Saturday, February 25, 2012

Digest Verification Error when editing FederationMetadata.xml

If you have ever had to manually edit the FederationMetadata.xml file, you may encounter a Digest Verification Error message while attempting to use the modified file with the Federation Utility.

The root cause is that FederationMetadata.xml carries a digital signature (the ds:Signature element) so that tampering with the file can be detected. When you edit the file by hand, the digest computed over the modified content no longer matches the digest value stored in the signature, and the Federation Utility throws the Digest Verification Error/Exception.

One of the solutions to resolving this problem is provided here: http://blogs.windowsclient.net/anshulee/archive/2010/09/16/federation-metadata-generator.aspx

Put simply, you remove the ds:Signature element (and everything inside it) and then run the file through the Federation Utility wizard again.

Alternatively, you can re-generate the FederationMetadata.xml file from scratch using the Federation Metadata Generator tool.

However, a better alternative is to simply use the STS Federation Metadata Editor tool that can be downloaded from here: http://stsmetadataeditor.codeplex.com/

You can then manually remove the ds:Signature element, load the metadata into the editor, and save the modified FederationMetadata.xml file.

In addition, the latest source code changeset for this tool (changeset #96419) automatically removes this element for you when a Cryptographic Exception is thrown, so you can re-load the file, make your changes, and save the new file!
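As an added illustration (not code from this post or from either tool linked above), the following Python models why an edited metadata file fails digest verification and what stripping ds:Signature does. The metadata document is constructed, and the digest is a simplified stand-in (SHA-1 over the canonicalized document with the signature removed) for XML-DSig's enveloped-signature and C14N processing, not a full implementation.

```python
"""Model of the Digest Verification Error and the ds:Signature workaround.
Constructed example; the digest below is a simplified stand-in for XML-DSig
(SHA-1 over canonical XML of the document minus its Signature), not the real
enveloped-signature transform, and there is no SignatureValue at all."""
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("ds", DS_NS)
ET.register_namespace("", MD_NS)

# Constructed, minimal metadata document; sign() fills in the DigestValue.
SAMPLE = (
    '<EntityDescriptor xmlns="%s" entityID="https://sts.example.test/">'
    '<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:Reference URI="">'
    '<ds:DigestValue></ds:DigestValue></ds:Reference></ds:SignedInfo>'
    '</ds:Signature>'
    '<RoleDescriptor protocolSupportEnumeration="urn:example:protocol"/>'
    '</EntityDescriptor>' % (MD_NS, DS_NS)
)

def strip_signature(root):
    """Return a copy of the tree with every top-level ds:Signature removed,
    which is the manual fix described in the post."""
    clone = copy.deepcopy(root)
    for sig in clone.findall("{%s}Signature" % DS_NS):
        clone.remove(sig)
    return clone

def compute_digest(root):
    """Base64 SHA-1 over canonical XML of the document minus its signature."""
    unsigned = ET.tostring(strip_signature(root), encoding="unicode")
    return base64.b64encode(
        hashlib.sha1(ET.canonicalize(unsigned).encode()).digest()).decode()

def sign(root):
    """Store the digest of the current content in ds:DigestValue."""
    root.find(".//{%s}DigestValue" % DS_NS).text = compute_digest(root)
    return root

def digest_matches(root):
    """False once any signed content is edited: the stored digest is stale."""
    stored = root.find(".//{%s}DigestValue" % DS_NS)
    return stored is not None and stored.text == compute_digest(root)

def is_signed(root):
    """True while a top-level ds:Signature element is still present."""
    return root.find("{%s}Signature" % DS_NS) is not None
```

Note that the stripped document is no longer tamper-evident: the relying party loses the integrity check, so the edited file should be re-signed or obtained fresh from the issuer before it is trusted.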

1 comment:

  1. Could it be possible that Microsoft's digital signature could be corrupted in such a way that it pretends to prevent tampering but actually doesn't?
