.0/me with any browser. Once on the site, click the padlock in the browser, view the certificates and export all of them (the site certificate and every certification authority in its chain). Install the site certificate in the Trusted Sites store in the csp console, and the certification authorities from the chain in the CA store. Restart the policy server so that the new certificates are picked up correctly.
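The browser export above can also be done from a shell, which makes it easier to see exactly which chain the endpoint presents and to check, before touching the csp console, whether your exported CA store is actually able to verify it. The script below is an added example and is not part of the CA article or product; it assumes the openssl command-line tool is installed and that the host and port given are the endpoint named in the article (apis.live.net, 443). The import into the Trusted Sites and CA stores of the csp console remains a manual step.

```bash
#!/bin/sh
# Added example (not from the CA article): fetch the certificate chain a TLS
# endpoint really presents, split it into one PEM file per certificate, and
# check that the leaf verifies against a given set of trusted CAs.
# Assumes: openssl CLI is installed; outbound TCP to the endpoint is allowed.

# fetch_chain HOST PORT OUTFILE
# Writes every certificate the server sends (leaf first) into OUTFILE as PEM.
fetch_chain() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$3"
}

# split_pem_bundle BUNDLE OUTDIR
# Writes OUTDIR/cert-1.pem, OUTDIR/cert-2.pem, ... and prints the number of
# certificates found. cert-1.pem is the site (leaf) certificate.
split_pem_bundle() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
    n > 0                         { print > out }
    /-----END CERTIFICATE-----/   { close(out) }
    END                           { print n + 0 }
  ' "$1"
}

# describe_chain OUTDIR
# Prints subject and issuer of each split certificate so you can see which
# CA names (e.g. Microsoft, Baltimore, GTE CyberTrust) have to be in the CA store.
describe_chain() {
  for f in "$1"/cert-*.pem; do
    printf '%s\n' "$f"
    openssl x509 -in "$f" -noout -subject -issuer
  done
}

# verify_chain OUTDIR TRUSTED_CAS_PEM
# Treats cert-2.pem onwards as untrusted intermediates and checks whether the
# leaf chains to a root in TRUSTED_CAS_PEM. A non-zero exit here is the
# command-line equivalent of the policy server's "Certificate not verified".
verify_chain() {
  leaf="$1/cert-1.pem"
  untrusted=""
  for f in "$1"/cert-*.pem; do
    [ "$f" = "$leaf" ] && continue
    untrusted="$untrusted -untrusted $f"
  done
  # word-splitting of $untrusted is intended: it expands to repeated -untrusted FILE pairs
  openssl verify -CAfile "$2" $untrusted "$leaf"
}

# Usage: sh fetch_chain.sh apis.live.net 443 /path/to/exported-ca-store.pem
if [ "$#" -ge 2 ]; then
  fetch_chain "$1" "$2" chain.pem
  count=$(split_pem_bundle chain.pem chain)
  echo "server sent $count certificate(s)"
  describe_chain chain
  if [ -n "${3:-}" ]; then
    verify_chain chain "$3" && echo "chain verifies against $3" \
      || echo "chain does NOT verify: a CA in the chain is missing from $3"
  fi
fi
```

Run it once against the endpoint with the PEM export of your current CA store as the third argument: if verify_chain fails, the describe_chain output names the issuing CAs that still have to be imported into the CA store before restarting the policy server.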

Additional Information:

For a guide on how to set up a Windows Live OAuth partnership, see:

https://support.ca.com/phpdocs/1/8231/runbooks/CASM-MicrosoftWindowsLiveIDPFederationRunbook-ver1.pdf

Environment

Release: CLDIDM99000-1.5-Identity Manager SaaS-for Business Users