Getting AADSTS50017 error at login after setting up User CBA

Suolon Hu 1 Reputation point
2023-09-21T15:39:34.2866667+00:00

Hi, we are trying to set up and deploy user CBA (with DigiCert as our CA). We were successful in setting up Device CBA, but are having issues setting up User CBA. We followed the steps that were provided by Microsoft, but encounter the error AADSTS50017 when our test ID tries to log in on a browser using CBA.

We know that the error is stating the following, but we have no idea how to go about to resolve this as it seems that our settings are all correct.

CertificateValidationFailed - Certification validation failed, reasons for the following reasons:

  • Cannot find issuing certificate in trusted certificates list
  • Unable to find expected CrlSegment
  • Cannot find issuing certificate in trusted certificates list
  • Delta CRL distribution point is configured without a corresponding CRL distribution point
  • Unable to retrieve valid CRL segments because of a timeout issue
  • Unable to download CRL

We're working with DigiCert, but even they are saying our settings look to be correct, so we're not sure what else to do here.

Any suggestions?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator
    2023-09-22T07:32:33.3633333+00:00

    @Suolon Hu Thank you for reaching out to us. Could you export the user cert to a .cer file and use certutil to verify whether all the tests for the certificate are passing or not?

    certutil -v -verify -urlfetch cert.cer

    I would also request that you check whether all certificates in the chain are added to the certificate authorities trust list in the Azure portal.

    Also check whether the CRL is configured correctly or not.

    Let me know if you have any further questions, feel free to post back.


  2. Les Wong 0 Reputation points
    2024-04-04T05:13:32.3866667+00:00

    If this happens to you with Microsoft Cloud PKI and Certificate Based Authentication, make sure you've added the Issuing CA, if you have one, to the Entra Certificate Authorities page. This error (50017) can pop up if you've forgotten to do that, and Cloud PKI auto-creates the Root CA but not the Issuing CA.

