Errors ID4175 and WIF10201 in context of ACS


The purpose of this blog to present a couple of error messages I ran into during setting up a Single Sign-on from Active Directory to a web application using Windows Azure Access Control Service(ACS).

I configured my Microsoft Active Directory Federation Services(AD FS) 2.0 server as an Identity Provider and setup my web application as a relying party application in ACS.

http://msdn.microsoft.com/en-us/library/windowsazure/gg429779.aspx and http://msdn.microsoft.com/en-us/library/windowsazure/gg185961.aspx are good references for this.

I am using a self-signed certificate in ACS for Token Signing and I configured the certificate in the management portal for my ACS namespace as shown below.

clip_image001[4]

I added the necessary sections in the <system.identityModel> section of the web.config file for the web application to integrate with ACS.

Now when I run my web application, I get redirected to the login page from ACS and I select my ADFS identity provider to login and provide credentials for my AD user and I get this error:

SecurityTokenException: ID4175: The issuer of the security token 
was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the
IssuerNameRegistry to return a valid name for this issuer.]
   System.IdentityModel.Tokens.Saml2SecurityTokenHandler.
ValidateToken(SecurityToken token)
   System.IdentityModel.Tokens.SecurityTokenHandlerCollection.
ValidateToken(SecurityToken token)
   System.IdentityModel.Services.TokenReceiver.
AuthenticateToken(SecurityToken token, Boolean ensureBearerToken,
String endpointUri)
   System.IdentityModel.Services.WSFederationAuthenticationModule.
SignInWithResponseMessage(HttpRequestBase request)
   System.IdentityModel.Services.WSFederationAuthenticationModule.
OnAuthenticateRequest(Object sender, EventArgs args)
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.
IExecutionStep.Execute()
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step,
Boolean& completedSynchronously)

Since I am using a self-signed certificate, I add the following to my <identityConfiguration> section within <system.identityModel> to get past the error.

<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry,  System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">

  <authority name="https://imtiazhnamespace.accesscontrol.windows.net/">

  <keys>

       <add thumbprint="9DFF02F5DF0F9346CA9E9EFA7BF7D14BF99DE1EA" />

  </keys>

<validIssuers>

  <add name="https://imtiazhnamespace.accesscontrol.windows.net/" />

</validIssuers>

</authority>

</issuerNameRegistry>

</identityConfiguration>

</system.identityModel>

Now when I run the application, I get the following error, which got me stumped, because the thumbprint in my web.config does match the thumbprint of my token signing certificate in ACS.

SecurityTokenValidationException: WIF10201: No valid key mapping 
found for securityToken:
'System.IdentityModel.Tokens.X509SecurityToken' and issuer: 'https://imtiazhnamespace.accesscontrol.windows.net/'.]
   System.IdentityModel.Tokens.Saml2SecurityTokenHandler.
ValidateToken(SecurityToken token)
   System.IdentityModel.Tokens.SecurityTokenHandlerCollection.
ValidateToken(SecurityToken token)
   System.IdentityModel.Services.TokenReceiver.
AuthenticateToken(SecurityToken token, Boolean ensureBearerToken,
String endpointUri)
   System.IdentityModel.Services.WSFederationAuthenticationModule.
SignInWithResponseMessage(HttpRequestBase request)
   System.IdentityModel.Services.WSFederationAuthenticationModule.
OnAuthenticateRequest(Object sender, EventArgs args)
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.
IExecutionStep.Execute()
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step,
Boolean& completedSynchronously)

It turned that when I pasted the thumbprint value in visual studio from the certificates snap-in, an extra (invisible) Unicode character got copied and so the certificate’s thumbprint did not match.

The following KB that talks about it. I tried saving in notepad and it does report that the document contains unicode characters.

http://support.microsoft.com/kb/2023835

clip_image002[4]

I then deleted the first invisible character and got it to work.

I could have also copied the thumbprint from the Azure management portal(the first snapshot above) and not run into this, but I happened to have the same certificate installed on my web server, so I chose to copy from the MMC and inadvertently spent some time troubleshooting it 🙂

Comments (3)

  1. Anonymous says:

    Thank you@!!!!  I couldn't figure out what was wrong with mine and it was an invisible character in the thumbprint copied from the certificate details screen.

  2. Anonymous says:

    Thank you very much 🙂

  3. Anonymous says:

    I had the same issue, but unfortunately updating the Thumbprint does not help me.  I added it manually and confirmed that the thumbprint is correct but no joy.  Funny thing is that at one point this server worked, but it has gone dead.  I also confirmed that the certificate is valid and it is just fine.  The certificate is from a public trusted authority and is good until 2016.  Know of anything else that might cause this issue?