We are hitting an intermittent problem on an Azure Website (ASP.NET MVC) that talks to a service protected by a Security Token Service.
The site works fine 99% of the time, but occasionally it runs into this problem. Restarting the Azure Website usually resolves it, but an hour or so later it starts again.
The error we basically get is:
System.IdentityModel.Tokens.SecurityTokenValidationException: ID4257: X.509 certificate '[cert info here]' validation failed by the token handler.
---> System.IdentityModel.Tokens.SecurityTokenValidationException: The X.509 certificate [cert info here] is not in the trusted people store.
The X.509 certificate [cert info here] chain building failed. The certificate that was used has a trust chain that cannot be verified.
Replace the certificate or change the certificateValidationMode. A certificate chain could not be built to a trusted root authority.
at System.IdentityModel.Selectors.X509CertificateValidator.PeerOrChainTrustValidator.Validate(X509Certificate2 certificate)
at Microsoft.IdentityModel.X509CertificateValidatorEx.Validate(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
--- End of inner exception stack trace ---
at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
The important thing to note here is that the certificate is absolutely valid, has a valid trust chain that builds to a standard trusted root authority, and we haven't changed anything!
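The validator named in the stack trace, PeerOrChainTrustValidator, accepts a certificate either because it is present in the TrustedPeople store (exact thumbprint match) or because a chain can be built from it to a trusted root on the machine doing the validation. The following diagnostic is an added example, not code from the original post or from WIF; it reproduces that two-step check with the same .NET APIs so the result can be compared on the Azure Website instance that produces ID4257. It assumes .NET Framework 4.x, that the STS signing certificate from the error message is available as a file (the path is a placeholder), and that it is run on the failing host so it sees the same certificate stores and network path to any CRL/OCSP endpoints.

```csharp
// Added diagnostic example (not from the original post or from WIF).
// Mirrors PeerOrChainTrustValidator: accept if the certificate is in the
// TrustedPeople store, otherwise require a chain to a trusted root.
// Assumptions: .NET Framework 4.x; the STS signing certificate is supplied as
// a .cer file (placeholder path below); run on the host that reports ID4257.
using System;
using System.Security.Cryptography.X509Certificates;

static class PeerOrChainTrustCheck
{
    // Peer trust: an exact thumbprint match in TrustedPeople, never a name match.
    static bool IsInTrustedPeople(X509Certificate2 cert, StoreLocation location)
    {
        X509Store store = new X509Store(StoreName.TrustedPeople, location);
        try
        {
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, cert.Thumbprint, false);
            return found.Count > 0;
        }
        finally
        {
            store.Close();
        }
    }

    // Chain trust: build a chain with the given revocation mode and print every
    // element and status so a missing intermediate/root can be told apart from a
    // revocation lookup that could not complete.
    static bool TryBuildChain(X509Certificate2 cert, X509RevocationMode revocation)
    {
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = revocation;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        bool ok = chain.Build(cert);

        Console.WriteLine(string.Format("Chain build (revocation={0}): {1}",
            revocation, ok ? "OK" : "FAILED"));
        foreach (X509ChainElement element in chain.ChainElements)
            Console.WriteLine(string.Format("  element: {0} [{1}]",
                element.Certificate.Subject, element.Certificate.Thumbprint));
        foreach (X509ChainStatus status in chain.ChainStatus)
            Console.WriteLine(string.Format("  status: {0} - {1}",
                status.Status, status.StatusInformation.Trim()));
        return ok;
    }

    static void Main(string[] args)
    {
        // Placeholder: path to the signing certificate quoted in the ID4257 message.
        string path = args.Length > 0 ? args[0] : @"C:\temp\sts-signing.cer";
        X509Certificate2 cert = new X509Certificate2(path);

        Console.WriteLine("Subject:    " + cert.Subject);
        Console.WriteLine("Thumbprint: " + cert.Thumbprint);
        Console.WriteLine(string.Format("Validity:   {0:u} to {1:u}", cert.NotBefore, cert.NotAfter));

        bool peer = IsInTrustedPeople(cert, StoreLocation.LocalMachine)
                 || IsInTrustedPeople(cert, StoreLocation.CurrentUser);
        Console.WriteLine("In TrustedPeople store: " + peer);

        // Build twice: with online revocation checking and with none. If only the
        // online build fails, the chain itself is fine and the CRL/OCSP fetch is
        // what is not completing on this host.
        bool chainOnline = TryBuildChain(cert, X509RevocationMode.Online);
        bool chainNoCheck = TryBuildChain(cert, X509RevocationMode.NoCheck);

        Console.WriteLine(peer || chainOnline
            ? "PeerOrChainTrust would ACCEPT this certificate"
            : "PeerOrChainTrust would REJECT this certificate");
        if (!chainOnline && chainNoCheck)
            Console.WriteLine("Chain is sound; the failure is confined to revocation checking.");
    }
}
```

Running it from the site's own environment (for example a console on the instance) at a moment when the site is failing, and again after a restart, shows which of the two branches the handler is actually taking and which ChainStatus flags differ between the good and bad state.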