The purpose of this blog post is to present a couple of error messages I ran into while setting up Single Sign-on from Active Directory to a web application using Windows Azure Access Control Service (ACS).
I configured my Microsoft Active Directory Federation Services (AD FS) 2.0 server as an Identity Provider and set up my web application as a relying party application in ACS.
https://msdn.microsoft.com/en-us/library/windowsazure/gg429779.aspx and https://msdn.microsoft.com/en-us/library/windowsazure/gg185961.aspx are good references for this.
I am using a self-signed certificate in ACS for Token Signing and I configured the certificate in the management portal for my ACS namespace as shown below.
I added the necessary sections in the <system.identityModel> section of the web.config file for the web application to integrate with ACS.
Now when I run my web application, I get redirected to the ACS login page, select my AD FS identity provider, provide the credentials for my AD user, and get this error:
[SecurityTokenException: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.]
   System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ValidateToken(SecurityToken token)
   System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
   System.IdentityModel.Services.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
   System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request)
   System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Since I am using a self-signed certificate, I add the following to my <identityConfiguration> section within <system.identityModel> to get past the error.
      <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
        <authority name="https://imtiazhnamespace.accesscontrol.windows.net/">
          <keys>
            <add thumbprint="9DFF02F5DF0F9346CA9E9EFA7BF7D14BF99DE1EA" />
          </keys>
          <validIssuers>
            <add name="https://imtiazhnamespace.accesscontrol.windows.net/" />
          </validIssuers>
        </authority>
      </issuerNameRegistry>
    </identityConfiguration>
  </system.identityModel>
Now when I run the application, I get the following error, which had me stumped, because the thumbprint in my web.config appeared to match the thumbprint of my token signing certificate in ACS.
[SecurityTokenValidationException: WIF10201: No valid key mapping found for securityToken: 'System.IdentityModel.Tokens.X509SecurityToken' and issuer: 'https://imtiazhnamespace.accesscontrol.windows.net/'.]
   System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ValidateToken(SecurityToken token)
   System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
   System.IdentityModel.Services.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
   System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request)
   System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
It turned out that when I pasted the thumbprint value into Visual Studio from the Certificates MMC snap-in, an extra (invisible) Unicode character got copied along with it, so the certificate's thumbprint did not match.
The following KB article talks about it. I tried saving the value in Notepad, and it does warn that the document contains Unicode characters.
I then deleted the first, invisible character and got it to work.
I could also have copied the thumbprint from the Azure management portal (the first screenshot above) and not run into this, but I happened to have the same certificate installed on my web server, so I copied it from the MMC and inadvertently spent some time troubleshooting it :)
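As an added check that is not part of the original post, the following Python script parses the <issuerNameRegistry> thumbprints out of a web.config and reports every character that is not a hex digit, naming its code point so the invisible character becomes visible. The embedded web.config is constructed for the example: it is the configuration above with the thumbprint prefixed by U+200E (LEFT-TO-RIGHT MARK), an assumed stand-in for the character the MMC copy introduced, since the post does not say which one it was.

```python
import re
import unicodedata
import xml.etree.ElementTree as ET

HEX_DIGITS = set("0123456789abcdefABCDEF")
THUMBPRINT_40 = re.compile(r"^[0-9A-F]{40}$")

# Constructed sample: the page's config with an assumed U+200E prefixed to the thumbprint.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.identityModel>
    <identityConfiguration>
      <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
        <authority name="https://imtiazhnamespace.accesscontrol.windows.net/">
          <keys>
            <add thumbprint="\u200e9DFF02F5DF0F9346CA9E9EFA7BF7D14BF99DE1EA" />
          </keys>
          <validIssuers>
            <add name="https://imtiazhnamespace.accesscontrol.windows.net/" />
          </validIssuers>
        </authority>
      </issuerNameRegistry>
    </identityConfiguration>
  </system.identityModel>
</configuration>"""

def bad_chars(value):
    """List (index, code point, Unicode name) for every non-hex character."""
    return [(i, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
            for i, c in enumerate(value) if c not in HEX_DIGITS]

def normalize_thumbprint(value):
    """Drop non-hex characters and upper-case the rest (a reader comment on the
    page reports lowercase thumbprints are rejected, so uppercase is the safe form)."""
    return "".join(c for c in value if c in HEX_DIGITS).upper()

def lint_web_config(xml_text):
    """Check every <add thumbprint> under each <authority>; return one finding per key."""
    findings = []
    for authority in ET.fromstring(xml_text).iter("authority"):
        for add in authority.findall("./keys/add"):
            raw = add.get("thumbprint", "")
            findings.append({
                "issuer": authority.get("name"),
                "raw": raw,
                "bad_chars": bad_chars(raw),          # e.g. [(0, 'U+200E', 'LEFT-TO-RIGHT MARK')]
                "normalized": normalize_thumbprint(raw),
                "ok": THUMBPRINT_40.match(raw) is not None,  # exactly 40 uppercase hex digits
            })
    return findings
```

Call lint_web_config(SAMPLE_WEB_CONFIG) to see the finding for the sample; a finding with "ok" false and a non-empty "bad_chars" list is the WIF10201 case described above, and "normalized" is the value to paste back.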
Comments
- Anonymous, September 05, 2014
  Thank you!!!! I couldn't figure out what was wrong with mine, and it was an invisible character in the thumbprint copied from the certificate details screen.
- Anonymous, September 25, 2014
  Thank you very much :)
- Anonymous, December 23, 2014
  I had the same issue, but unfortunately updating the thumbprint does not help me. I added it manually and confirmed that the thumbprint is correct, but no joy. Funny thing is that at one point this server worked, but it has gone dead. I also confirmed that the certificate is valid and it is just fine. The certificate is from a public trusted authority and is good until 2016. Know of anything else that might cause this issue?
- Anonymous, December 12, 2016
  Did you enter the thumbprint with uppercase letters? It will fail with lowercase letters (even if the thumbprint otherwise matches).