support/entra/entra-id/app-integration/error-code-aadsts50017-certificate-based-authentication-failed.md
Lines changed: 9 additions & 4 deletions
@@ -14,7 +14,7 @@ ms.subservice: authentication
14
14
---
15
15
# Error AADSTS50017 - Validation of Given Certificate for Certificate-Based Authentication Failed
16
16
17
-
This article discusses scenarios where the AADSTS50017 error occurs when a user accesses an application or resource with Certificate Based Authentication (CBA).
17
+
This article discusses scenarios where the AADSTS50017 error occurs when a user accesses an application or resource with certificate-based authentication (CBA).
18
18
19
19
## Symptoms
20
20
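Review bot: the lowercasing to "certificate-based authentication (CBA)" at new line 17 leaves the article's casing inconsistent: the H1 at line 15 keeps "Certificate-Based Authentication" (acceptable for a title) but the Symptoms context shown in the next hunk header still reads "Certificate-Based authentication" in body text. Apply the same body-text casing there so the term is written one way throughout.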
@@ -30,7 +30,7 @@ When a user tries to access an application or resource with Certificate-Based a
30
30
31
31
2. If you have a non-root Issuing CA (intermediate CA), both intermediate and root CA certificates must be uploaded to the Entra ID CA trusted store.
32
32
33
-
3. In Public Key Infrastructure (PKI), the certificate chain validation process ensures the integrity and authenticity of the certificate chain. Two key identifiers play a crucial role:
33
+
3. In Public Key Infrastructure (PKI), the certificate chain validation process ensures the integrity and authenticity of the certificate chain. Below two key identifiers play a crucial role:
34
34
35
35
**Subject Key Identifier (SKI):** The **SKI** provides a unique identifier for the public key held by the certificate.
36
36
**Authority Key Identifier (AKI):** The **AKI** is used to identify the certificate authority (CA) that issued the certificate.
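Review bot: "Below two key identifiers play a crucial role:" at new line 33 is ungrammatical; the original "Two key identifiers play a crucial role:" read better. If the intent is to point the reader at the SKI/AKI definitions that follow, use "The following two key identifiers play a crucial role:" or "Two key identifiers, described below, play a crucial role:".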
@@ -39,6 +39,9 @@ When a user tries to access an application or resource with Certificate-Based a
39
39
40
40
It’s possible to check that information by navigating through the details of the user’s certificate and uploaded issuing CAs, as shown on the next pictures:
41
41
42
+

43
+
44
+
42
45
1.**Root CA Certificate:**
43
46
- Has its own SKI.
44
47
- Issues the Intermediate certificates (when applicable).
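Review bot: the three added lines (new 42 to 44) are all blank, so this hunk inserts a run of consecutive empty lines that Markdown collapses to a single paragraph break and that markdownlint flags (MD012); keep one blank line, or, if these lines were meant to hold the image references the preceding sentence promises ("as shown on the next pictures"), the references are missing and the sentence should also read "as shown in the following screenshots". The context line "1.**Root CA Certificate:**" also needs a space after "1." to render as an ordered-list item.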
@@ -51,7 +54,7 @@ It’s possible to check that information by navigating through the details of t
51
54
- Multiple intermediate CAs can exist.
52
55
- Issues the Intermediate certificates (when applicable).
53
56
54
-
3.**End-Entity (User) Certificate:**
57
+
3.**End-Entity (User or Client) Certificate:**
55
58
- Has its own SKI
56
59
- AKI points to the Issuing CA’s SKI.
57
60
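Review bot: the edited line "3.**End-Entity (User or Client) Certificate:**" still has no space after "3.", so Markdown renders it as literal text rather than the third item of the ordered list; write "3. **End-Entity (User or Client) Certificate:**". Two smaller points in the surrounding context: "Has its own SKI" (new line 58) lacks the trailing period the other bullets have, and the bullet "Issues the Intermediate certificates (when applicable)." (new line 55) repeats the Root CA bullet verbatim under what appears to be the intermediate CA item; confirm whether that item should instead say it issues the end-entity (user) certificates.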
@@ -77,9 +80,11 @@ You can verify the policy Object Identifiers (OIDs) for consistency and validity
If any of the certificates are missing Certificate Policies extensions, it is necessary to reissue the Certification Authority (CA) certificate or end user certificate with the appropriate Certificate Policies extensions embedded.
81
86
82
-
For more details about **policy extension and other supported extensions**, please refer to the following article:
87
+
For more details about [policy extension and other supported extensions](/windows/win32/seccertenroll/supported-extensions), please refer to the following article:
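Review bot: new line 87 turns the phrase into an inline link but keeps "please refer to the following article:", so the sentence now ends with a colon that points at nothing; rephrase to something like "For more information about policy extensions and other supported extensions, see [Supported extensions](/windows/win32/seccertenroll/supported-extensions)." Dropping "please" also matches the style used elsewhere in this article. Please verify the relative link target resolves in the published docs site.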