
ADFS through TMG. Relying party trust certificate keeps giving me errors


Hello all,

I'm trying to use ADFS as a brand new install to authenticate us to our web scanning provider. I have set up ADFS with a relying party trust and I can access my XML path using

https://myserver.domain.com/adfs/ls/federationserverservice.asmx

This displays my XML file as it should. I've got this running internally and then published through TMG in our DMZ. I've set up TMG with the correct copies of the certificate and everything seems fine. I've also followed the setup of the relying party trust to the letter. However, when I try an authentication attempt using their software I get the generic 'there was a problem accessing the site. try to browse the site again, if the problem persists' etc. etc.

I take a look at my event log for ADFS and I've turned tracing on. What's happening is that the relying party trust certificate I installed (and which is marked as 'this certificate is OK') is continually spitting out the errors below.

I do know that the certificate is actually good, but something is going strange here with the CRL. This certificate for the relying party trust was NOT imported to my TMG box at all (because I find no articles anywhere that suggest it should be). I have also not imported my token signing certificate for the same reason. The web server certificate of the ADFS box itself has been added to TMG, and when I access the ADFS XML path it reports as having a signed cert, so I presume that is OK.

A certificate used while validating the token is invalid.

Exception details:

MSIS3015: The signing certificate of the claims provider trust 'zscaler.net' identified by thumbprint 'FED50D8B82FBCA3F37823704BD2D46D08909D7F6' is not valid. It might indicate that the certificate has been revoked, has expired, or that the certificate chain is not trusted.

followed by

Microsoft.IdentityServer.Service.SecurityTokenService.RevocationValidationException: MSIS3015: The signing certificate of the claims provider trust 'zscaler.net' identified by thumbprint 'FED50D8B82FBCA3F37823704BD2D46D08909D7F6' is not valid. It might indicate that the certificate has been revoked, has expired, or that the certificate chain is not trusted.

Any help would be great, I'm going crazy staring at this now.
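MSIS3015 is raised when AD FS cannot build a trusted, non-revoked chain for the trust's signing certificate, and the check it performs is governed by the trust's SigningCertificateRevocationCheck setting. The script below is an added diagnostic, not part of the original post: run on the AD FS server, it finds the trust carrying the thumbprint from the event, repeats the same chain build with .NET's X509Chain under the trust's revocation mode, and prints the chain status and the CRL distribution points the server must be able to reach (through TMG). It assumes the AD FS PowerShell snap-in or module is installed and that the trusts expose TokenSigningCertificates / RequestSigningCertificate as in the standard cmdlets.

```powershell
# Added diagnostic for MSIS3015 (not from the original post). Run on the AD FS server.
param(
    [string]$Thumbprint = 'FED50D8B82FBCA3F37823704BD2D46D08909D7F6'  # thumbprint quoted in the event
)

# AD FS 2.0 ships a snap-in; later versions ship a module.
if (Get-Module -ListAvailable -Name ADFS) { Import-Module ADFS } else { Add-PSSnapin Microsoft.Adfs.PowerShell }

# The event names a claims provider trust although a relying party trust was configured,
# so collect signing certificates from both trust types.
$entries = @()
foreach ($cp in Get-AdfsClaimsProviderTrust) {
    foreach ($c in $cp.TokenSigningCertificates) {
        $entries += New-Object PSObject -Property @{ Kind = 'ClaimsProvider'; Name = $cp.Name; Check = "$($cp.SigningCertificateRevocationCheck)"; Cert = $c }
    }
}
foreach ($rp in Get-AdfsRelyingPartyTrust) {
    foreach ($c in $rp.RequestSigningCertificate) {
        $entries += New-Object PSObject -Property @{ Kind = 'RelyingParty'; Name = $rp.Name; Check = "$($rp.SigningCertificateRevocationCheck)"; Cert = $c }
    }
}

$hits = $entries | Where-Object { $_.Cert.Thumbprint -eq $Thumbprint }
if (-not $hits) { Write-Warning "No trust carries a signing certificate with thumbprint $Thumbprint"; return }

foreach ($t in $hits) {
    "{0} trust '{1}': revocation setting = {2}" -f $t.Kind, $t.Name, $t.Check
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Mirror the AD FS setting: None skips CRL checks, *CacheOnly variants never fetch,
    # everything else fetches CRL/OCSP online (this is the step a proxy can block).
    $chain.ChainPolicy.RevocationMode = switch -Wildcard ($t.Check) {
        'None'       { 'NoCheck' }
        '*CacheOnly' { 'Offline' }
        default      { 'Online' }
    }
    $chain.ChainPolicy.RevocationFlag = switch -Wildcard ($t.Check) {
        'CheckEndCert*'          { 'EndCertificateOnly' }
        'CheckChainExcludeRoot*' { 'ExcludeRoot' }
        default                  { 'EntireChain' }
    }
    $built = $chain.Build($t.Cert)
    "  chain builds cleanly: $built"
    foreach ($s in $chain.ChainStatus) { "  status: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim() }
    foreach ($e in $chain.ChainElements) { "  element: {0}" -f $e.Certificate.Subject }
    # CRL Distribution Points (OID 2.5.29.31): the URLs the AD FS server must reach for an online check.
    foreach ($x in ($t.Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' })) { "  CDP: " + $x.Format($true).Trim() }
}
```

A status of RevocationStatusUnknown or OfflineRevocation with an otherwise valid chain points at the CRL fetch itself, so the CDP URLs printed last are what to test from the AD FS server.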

