Using WCF STS Bootstrap token in SharePoint 2010 (thinktecture identity server as sts and ActAs)


Has anybody used bootstrap tokens inside SharePoint 2010 when using a custom STS. I've been struggling with this for a few hours now. Whenever I issue the RST I get the following error message:

ID4257: X.509 certificate 'CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US' validation failed by the token handler. 

I'm using SharePoint 2010 with Thinktecture Identity Server as my STS, and am trying to call a WCF service with delegation. I have this all working fine, but I just can't get delegation working using the bootstrap token.

I'm guessing that SharePoint must be encrypting the bootstrap token somehow?! Any help or pointers?

2

There are 2 answers

1
Matt Whetton On

This was partially resolved by adding the SharePoint STS certificate as an encrypting certificate to the STS. Also, using SPSecurityContext.SecurityTokenForContext seems to have helped in getting the ActAs token, but I'm not 100% convinced I've got it all working yet!

0
Balaji Gunasekaran On

You can still solve this problem by using your own encryption certificate and not the SharePoint STS one.

This exception is raised by the SecurityTokenHandler when it tries to validate the bootstrap token and finds that the certificate in the token is not valid (default X509CertificateValidator).

The certificate present in the bootstrap token will be the SharePoint Security Token Service certificate.

Two ways to solve the problem, AFAIK:

  1. Copy the public part of the "SharePoint Security Token Service" certificate to Cert:\LocalMachine\TrustedPeople on the STS machine. You can also write your own certificate validator.

  2. Not a good solution for a production machine: set certificateValidationMode="None" in web.config.

http://msdn.microsoft.com/en-us/library/hh598384%28v=vs.110%29.aspx
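As an added illustration of the "write your own certificate validator" route from the answer above (example code, not from either answer or from Thinktecture Identity Server), this validator accepts the SharePoint STS certificate by pinned thumbprint instead of disabling validation; the thumbprint, namespace and assembly name are placeholders.

```csharp
// Added example (not from the answers above): a custom X509CertificateValidator for
// .NET 4.5 System.IdentityModel that accepts the SharePoint STS certificate by
// pinned thumbprint instead of setting certificateValidationMode="None".
// Thumbprint, namespace and assembly name are placeholders for your own farm.
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

namespace MySts.Security   // placeholder namespace
{
    public class PinnedSharePointStsValidator : X509CertificateValidator
    {
        // SHA-1 thumbprint of the "SharePoint Security Token Service" cert (placeholder).
        private const string PinnedThumbprint = "0000000000000000000000000000000000000000";

        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null)
                throw new ArgumentNullException("certificate");

            // Custom mode bypasses the built-in checks, so enforce validity dates here.
            DateTime now = DateTime.Now;
            if (now < certificate.NotBefore || now > certificate.NotAfter)
                throw new SecurityTokenValidationException(
                    "SharePoint STS certificate is outside its validity period.");

            // Compare thumbprints rather than subject names: the subject
            // 'CN=SharePoint Security Token Service' is identical in every farm,
            // so a subject match alone would accept any farm's STS certificate.
            if (!string.Equals(certificate.Thumbprint, PinnedThumbprint,
                               StringComparison.OrdinalIgnoreCase))
                throw new SecurityTokenValidationException(
                    "Certificate is not the pinned SharePoint STS certificate: " +
                    certificate.Subject);
        }
    }
}

/* Register it in the STS web.config (System.IdentityModel 4.5 configuration):

   <system.identityModel>
     <identityConfiguration>
       <certificateValidation certificateValidationMode="Custom"
           customCertificateValidatorType="MySts.Security.PinnedSharePointStsValidator, MySts" />
     </identityConfiguration>
   </system.identityModel>
*/
```

When the SharePoint STS certificate is renewed its thumbprint changes, so the pinned value has to be updated at the same time or bootstrap tokens will be rejected again.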