How to Fix Error ACS50017
Published: February 13, 2013
Updated: February 21, 2014
Applies To: Azure
This topic provides information about possible causes of and solutions for the ACS50017 error.
ACS returns ACS50017 when it cannot build a certificate chain for the token-signing certificate of a trusted identity provider, such as a trusted AD FS server. This error occurs under the following conditions.
ACS cannot validate the certificate that was used to generate the digital signature on a token from the identity provider.
A commercial certificate in the certificate chain does not have the "Access Method=Certification Authority Issuer" entry in its Authority Info Access extension, which carries the URL of the immediate parent certificate.
ACS cannot retrieve the intermediate certificates needed to verify the trust chain up to the root certification authority.
For more information about ACS error codes, see ACS Error Codes.
ACS50017 typically appears inside a larger error message that usually also contains the ACS50008 error, for example:

    ACS20001: An error occurred while processing a WS-Federation sign-in
    Inner message: ACS50008 : SAML token is invalid
    ACS50017: Certificate validation failed for certificate '<Certificate subject name>' issued by '<Certificate issuer name>'.
    StatusInformation: 'A certificate chain could not be built to a trusted root authority.'
    X509ChainStatusFlags: 'PartialChain'
ACS requires that commercial certificates acquired from a trusted certification authority include an "Authority Info Access" with "Access Method=Certification Authority Issuer" extension. The extension value must include a URL that links to a publicly available downloadable copy of its parent certificate (.crt). This requirement applies to every certificate in the certificate chain, except for the root certificate and its immediate child certificate. ACS returns the ACS50017 error if these conditions are not met.
The following shows the format of the Certification Authority Issuer entry for a fictitious certificate, as displayed by Windows certificate tools:

    Authority Info Access
        Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
        Alternative Name:
            URL=http://pki.fabrikam.org/Certificate/Fabrikam_RCA.crt
ACS downloads and caches certificates in an intermediate certificate store on the ACS virtual machines (VM). The intermediate certificate remains available on the VM until the VM is recycled. The cache improves performance and allows ACS to access the intermediate certificate even when network issues prevent it from contacting the root certification authority.
ACS returns the ACS50017 error when no entry for the certificate is found in the intermediate certificate store (cache) on the VM and the network call to download it from the certification authority's Authority Info Access URL fails. The ACS50017 error can occur intermittently because the Windows Azure load balancer may direct a request to an ACS VM that has not yet cached the intermediate certificate for the identity provider.
Use any of the following methods to resolve the problem and prevent a recurrence of the error.
If there is a problem with a commercial certificate in the certificate chain, you can substitute a self-signed certificate for the commercial certificate. For more information, see Certificates and Keys.
If a certificate in the certificate chain does not include the required "Access Method=Certification Authority Issuer" entry, or the entry does not include a URL, or the URL does not link to a publicly available copy of the parent certificate, you need to replace the certificate.
If the certificate has all of the required elements, but ACS cannot download the parent certificate after three attempts, the download might be timing out because of temporary network conditions or a problem at the certification authority's server. The certificate provider might be able to improve the availability or response time of the URL.
Retry the request. If the load balancer directs the request to a VM that has the cached certificate or a connectivity issue that prevented access to the certification authority is resolved, requests that previously failed will succeed.
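The following PowerShell script is an added example and is not part of the original page or of ACS itself. It reproduces, on a Windows machine, the checks that the requirements above describe: it builds the chain for the identity provider's token-signing certificate with .NET X509Chain (which follows Authority Info Access URLs the same way Windows CryptoAPI does), reports any PartialChain status, and then, for every certificate below the root, confirms that the Certification Authority Issuer URL is present, reachable, and actually serves the issuing certificate. The file path is a hypothetical assumption; export the signing certificate from AD FS (or from the federation metadata) to that location first.

```powershell
# Added example, not from the original page. Assumes the identity provider's
# token-signing certificate has been exported to the hypothetical path below
# and that this machine can reach the AIA URLs over HTTP.
$certPath = 'C:\certs\adfs-token-signing.cer'
$x509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$x509.X509Certificate2" $certPath

# 1. Build the chain the way ACS does, letting CryptoAPI follow the AIA URLs.
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
$built = $chain.Build($cert)
Write-Host "Chain built: $built"
foreach ($s in $chain.ChainStatus) {
    # 'PartialChain' here is the same X509ChainStatusFlags value quoted in the ACS50017 message.
    Write-Host ("  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
}

# 2. Walk every element and check the Certification Authority Issuer URL.
$aiaOid = '1.3.6.1.5.5.7.1.1'   # Authority Info Access extension
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$web = New-Object System.Net.WebClient
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    Write-Host "`n$($c.Subject)`n  issuer: $($c.Issuer)"
    if ($c.Subject -eq $c.Issuer) { Write-Host '  self-signed root; no parent to fetch'; continue }

    $aia = $c.Extensions | Where-Object { $_.Oid.Value -eq $aiaOid }
    if (-not $aia) {
        if ($c.Issuer -eq $root.Subject -and $root.Subject -eq $root.Issuer) {
            Write-Host '  no Authority Info Access, but issued directly by the root; not required'
        } else {
            Write-Host '  FAIL: no Authority Info Access extension'
        }
        continue
    }

    # Format($true) renders the extension as the certutil-style text shown above.
    # Take the URL that follows the "Certification Authority Issuer" access method,
    # stopping at the next "[n]" entry so an OCSP URL is not picked up by mistake.
    $text = $aia.Format($true)
    $m = [regex]::Match($text, 'Certification Authority Issuer[^\[]*?URL=(\S+)')
    if (-not $m.Success) { Write-Host '  FAIL: no Certification Authority Issuer URL in AIA'; continue }
    $url = $m.Groups[1].Value
    Write-Host "  caIssuers URL: $url"

    # 3. Download the parent as ACS would and confirm it is really the issuer.
    try {
        $bytes = $web.DownloadData($url)
        $parent = New-Object "$x509.X509Certificate2" (,$bytes)
        if ($parent.Subject -eq $c.Issuer) {
            Write-Host "  OK: URL serves the issuer '$($parent.Subject)'"
        } else {
            Write-Host "  FAIL: URL serves '$($parent.Subject)', expected '$($c.Issuer)'"
        }
    } catch {
        Write-Host "  FAIL: could not download or parse the parent certificate: $($_.Exception.Message)"
    }
}
```

Run it on a machine that does not already have the intermediate certificates in its Intermediate Certification Authorities store, otherwise CryptoAPI will satisfy the chain from the local store and hide the download problem that a freshly recycled ACS VM would hit. A FAIL on any element below the root corresponds to the "replace the certificate" case above; a download that only fails intermittently corresponds to the timeout case. The built-in `certutil -verify -urlfetch <file.cer>` command performs a similar walk and is a quick cross-check.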