Windows Identity Foundation (WIF): How to Change Certificate Chain Validation Settings for Web Applications
Summary
When you run FedUtil.exe or the Federated Extensions for SharePoint 3.0, the GUI lets you turn certificate chain validation for the token-signing certificate on or off. You may later decide that you should have turned it off, or that you need to turn it back on, without knowing what the setting looks like in the WIF relying-party (RP) application's web.config. To turn chain validation off, add this element:
<certificateValidation certificateValidationMode="None" />
It is placed inside the <service> element of the <microsoft.identityModel> section, typically directly after the closing </issuerNameRegistry> tag and before the closing </service> tag, like this:
........
    </issuerNameRegistry>
    <certificateValidation certificateValidationMode="None" />
  </service>
</microsoft.identityModel>
</configuration>
........
With "None", WIF skips X.509 validation of the token-signing certificate entirely: no chain building, no expiry check and no revocation check. The only thing that still ties a token to a trusted issuer is the thumbprint match against the <trustedIssuers> list in the <issuerNameRegistry>, so use "None" only where that thumbprint pinning is the intended control (for example, an STS with a self-signed token-signing certificate).
The certificateValidationMode attribute takes the values of the X509CertificateValidationMode enumeration: None, PeerTrust, ChainTrust, PeerOrChainTrust or Custom. To turn chain validation back on, either remove the <certificateValidation> element (the attribute is optional and the chain-trust default applies) or set the mode explicitly:
<certificateValidation certificateValidationMode="ChainTrust" />
Chain validation requires that the token-signing certificate chain to a root the web server trusts, and that the server can reach the issuing CA's CRL or OCSP endpoint unless revocation checking is turned off with the element's revocationMode attribute ("NoCheck", "Online" or "Offline").
*Note: You do not need an IISReset after this change. ASP.NET watches web.config, and any write to it restarts the application's AppDomain, which picks up the new WIF configuration at the next request. Be aware that the restart also discards in-process session state and the in-memory cache for that application.
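The following PowerShell script is an added example, not part of the original article or of FedUtil, showing how to toggle the setting described above from an administrative shell. It assumes the WIF 3.5 <microsoft.identityModel><service> layout shown above; the web.config path is a hypothetical placeholder.

```powershell
# Added example (not from the original article): set the WIF token-signing
# certificate validation mode in a relying-party web.config.
# Assumes the <configuration><microsoft.identityModel><service> layout that
# FedUtil generates. The default path below is hypothetical.
param(
    [string]$WebConfigPath = 'C:\inetpub\wwwroot\MyRpApp\web.config',
    # Only the values of the X509CertificateValidationMode enumeration are valid.
    [ValidateSet('None', 'PeerTrust', 'ChainTrust', 'PeerOrChainTrust', 'Custom')]
    [string]$Mode = 'ChainTrust'
)

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true          # keep the file's existing formatting
$xml.Load($WebConfigPath)

$service = $xml.SelectSingleNode('/configuration/microsoft.identityModel/service')
if (-not $service) {
    throw "No <microsoft.identityModel><service> section found in $WebConfigPath"
}

$node = $service.SelectSingleNode('certificateValidation')
if (-not $node) {
    # Element is optional; create it and place it after </issuerNameRegistry>,
    # where FedUtil puts it, falling back to the end of <service>.
    $node = $xml.CreateElement('certificateValidation')
    $issuerRegistry = $service.SelectSingleNode('issuerNameRegistry')
    if ($issuerRegistry) {
        [void]$service.InsertAfter($node, $issuerRegistry)
    } else {
        [void]$service.AppendChild($node)
    }
}

$previous = $node.GetAttribute('certificateValidationMode')
if (-not $previous) { $previous = '(not set, chain-trust default)' }
$node.SetAttribute('certificateValidationMode', $Mode)

# Keep a backup; saving web.config restarts the application's AppDomain.
Copy-Item -Path $WebConfigPath -Destination "$WebConfigPath.bak" -Force
$xml.Save($WebConfigPath)
Write-Host "certificateValidationMode: $previous -> $Mode"

if ($Mode -eq 'None') {
    Write-Warning 'Chain validation is off: the token-signing certificate is now trusted solely by its thumbprint in <trustedIssuers>.'
}
```

Run it with -Mode None to reproduce the FedUtil "off" setting, or with -Mode ChainTrust (the default here) to turn chain validation back on; no IISReset is needed, as the article notes, because the save itself restarts the AppDomain.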