How can I solve expired self-signed certificate errors with Windows Azure Pack?

Fix expired self-signed certificate problems for Windows Azure Pack authentication.

John Savill

June 12, 2015


Q. I'm receiving a 500 error connecting to my Windows Azure Pack portals, and the Event Log shows a certificate error. How can I fix this?

A. When Windows Azure Pack is installed, by default it uses a self-signed certificate for the authentication sites (tenant and administration). These certificates are valid for one year; after that they are no longer valid and authentication fails. If you look in the event logs (MgmtSvc-TenantSite and MgmtSvc-AdminSite) you should see this error:

Error:Unhandled exception: SecurityTokenValidationException: Jwt10329: Unable to validate signature, Configuration.IssuerTokenResolver.ResolveToken returned null. jwt.Header.SigningKeyIdentifier: 'SecurityKeyIdentifier

The solution is to create new certificates.

This can be done with PowerShell, but you need to know the SQL Server, the SQL username and password, and the WAP passphrase:

    # SQL Server DNS name
    $Server = "sqlserver.domain.net"
    # SQL user and password
    $userid = "sa"
    $password = "Password"
    # Passphrase which you defined during the install of WAP
    $PassPhrase = "PassPhrase"
    # Connection string to the WAP configuration store; the default database name is Microsoft.MgmtSvc.Config
    $ConfigconnectionString = "Data Source=$Server;Initial Catalog=Microsoft.MgmtSvc.Config;User ID=$userid;Password=$password"

    # Renew the signing certificate for both authentication sites
    foreach ($NameSpace in "AuthSite", "WindowsAuthSite") {
        # Get current signing certificate thumbprint
        $setting = Get-MgmtSvcSetting -Namespace $NameSpace -Name Authentication.SigningCertificateThumbprint
        $oldThumbprint = $setting.Value
        # Remove the old certificate from the global config store
        $Result = Set-MgmtSvcDatabaseSetting -Namespace $NameSpace -Name Authentication.SigningCertificate -Value $Null -ConnectionString $ConfigconnectionString -PassPhrase $PassPhrase -Force -Confirm:$false
        # Re-initialize the authentication service to generate a new signing certificate and reconfigure
        Initialize-MgmtSvcFeature -Name $NameSpace -Passphrase $PassPhrase -ConnectionString $ConfigconnectionString -Verbose
    }

Note that this would have to be repeated every year. A better approach is to use certificates from your enterprise CA. This is documented at http://blogs.technet.com/b/privatecloud/archive/2013/12/10/windows-azure-pack-reconfigure-portal-names-ports-and-use-trusted-certificates.aspx.
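Because the renewal has to be repeated every year, it helps to know when the current signing certificates run out rather than waiting for the Jwt10329 error. The following PowerShell check is an added example, not code from the original article: it reads the signing-certificate thumbprint for each authentication site and reports the days left before expiry. It assumes the MgmtSvc PowerShell module is loaded on the WAP machine and that the self-signed signing certificates are in the LocalMachine\My store; the function name and the 30-day warning threshold are my own choices.

```powershell
# Added example: report remaining validity of the WAP authentication signing certificates.
# Assumes the MgmtSvc module is loaded and the certificates are in Cert:\LocalMachine\My.
function Get-WapSigningCertStatus {
    param(
        # Flag certificates with fewer than this many days left (threshold chosen here, not from the article)
        [int]$WarnDays = 30
    )

    foreach ($NameSpace in "AuthSite", "WindowsAuthSite") {
        # Same setting the renewal script reads: the thumbprint of the active signing certificate
        $setting    = Get-MgmtSvcSetting -Namespace $NameSpace -Name Authentication.SigningCertificateThumbprint
        $thumbprint = $setting.Value

        # Look the certificate up in the local machine personal store by thumbprint
        $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }

        if (-not $cert) {
            # The config store points at a certificate that is no longer installed; authentication will fail
            [pscustomobject]@{
                Namespace  = $NameSpace
                Thumbprint = $thumbprint
                NotAfter   = $null
                DaysLeft   = $null
                Status     = "CertificateNotFound"
            }
            continue
        }

        $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        $status = if ($daysLeft -lt 0)          { "Expired" }
                  elseif ($daysLeft -lt $WarnDays) { "ExpiringSoon" }
                  else                            { "OK" }

        [pscustomobject]@{
            Namespace  = $NameSpace
            Thumbprint = $thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            Status     = $status
        }
    }
}

# Run on the WAP authentication server; schedule it so an ExpiringSoon result triggers the renewal above
Get-WapSigningCertStatus -WarnDays 30 | Format-Table -AutoSize
```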
