Question

My client wants the SharePoint web application to be authenticated using the SiteMinder claims-based STS web service agent. When the web app starts and the authentication provider is selected, the web app redirects to a login page, and with the correct credentials it should redirect back to the site. What is happening is that, with the correct credentials, the SharePoint web application returns the following error:

Any clue what might be the reason? I am happy to assist if additional information is required.

NotSignatureValid: The signature of the certificate cannot be verified. 1048576: Unknown error.

Exception Details:

System.IdentityModel.Tokens.SecurityTokenValidationException: NotSignatureValid: The signature of the certificate cannot be verified. 1048576: Unknown error.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[SecurityTokenValidationException: NotSignatureValid: The signature of the certificate cannot be verified. 1048576: Unknown error.]
   Microsoft.SharePoint.SPImmutableCertificateValidator.Validate(X509Certificate2 certificate) +181
   Microsoft.SharePoint.SPCertificateValidator.Validate(X509Certificate2 certificate) +260
   Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token) +520

[SecurityTokenValidationException: ID4257: X.509 certificate 'E=user@domain.com, CN=certName, OU=WHQ, O=CSC, L=Chantilly, S=Virigina, C=US' validation failed by the token handler.]
   Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token) +1358733
   Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri) +118
   Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request) +461
   Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +1099702
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171


Solution

Solution Time!

Special thanks to @gtrig for tipping me off about the real issue behind the error.

Why the Error

The error is caused by a Microsoft security patch (KB2661254) that adds a restriction to certificate validation. This patch requires the certificate's RSA key to be greater than or equal to 1024 bits. The given siteminder.cer contains a 512-bit RSA key. The following link explains the issue in detail.

http://blogs.technet.com/b/rmilne/archive/2012/09/03/important-upcoming-certificate-changes.aspx

The solution in detail is here. http://support.microsoft.com/kb/2661254

But for me, adding only the following registry key did the trick: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config

minRSAPubKeyBitLength : Decimal 512

To apply this registry modification, open a command prompt (make sure the user has admin privileges; otherwise start the command prompt in Administrator mode) and execute

certutil -setreg chain\minRSAPubKeyBitLength 512

However, I would recommend reading through the entire solution at the above link in depth to find a solution unique to your situation.

Important: This is not a recommended approach in a client environment, as it may compromise the security of the server environment.

The recommended solution is to have a new certificate created with at least the minimum key size of 1024 bits (although 2048 is recommended).
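As an added diagnostic that is not part of the answer above, the following Windows PowerShell script reads the RSA key size of the token-signing certificate and the minRSAPubKeyBitLength override (if any) under the registry key the answer names, then reports whether the chain engine would reject the certificate. The file name siteminder.cer and the 1024-bit default come from the answer; the script and its parameter name are my own.

```powershell
param(
    # Path to the STS token-signing certificate; 'siteminder.cer' is the file from the answer.
    [string]$CertPath = '.\siteminder.cer'
)

# Registry location from the answer; certutil -setreg chain\... writes to the same key.
$regPath    = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config'
$defaultMin = 1024   # minimum RSA key length enforced by KB2661254 when no override exists

# Load the certificate (public part only; no private key is needed for this check).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Resolve-Path $CertPath)

$keyAlgorithm = $cert.PublicKey.Oid.FriendlyName
if ($keyAlgorithm -ne 'RSA') {
    throw "Certificate uses $keyAlgorithm, not RSA; the minRSAPubKeyBitLength check does not apply."
}
# Windows PowerShell (.NET Framework) exposes the RSA public key here, including its bit length.
$keySize = $cert.PublicKey.Key.KeySize

# Read the override the answer sets; an absent value means the patch default applies.
$override = $null
if (Test-Path -LiteralPath $regPath) {
    $props = Get-ItemProperty -LiteralPath $regPath -Name 'minRSAPubKeyBitLength' -ErrorAction SilentlyContinue
    if ($props) { $override = [int]$props.minRSAPubKeyBitLength }
}
$effectiveMin = if ($override) { $override } else { $defaultMin }

# Report the comparison the chain engine makes when validating the token-signing certificate.
New-Object PSObject -Property @{
    Subject          = $cert.Subject
    KeyAlgorithm     = $keyAlgorithm
    KeySizeBits      = $keySize
    OverridePresent  = [bool]$override
    EffectiveMinBits = $effectiveMin
    WouldBeRejected  = ($keySize -lt $effectiveMin)
}
```

A result of WouldBeRejected = True with OverridePresent = False reproduces the NotSignatureValid failure from the question; if the key is below 1024 bits, replacing the certificate is the fix rather than lowering the override.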

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow