Sitefinity has added a security check called the Signing Certificate. It is used to verify the issuer of the authentication token to enhance the safety of the site. Currently, however, the documentation is missing an important piece of configuration needed to make this work on Azure-hosted sites.
As of Sitefinity release 13.2, you will get a notification if your signing certificate has issues.
If you check out the documentation (as of today), you will find some very simple instructions:
- Navigate to Administration » Settings » Advanced » Authentication » SecurityTokenService » IdentityServer » SigningCertificate.
- Fill out the fields and make sure the SubjectName field matches the subject name of the certificate.
- Restart Sitefinity CMS after configuring the certificate.
The trouble is that there are multiple values to pick from, so which is appropriate for an Azure-hosted site? I filled in the settings as I thought best, but I still had the error, so I logged a ticket with Sitefinity support.
In the end, there is some missing information. On an Azure-hosted site, you need to add a configuration setting.
WEBSITE_LOAD_CERTIFICATES = *
This Microsoft article explains that this setting allows you to access the certificates from code, which is what Sitefinity will be doing.
You will also notice that you can specify the certificate name rather than use the wildcard '*' option.
As for the other settings, I have found that several combinations worked. What I have gone with is having the certificate store set to 'My', as the article suggests, and the store location set to 'Local Machine'.
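To see which store location actually exposes the certificate, and whether its subject matches what was typed into the SubjectName field, a check like the following can be run on the App Service host (for example in the Kudu PowerShell console). It is an added example, not code from Sitefinity or from the original post; the function name `Test-SigningCertificate` and the subject name `example-signing-cert` are placeholders.

```powershell
# Added example: report where a certificate with the given subject name is
# visible to the app, and whether it is usable for signing.
function Test-SigningCertificate {
    param(
        [Parameter(Mandatory)] [string] $SubjectName,  # value entered in the SubjectName field
        [string] $StoreName = 'My'
    )

    # Per Microsoft's App Service documentation the setting holds '*' or a
    # comma-separated list of certificate thumbprints.
    $setting = "$env:WEBSITE_LOAD_CERTIFICATES"
    if (-not $setting) {
        Write-Warning 'WEBSITE_LOAD_CERTIFICATES is not set for this app.'
    }
    $allowed = @($setting -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    foreach ($location in 'CurrentUser', 'LocalMachine') {
        $store = $null
        try {
            $store = [System.Security.Cryptography.X509Certificates.X509Store]::new(
                $StoreName,
                [System.Security.Cryptography.X509Certificates.StoreLocation]$location)
            $store.Open('ReadOnly')
            # validOnly = $false so expired or untrusted certificates are still listed.
            foreach ($cert in $store.Certificates.Find('FindBySubjectName', $SubjectName, $false)) {
                [pscustomobject]@{
                    StoreLocation   = $location
                    Subject         = $cert.Subject
                    Thumbprint      = $cert.Thumbprint
                    HasPrivateKey   = $cert.HasPrivateKey   # needed to sign tokens
                    NotAfter        = $cert.NotAfter
                    Expired         = $cert.NotAfter -lt (Get-Date)
                    LoadedBySetting = ($setting -eq '*') -or ($allowed -contains $cert.Thumbprint)
                }
            }
        }
        catch {
            Write-Warning "Cannot read $location\$StoreName : $($_.Exception.Message)"
        }
        finally {
            if ($store) { $store.Close() }
        }
    }
}

# 'example-signing-cert' is a placeholder; use your certificate's subject name.
Test-SigningCertificate -SubjectName 'example-signing-cert' | Format-Table -AutoSize
```

An empty result means no certificate with that subject is visible in either location, which points at the app setting or the SubjectName value rather than the other Sitefinity fields.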
Final note: when you update the settings, your Azure site will restart.
Thanks for reading and feel free to comment - Darrin Robertson