You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
# Error AADSTS50017 - Validation of Given Certificate for Certificate-Based Authentication Failed
16
+
17
+
This article discusses scenarios where the AADSTS50017 error occurs when a user accesses an application or resource with Certificate Based Authentication (CBA).
18
+
19
+
## Symptoms
20
+
21
+
When a user tries to access an application or resource with Certificate-Based authentication ( CBA) the sign-in process fails, and the following error message is displayed:
22
+
23
+
> AADSTS50017: Validation of given certificate for certificate based authentication failed.
24
+
25
+
## Scenario 1: Certificate chain failures due to missing CA Certificates in store or validation failures with SKI and AKI Values
26
+
27
+
## Solution :
28
+
29
+
1. Check if issuing certificate was correctly uploaded to the trusted certificates list. A certificate chain consists of multiple certificates linked together. The end-user’s certificate can be issued by a root CA, or by a non-root CA (a.k.a. intermediate CA).
30
+
31
+
2. If you have a non-root Issuing CA (intermediate CA), both intermediate and root CA certificates must be uploaded to the Entra ID CA trusted store.
32
+
33
+
3. In Public Key Infrastructure (PKI), the certificate chain validation process ensures the integrity and authenticity of the certificate chain. Two key identifiers play a crucial role:
34
+
35
+
**Subject Key Identifier (SKI):** The **SKI** provides a unique identifier for the public key held by the certificate.
36
+
**Authority Key Identifier (AKI):** The **AKI** is used to identify the certificate authority (CA) that issued the certificate.
37
+
38
+
**1.1)** Check the SKI of the user’s certificate and confirm if the AKI matches any of the intermediate or root CAs it was uploaded to the trusted store.
39
+
40
+
It’s possible to check that information by navigating through the details of the user’s certificate and uploaded issuing CAs, as shown on the next pictures:
41
+
42
+
1.**Root CA Certificate:**
43
+
- Has its own SKI.
44
+
- Issues the Intermediate certificates (when applicable).
45
+
- The Root Certificate will not contain the Authority Key Identifier (AKI) field
46
+
47
+
2.**Issuing or intermediate CA Certificate (when applicable):**
48
+
- AKI points to the Root CA’s SKI.
49
+
- Has its own SKI that will match the AKI on the user’s certificate.
50
+
- Issues the user’s Certificate.
51
+
- Multiple intermediate CAs can exist.
52
+
- Issues the Intermediate certificates (when applicable).
53
+
54
+
3.**End-Entity (User) Certificate:**
55
+
- Has its own SKI
56
+
- AKI points to the Issuing CA’s SKI.
57
+
58
+
**1.2)** If there is no match, the missing CA certificates or the user’s certificate should be changed accordingly. Details under [Configure Certification Authorities using the Microsoft Entra Admin Center ](/entra/identity/authentication/how-to-certificate-based-authentication#configure-certification-authorities-using-the-microsoft-entra-admin-center).
59
+
60
+
61
+
## Scenario 2: Invalid CAs Where the Issuer Does Not Carry Valid Extension Identifiers.
62
+
63
+
The AADSTS50017 error may also occur if any certificates in the chain are missing valid extension identifiers, such as certificate policy extensions.
64
+
65
+
2.1) Validate the Certificate Policies extensions for all certificates within the certificate chain, including user certificates, intermediate Certification Authority (CA) certificates, and the root CA certificate. Ensure that the Certificate Policies extension and its Object Identifiers (OIDs) are consistent and valid across the entire chain.
66
+
67
+
68
+
69
+
You can verify the policy Object Identifiers (OIDs) for consistency and validity by retrieving the relevant certificates in chain and validating them as shown below:
70
+
71
+
72
+
73
+
74
+
75
+
76
+
77
+
78
+
79
+
80
+
If any of the certificates are missing Certificate Policies extensions, it is necessary to reissue the Certification Authority (CA) certificate or end user certificate with the appropriate Certificate Policies extensions embedded.
81
+
82
+
For more details about **policy extension and other supported extensions**, please refer to the following article:
83
+
84
+
## AADSTS error code reference
85
+
86
+
For a full list of authentication and authorization error codes, see [Microsoft Entra authentication and authorization error codes](/entra/identity-platform/reference-error-codes). To investigate individual errors, search at https://login.microsoftonline.com/error.
87
+
88
+
[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]
0 commit comments