Using AD FS to implement OIDC authentication, an 'IDX10500: Signature validation failed.' error occurs when accessing SharePoint with the AccessToken

Hugo 0 Reputation points
2025-05-22T07:29:39.3066667+00:00

Hi.
I am implementing the integration between SharePoint Subscription and AD FS.

I have installed the SharePoint Subscription version and configured AD FS as follows.

https://learn.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/set-up-oidc-auth-in-sharepoint-server-with-adfs

I also imported the AD FS signing certificate into the SharePoint Subscription server and the Windows root certificate.

https://learn.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/set-up-oidc-auth-in-sharepoint-server-with-adfs#step-3-configure-sharepoint-to-trust-the-identity-providers

The result obtained by 'Get-SPTrustedRootAuthority' after executing the above steps is as follows.

Certificate                 : [Subject]
                                CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US
                              [Issuer]
                                CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US
                              [Serial Number]
                                CD1B1D15388F9DBB438116DEDCB936F6
                              [Not Before]
                                2025/05/07 1:10:03
                              [Not After]
                                9999/01/01 9:00:00
                              [Thumbprint]
                                D61DF5ACA3F74D8F9476C9DD67B0C8A3D5039478
Name                        : local
TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
DisplayName                 : local
Id                          : 2f734093-d095-4eb1-a069-4fc0d3a87c78
Status                      : Online
Parent                      : SPTrustedRootAuthorityManager
Version                     : 2084
DeploymentLocked            : False
Properties                  : {}
Farm                        : SPFarm Name=SharePoint_Config
UpgradedPersistedProperties : {}

Certificate                 : [Subject]
                                CN=ADFS Signing - WIN-JM6VJ2RTE4E.awmspm.local
                              [Issuer]
                                CN=ADFS Signing - WIN-JM6VJ2RTE4E.awmspm.local
                              [Serial Number]
                                191836AE55AD83904B16F2F0E4A20D30
                              [Not Before]
                                2025/05/08 8:32:35
                              [Not After]
                                2026/05/08 8:32:35
                              [Thumbprint]
                                06A3F7DF8D8AE66930742059E2C00EC91AF24347

After the configuration, the SharePoint web UI can be authenticated and logged in via AD FS.

Using Postman, I can also obtain an authentication code from AD FS, and then get the AccessToken/RefreshToken and IDToken from the authentication code.

However, when trying to access SharePoint resources using the AccessToken or IdToken, the following error occurs.

SPApplicationAuthenticationModuleV2: Failed to authenticate request, unknown error.
Exception details: System.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier ( IsReadOnly = False, Count = 2, Clause[0] = X509ThumbprintKeyIdentifierClause(Hash = 0x06A3F7DF8D8AE66930742059E2C00EC91AF24347), Clause[1] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause ) ', token: '{"typ":"JWT","alg":"RS256","x5t":"BqP3342K5mkwdCBZ4sAOyRryQ0c","kid":"BqP3342K5mkwdCBZ4sAOyRryQ0c"}.{"aud":"microsoft:identityserver:00000003-0000-0ff1-ce00-000000000000","iss":"http://WIN-JM6VJ2RTE4E.awmspm.local/adfs/services/trust","iat":1747786941,"nbf":[1747786941,"0"],"exp":1747790541,"email":"administrator@awmspm.local","role":["awmspm.local\Domain Admins","awmspm.local\Domain Users","awmspm.local\Schema Admins","awmspm.local\Enterprise Admins","awmspm.local\Group Policy Creator Owners"],"apptype":"Public","appid":"00000003-0000-0ff1-ce00-000000000000","authmethod":"urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport","auth_time":"2025-05-20T22:39:22.925Z","ver":"1.0"}'.
   場所 System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
   場所 Microsoft.SharePoint.IdentityModel.SPJsonWebSecurityBaseTokenHandlerV2.ValidateSignature(String tokenString, TokenValidationParameters validationParameters)
   場所 System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateToken(String securityToken, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   場所 Microsoft.SharePoint.IdentityModel.SPJsonWebSecurityBaseTokenHandlerV2.ValidateToken(String tokenString, TokenValidationParameters validationParameters, SecurityToken& token)
   場所 Microsoft.SharePoint.IdentityModel.SPJsonWebSecurityTokenHandlerV2.ValidateToken(String token, TokenValidationParameters validationParameters,
...curityToken& validatedToken)
   場所 Microsoft.SharePoint.IdentityModel.SPJsonWebSecurityTokenHandlerV2.ValidateToken(SecurityToken token)
   場所 Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModuleV2.TryExtractAndValidateToken(HttpContext httpContext, SPIncomingTokenContextV2& tokenContext, SPIdentityProofToken& identityProofToken)
   場所 Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModuleV2.ConstructIClaimsPrincipalAndSetThreadIdentity(HttpApplication httpApplication, HttpContext httpContext, SPFederationAuthenticationModuleV2 fam, String& tokenType)
   場所 Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModuleV2.AuthenticateRequest(Object sender, EventArgs e)

The thumbprint '0x06A3F7DF8D8AE66930742059E2C00EC91AF24347' in the error is the thumbprint of the AD FS signing certificate.

If this error still occurs, is there a problem with the certificate settings on SharePoint?

Please help me fix it, thank you!
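As an added check that is not part of the question or of Microsoft's documentation, the Python script below decodes the JWT header quoted in the error, converts its base64url `x5t` value back to the hex thumbprint form shown by Get-SPTrustedRootAuthority, and compares it against the two trusted thumbprints listed above; it also flags registered claims that are not NumericDate integers as RFC 7519 requires. The token is reconstructed from the header and payload in the post with a constructed placeholder signature, so no signature is verified here.

```python
import base64
import binascii
import json

# Header and payload copied from the error text in the post; the signature
# segment is a constructed placeholder (this script only inspects metadata).
HEADER = {"typ": "JWT", "alg": "RS256",
          "x5t": "BqP3342K5mkwdCBZ4sAOyRryQ0c", "kid": "BqP3342K5mkwdCBZ4sAOyRryQ0c"}
PAYLOAD = {"aud": "microsoft:identityserver:00000003-0000-0ff1-ce00-000000000000",
           "iss": "http://WIN-JM6VJ2RTE4E.awmspm.local/adfs/services/trust",
           "iat": 1747786941, "nbf": [1747786941, "0"], "exp": 1747790541}

# Thumbprints from the Get-SPTrustedRootAuthority output in the post.
TRUSTED_THUMBPRINTS = {"D61DF5ACA3F74D8F9476C9DD67B0C8A3D5039478",
                       "06A3F7DF8D8AE66930742059E2C00EC91AF24347"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


SAMPLE_JWT = ".".join([b64url_encode(json.dumps(HEADER).encode()),
                       b64url_encode(json.dumps(PAYLOAD).encode()),
                       b64url_encode(b"placeholder-signature")])


def x5t_to_thumbprint(x5t: str) -> str:
    """x5t is base64url(SHA-1 of the DER cert); return the hex thumbprint."""
    return binascii.hexlify(b64url_decode(x5t)).decode().upper()


def inspect_token(jwt: str, trusted: set) -> dict:
    """Return the key thumbprint, issuer/audience and a list of findings."""
    header_b64, payload_b64, _signature = jwt.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    findings = []
    thumb = x5t_to_thumbprint(header["x5t"])
    if thumb not in trusted:
        findings.append("x5t %s matches no trusted root authority" % thumb)
    for claim in ("iat", "nbf", "exp"):
        if not isinstance(payload.get(claim), int):   # RFC 7519 NumericDate
            findings.append("claim %r is not a NumericDate: %r" % (claim, payload.get(claim)))
    return {"thumbprint": thumb, "iss": payload["iss"], "aud": payload["aud"],
            "findings": findings}


if __name__ == "__main__":
    print(json.dumps(inspect_token(SAMPLE_JWT, TRUSTED_THUMBPRINTS), indent=2))
```

Running it against the quoted token shows that the x5t does resolve to the imported AD FS signing certificate's thumbprint, which narrows the investigation to how SharePoint maps that thumbprint to a key rather than to a missing certificate.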
