A certificate has been issued to the wrong site

Applies To: Windows Server 2003 R2

This problem typically occurs when you are attempting to connect to a Web site that is configured to use Active Directory Federation Services (ADFS) for single-sign-on (SSO) authentication and authorization. The user might see one of the following error messages:

  • If the resource Federation Service certificate name does not match the resource Federation Service host name, a “The page cannot be displayed” error message appears.

  • If either the account Federation Service certificate name or the Web server certificate name does not match the appropriate Federation Service host name, the following Internet Explorer warning appears: "The name on the security certificate is invalid or does not match the name of the site."

Cause

The DNS name in a Secure Sockets Layer (SSL) server authentication certificate does not match the DNS name in the appropriate Uniform Resource Locator (URL), which can be any of the following:

  • The Federation Service endpoint URL that is configured in any of the following:

    • The account Federation Service

    • The resource Federation Service

    • The Web server

  • The Federation Service URL in the ADFS Web Agent

Solution

Perform the following checks to determine where an incorrect URL exists.

  • Verify the DNS Name in the Server Authentication Certificate

  • Verify the Federation Service URL in the ADFS Web Agent

Verify the DNS Name in the Server Authentication Certificate

Use the following procedure to verify that the Domain Name System (DNS) names in the SSL server authentication certificates for account and resource federation servers match the DNS names in the Federation Service endpoint URL for the respective account and resource Federation Services.

Perform the following procedure on a federation server in both the account and resource Federation Services.

To verify the DNS name in the server authentication certificate for a federation server

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Right-click Trust Policy, and then click Properties.

  3. Under Federation Service endpoint URL, note the DNS name in the first portion of the URL, and then click Cancel.

  4. Open the server authentication certificate (ServerName.cer) for the federation server.

  5. Make sure the DNS name in Issued to is the same as the DNS name in the Federation Service endpoint URL in step 3. If the names do not match, do one of the following:

    • If the Federation Service endpoint URL is incorrect, change the value.

    • If the Issued to value in the certificate is incorrect, remove the current certificate, and then request and install a new SSL server authentication certificate using the correct DNS name.

Perform the following procedure on a Web server that is running an ADFS Web Agent.

To verify the DNS name in the server authentication certificate for a Web server

  1. Click Start, point to Administrative Tools, and then click Internet Information Services.

  2. Right-click Web Site, and then click Properties.

  3. On the Directory Security tab, under Secure Communications, click View Certificate.

  4. Make sure that the DNS name in Issued to is the same as the DNS name of the Web server.

  5. If the names do not match, remove the current certificate, and then request and install a new SSL server authentication certificate using the correct DNS name.

For information about how to request and install SSL server authentication certificates, see Public Key Infrastructure for Windows Server 2003 on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=19936).

Verify the Federation Service URL in the ADFS Web Agent

Use the following procedure to make sure that the DNS name in the Federation Service URL on the Web server that is running the ADFS Web Agent matches the DNS name in the Federation Service endpoint URL for the resource partner Federation Service.

Check the Federation Service endpoint URL value for the resource Federation Service that you noted in the preceding procedure against the Federation Service URL that is configured in the ADFS Web Agent on the Web server. The DNS names in these two URLs must match exactly.

To verify the Federation Service URL in the ADFS Web Agent

  1. To check the ADFS Web Agent in IIS (for Windows NT token-based applications):

    1. On the Web server, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

    2. Double-click YourServerName (local computer), right-click Web Sites, and then click Properties.

    3. On the ADFS Web Agent tab, under Federation Service URL, verify that the URL path specifies https://DNSNameOfResourcePartner/adfs/fs/FederationServerService.asmx.

    4. Verify that the DNS name in the first portion of the URL matches the DNS name in the Federation Service endpoint URL that you noted in step 3 of the federation server procedure.

  2. To check the ADFS Web Agent in the Web.config file (for claims-aware applications):

    1. In Notepad or another text editor, open the Web.config file that is located in the application folder on the Web server.

    2. Search for <fs>.

    3. Verify that the URL path specifies https://DNSNameOfResourcePartner/adfs/fs/FederationServerService.asmx.

    4. Verify that the DNS name in the first portion of the URL matches the DNS name in the Federation Service endpoint URL that you noted in step 3 of the federation server procedure.

  3. If the path is incorrect or if the DNS name does not match the name in Federation Service endpoint URL, either change the Federation Service URL as needed in the ADFS Web Agent, or change the Federation Service endpoint URL in the resource Federation Service.
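The comparisons from the procedures above, as an added Python example that is not part of the original Microsoft article: the host names, endpoint URLs and the Web.config layout are constructed samples, and each certificate's Issued to name is passed in as text rather than read from the .cer file.

```python
# Added example (not part of the original Microsoft article): an offline
# consistency check for the names the article says must agree.
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET
ADFS_FS_PATH = "/adfs/fs/FederationServerService.asmx"

# Constructed sample Web.config for a claims-aware application (assumed
# layout; only the <fs> element matters for this check).
SAMPLE_WEB_CONFIG = """<configuration>
  <websso>
    <fs>https://fs.contoso.example/adfs/fs/FederationServerService.asmx</fs>
  </websso>
</configuration>"""

def host_of(url):
    """Return the lower-cased DNS name in the first portion of a URL."""
    return (urlsplit(url).hostname or "").lower()

def web_agent_fs_url(web_config_xml):
    """Extract the Federation Service URL from the Web Agent's <fs> element."""
    fs = ET.fromstring(web_config_xml).find(".//fs")
    if fs is None or not (fs.text or "").strip():
        raise ValueError("Web.config has no <fs> element")
    return fs.text.strip()

def check_names(resource_endpoint_url, resource_cert_issued_to,
                account_endpoint_url, account_cert_issued_to,
                web_server_dns_name, web_cert_issued_to, web_config_xml):
    """Return one finding per mismatch the article describes (empty if all agree)."""
    findings = []
    # Each federation server certificate must be issued to its endpoint URL host.
    if host_of(resource_endpoint_url) != resource_cert_issued_to.lower():
        findings.append("resource FS certificate != resource FS endpoint host "
                        "(user sees 'The page cannot be displayed')")
    if host_of(account_endpoint_url) != account_cert_issued_to.lower():
        findings.append("account FS certificate != account FS endpoint host "
                        "(IE warns the certificate name is invalid)")
    # The Web server certificate must be issued to the Web server's own DNS name.
    if web_server_dns_name.lower() != web_cert_issued_to.lower():
        findings.append("Web server certificate != Web server DNS name "
                        "(IE warns the certificate name is invalid)")
    # The Web Agent's Federation Service URL must point at the resource FS endpoint.
    fs_url = web_agent_fs_url(web_config_xml)
    if urlsplit(fs_url).scheme != "https" or urlsplit(fs_url).path != ADFS_FS_PATH:
        findings.append("Web Agent URL is not https://<host>" + ADFS_FS_PATH)
    if host_of(fs_url) != host_of(resource_endpoint_url):
        findings.append("Web Agent URL host != resource FS endpoint host")
    return findings
```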

See Also

Concepts

Change the Federation Service endpoint URL
Set the Federation Service URL for a Windows NT token-based application
Set the Federation Service URL for a claims-aware application