Errors ID4175 and WIF10201 in context of ACS

The purpose of this blog post is to present a couple of error messages I ran into while setting up single sign-on from Active Directory to a web application using Windows Azure Access Control Service (ACS).

I configured my Microsoft Active Directory Federation Services (AD FS) 2.0 server as an identity provider and set up my web application as a relying party application in ACS.

https://msdn.microsoft.com/en-us/library/windowsazure/gg429779.aspx and https://msdn.microsoft.com/en-us/library/windowsazure/gg185961.aspx are good references for this.

I am using a self-signed certificate in ACS for token signing, and I configured the certificate in the management portal for my ACS namespace as shown below.

[Screenshot: the token signing certificate configured for the ACS namespace in the management portal]

I added the necessary sections to the <system.identityModel> section of the web application's web.config file to integrate it with ACS.

Now, when I run my web application, I get redirected to the ACS login page. I select my AD FS identity provider, provide the credentials for my AD user, and get this error:

[SecurityTokenException: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.]
   System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ValidateToken(SecurityToken token)
   System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
   System.IdentityModel.Services.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
   System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request)
   System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Since I am using a self-signed certificate, I add the following issuerNameRegistry to the <identityConfiguration> section within <system.identityModel>, so that WIF accepts tokens signed by the certificate with this thumbprint and issued by my ACS namespace, to get past the error.

<system.identityModel>
  <identityConfiguration>
    <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
      <authority name="https://imtiazhnamespace.accesscontrol.windows.net/">
        <keys>
          <!-- thumbprint of the ACS token signing certificate -->
          <add thumbprint="9DFF02F5DF0F9346CA9E9EFA7BF7D14BF99DE1EA" />
        </keys>
        <validIssuers>
          <!-- issuer name that the token must carry -->
          <add name="https://imtiazhnamespace.accesscontrol.windows.net/" />
        </validIssuers>
      </authority>
    </issuerNameRegistry>
  </identityConfiguration>
</system.identityModel>

Now, when I run the application, I get the following error, which had me stumped, because the thumbprint in my web.config visibly matches the thumbprint of my token signing certificate in ACS.

[SecurityTokenValidationException: WIF10201: No valid key mapping found for securityToken: 'System.IdentityModel.Tokens.X509SecurityToken' and issuer: 'https://imtiazhnamespace.accesscontrol.windows.net/'.]
   System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ValidateToken(SecurityToken token)
   System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
   System.IdentityModel.Services.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
   System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request)
   System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

It turned out that when I pasted the thumbprint value into Visual Studio from the certificates MMC snap-in, an extra (invisible) Unicode character was copied along with it, so the configured thumbprint did not match the certificate's thumbprint.

The following KB article talks about it. I tried saving the value in Notepad, and it does report that the document contains Unicode characters.

https://support.microsoft.com/kb/2023835

[Screenshot: Notepad warning that the file contains characters in Unicode format]

I then deleted the first invisible character and got it to work.
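As an added check (not code from the original post), the following script audits the <keys> entries of a web.config fragment and reports any character that is not a hex digit by its code point, so that an invisible mark shows up instead of hiding; the sample fragment is constructed, and it assumes the stray character is U+200E LEFT-TO-RIGHT MARK, which the post itself does not name.

```python
import unicodedata
import xml.etree.ElementTree as ET

# Constructed web.config fragment, not the author's file. The thumbprint carries a
# leading U+200E LEFT-TO-RIGHT MARK, assumed here to be the invisible character that
# the certificates MMC snap-in pasted along with the hex digits.
WEB_CONFIG = """<system.identityModel>
  <identityConfiguration>
    <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
      <authority name="https://imtiazhnamespace.accesscontrol.windows.net/">
        <keys><add thumbprint="\u200e9DFF02F5DF0F9346CA9E9EFA7BF7D14BF99DE1EA" /></keys>
        <validIssuers><add name="https://imtiazhnamespace.accesscontrol.windows.net/" /></validIssuers>
      </authority>
    </issuerNameRegistry>
  </identityConfiguration>
</system.identityModel>"""

HEX_DIGITS = set("0123456789abcdefABCDEF")
SHA1_HEX_LEN = 40  # an X.509 thumbprint is the SHA-1 hash of the DER certificate


def inspect_thumbprint(value):
    """Return (hex digits only, upper-cased, stray characters as (pos, U+XXXX, name)).
    Spaces are dropped because the MMC dialog displays the hash as byte pairs."""
    cleaned, stray = [], []
    for pos, ch in enumerate(value):
        if ch in HEX_DIGITS:
            cleaned.append(ch.upper())
        elif ch != " ":
            stray.append((pos, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return "".join(cleaned), stray


def thumbprints_match(configured, certificate_thumbprint):
    """Character-for-character, case-insensitive comparison (assumed to reflect how the
    registry matches keys): one stray character makes the strings differ, which is what
    surfaces as WIF10201 even though the visible hex digits are identical."""
    return configured.upper() == certificate_thumbprint.upper()


def audit_web_config(xml_text):
    """One finding per <add thumbprint="..."> that is not exactly 40 clean hex digits."""
    findings = []
    for add in ET.fromstring(xml_text).iter("add"):
        raw = add.get("thumbprint")
        if raw is None:  # <validIssuers><add name=.../> carries no thumbprint
            continue
        cleaned, stray = inspect_thumbprint(raw)
        if stray or len(cleaned) != SHA1_HEX_LEN:
            findings.append({"raw": raw, "cleaned": cleaned, "stray": stray})
    return findings
```

Running audit_web_config on the real web.config before deploying turns the silent mismatch into a report that names the offending code point and position.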

I could also have copied the thumbprint from the Azure management portal (the first screenshot above) and not run into this, but I happened to have the same certificate installed on my web server, so I chose to copy it from the MMC and inadvertently spent some time troubleshooting it :)