I’m using the Access Control Service (ACS) from Azure on several demo websites to authenticate my visitors through Google, Live ID, Facebook and Yahoo. With ACS and claims, my user management becomes really simple.
But suddenly my solution stopped working, exactly a year (and a day) after deploying… Hmm, so let’s find out what happened.
The error message on the screen was: ACS50000: There was an error issuing a token.
The inner message: ACS50004: No primary X.509 signing certificate is configured. A signing certificate is required for SAML.
The ACS Management Portal
The Access Control Service is managed through its own management site: <your_acs_namespace>.accesscontrol.windows.net
There is a menu called “Certificates and Keys”; check the status of the Symmetric Key and the X.509 Certificate there. Both should be marked as Valid (Primary), but in my case both were invalid because they had expired.
For the symmetric key it is possible (but not recommended) to extend the expiration date. For the certificate this isn’t an option, so we need to create a new one with a validity of 1 year. Follow the steps in the portal: create a certificate with MakeCert, export it to a file, and import that file into ACS.
This creates a new problem: the application (relying party) only recognizes the old certificate, so we need to update the application with the new certificate information as well. Add the new certificate thumbprint to the web.config file.
How to prevent these failures on a production site
We need to add a new certificate a few months in advance, before the old certificates expire. By adding the new certificate and marking it as “Secondary” we can gradually update all applications to trust both certificates, and later make the switch by marking the new certificate as “Primary”.
This takes some planning in advance; the complete steps are here: http://msdn.microsoft.com/en-us/library/windowsazure/hh204521.aspx
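What the rollover looks like on the relying party side, as an added example that is not part of the original post: a trimmed web.config for a WIF (Microsoft.IdentityModel 3.5) application that trusts both the old and the new ACS signing certificate at the same time, so tokens signed by either one validate while the switch from Secondary to Primary is made in ACS. The namespace, the realm URL and the two thumbprints are placeholders; the issuerNameRegistry type name and element structure are the standard WIF ones.

```xml
<configuration>
  <configSections>
    <!-- WIF 3.5 configuration section (standard registration) -->
    <section name="microsoft.identityModel"
             type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>
  <microsoft.identityModel>
    <service>
      <audienceUris>
        <!-- placeholder realm of the relying party -->
        <add value="https://www.example.com/" />
      </audienceUris>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true"
                      issuer="https://YOUR_ACS_NAMESPACE.accesscontrol.windows.net/v2/wsfederation"
                      realm="https://www.example.com/"
                      requireHttps="true" />
        <cookieHandler requireSsl="true" />
      </federatedAuthentication>
      <!-- A token is accepted only if it was signed by a certificate whose
           thumbprint is listed here. During the rollover BOTH certificates
           are listed; once every application trusts the new one and it has
           been marked Primary in ACS, remove the old entry. -->
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <!-- current (expiring) ACS signing certificate: placeholder thumbprint -->
          <add thumbprint="OLD_CERT_THUMBPRINT_40_HEX_CHARS"
               name="https://YOUR_ACS_NAMESPACE.accesscontrol.windows.net/" />
          <!-- new certificate, uploaded to ACS as Secondary: placeholder thumbprint -->
          <add thumbprint="NEW_CERT_THUMBPRINT_40_HEX_CHARS"
               name="https://YOUR_ACS_NAMESPACE.accesscontrol.windows.net/" />
        </trustedIssuers>
      </issuerNameRegistry>
    </service>
  </microsoft.identityModel>
</configuration>
```

The thumbprint must be the plain 40-character SHA-1 hex string; copying it out of the Windows certificate dialog tends to bring along spaces and an invisible leading Unicode character, which makes the issuer lookup fail with an “untrusted issuer” error that looks a lot like the expiry problem described above, so paste it into a plain-text editor and strip it first. Keeping the old entry until the switch is complete is what makes the upgrade rolling; removing it afterwards is what stops a compromised or leaked old key from still being accepted.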
For a complete set of all ACS error codes: http://msdn.microsoft.com/en-us/library/windowsazure/gg185949.aspx
- Regenerate your symmetric keys at least every 2 years.
- Certificate lifetimes should not be more than 1 year.
- Do rolling upgrades on all keys.
- Create a test page which displays extra information for troubleshooting.
- Don’t forget the management service has its own set of keys (which also expire).