Errors ID4175 and WIF10201 in context of ACS
The purpose of this blog post is to present a couple of error messages I ran into while setting up single sign-on from Active Directory to a web application using Windows Azure Access Control Service (ACS).
I configured my Microsoft Active Directory Federation Services (AD FS) 2.0 server as an identity provider and set up my web application as a relying party application in ACS.
https://msdn.microsoft.com/en-us/library/windowsazure/gg429779.aspx and https://msdn.microsoft.com/en-us/library/windowsazure/gg185961.aspx are good references for this.
I am using a self-signed certificate in ACS for token signing, and I configured the certificate in the management portal for my ACS namespace as shown below.
I added the necessary sections in the <system.identityModel> section of the web.config file for the web application to integrate with ACS.
Now when I run my web application, I get redirected to the ACS login page. I select my AD FS identity provider, provide the credentials for my AD user, and get this error:
[SecurityTokenException: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.]
   System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ValidateToken(SecurityToken token)
   System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
   System.IdentityModel.Services.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
   System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request)
   System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Since I am using a self-signed certificate, I added the following to the <identityConfiguration> section within <system.identityModel> to get past the error. The ValidatingIssuerNameRegistry maps the signing certificate's thumbprint to the ACS issuer name, so a token signed by any other certificate is rejected:
<system.identityModel>
  <identityConfiguration>
    <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
      <authority name="https://imtiazhnamespace.accesscontrol.windows.net/">
        <keys>
          <add thumbprint="9DFF02F5DF0F9346CA9E9EFA7BF7D14BF99DE1EA" />
        </keys>
        <validIssuers>
          <add name="https://imtiazhnamespace.accesscontrol.windows.net/" />
        </validIssuers>
      </authority>
    </issuerNameRegistry>
  </identityConfiguration>
</system.identityModel>
Now when I run the application, I get the following error, which got me stumped, because the thumbprint in my web.config does match the thumbprint of my token signing certificate in ACS.
[SecurityTokenValidationException: WIF10201: No valid key mapping found for securityToken: 'System.IdentityModel.Tokens.X509SecurityToken' and issuer: 'https://imtiazhnamespace.accesscontrol.windows.net/'.]
   System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ValidateToken(SecurityToken token)
   System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
   System.IdentityModel.Services.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
   System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request)
   System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
It turned out that when I pasted the thumbprint value into Visual Studio from the Certificates snap-in, an extra (invisible) Unicode character got copied along with it, so the certificate's thumbprint did not match.
The following KB article talks about it. When I tried saving the value in Notepad, it did report that the document contains Unicode characters.
I then deleted the first invisible character and got it to work.
I could also have copied the thumbprint from the Azure management portal (the first screenshot above) and not run into this, but I happened to have the same certificate installed on my web server, so I chose to copy it from the MMC and inadvertently spent some time troubleshooting it :)
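Here is an added Python check, not from the original post, that catches this class of mistake in a web.config before WIF reports WIF10201: it parses the <issuerNameRegistry> fragment, flags any non-printable character in a key thumbprint (the sample assumes the invisible character is U+200E LEFT-TO-RIGHT MARK; the post does not name it), checks that 40 hex digits remain and that they are uppercase (a commenter on this post reports that lowercase entries fail), and emits the fragment with each thumbprint normalized. The namespace and thumbprint values are copied from the post into a constructed sample config.

```python
import re
import unicodedata
import xml.etree.ElementTree as ET

# Constructed sample web.config fragment (not the post's own file): the first
# thumbprint carries a leading U+200E LEFT-TO-RIGHT MARK, assumed here to be
# the invisible character that comes along when copying from the MMC
# certificates snap-in; the second is the same thumbprint in lowercase.
SAMPLE_CONFIG = """<configuration>
  <system.identityModel>
    <identityConfiguration>
      <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
        <authority name="https://imtiazhnamespace.accesscontrol.windows.net/">
          <keys>
            <add thumbprint="\u200e9DFF02F5DF0F9346CA9E9EFA7BF7D14BF99DE1EA" />
            <add thumbprint="9dff02f5df0f9346ca9e9efa7bf7d14bf99de1ea" />
          </keys>
          <validIssuers>
            <add name="https://imtiazhnamespace.accesscontrol.windows.net/" />
          </validIssuers>
        </authority>
      </issuerNameRegistry>
    </identityConfiguration>
  </system.identityModel>
</configuration>
"""


def hidden_characters(value):
    """List (index, 'U+XXXX NAME') for every character outside printable ASCII."""
    return [(i, "U+%04X %s" % (ord(ch), unicodedata.name(ch, "UNKNOWN")))
            for i, ch in enumerate(value) if not 0x20 <= ord(ch) < 0x7F]


def normalize_thumbprint(value):
    """Keep only hex digits (drops marks, spaces, colons) and uppercase them."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def check_thumbprint(value):
    """Return human-readable problems with a thumbprint as written in config.

    An empty list means the value is a clean 40-digit uppercase SHA-1 hex string.
    """
    problems = []
    for index, description in hidden_characters(value):
        problems.append("hidden character %s at index %d" % (description, index))
    visible = "".join(ch for ch in value if 0x20 <= ord(ch) < 0x7F)
    if re.search(r"[^0-9A-Fa-f]", visible):
        problems.append("contains characters that are not hex digits")
    digits = len(normalize_thumbprint(value))
    if digits != 40:
        problems.append("%d hex digits, a SHA-1 thumbprint has 40" % digits)
    if visible != visible.upper():
        problems.append("lowercase hex digits; a commenter reports WIF10201 for lowercase entries")
    return problems


def audit_issuer_name_registry(config_xml):
    """Check every <keys><add thumbprint=...> under each <authority>."""
    root = ET.fromstring(config_xml)
    report = []
    for authority in root.iter("authority"):
        for add in authority.findall("keys/add"):
            raw = add.get("thumbprint", "")
            report.append({
                "authority": authority.get("name"),
                "as_written": raw,
                "clean": normalize_thumbprint(raw),
                "problems": check_thumbprint(raw),
            })
    return report


def fix_config(config_xml):
    """Return the config text with every key thumbprint normalized in place."""
    root = ET.fromstring(config_xml)
    for keys in root.iter("keys"):
        for entry in keys.findall("add"):
            entry.set("thumbprint", normalize_thumbprint(entry.get("thumbprint", "")))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for entry in audit_issuer_name_registry(SAMPLE_CONFIG):
        status = "OK" if not entry["problems"] else "; ".join(entry["problems"])
        print("%s -> %s: %s" % (entry["authority"], entry["clean"], status))
    print(fix_config(SAMPLE_CONFIG))
```

Run it against a real web.config by reading the file into `audit_issuer_name_registry`; the `hidden character U+200E ...` line is the one that would have saved the troubleshooting time described above, since the character is invisible in Visual Studio but shows up by code point here.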
Comments
- Anonymous
September 05, 2014
Thank you!!!! I couldn't figure out what was wrong with mine and it was an invisible character in the thumbprint copied from the certificate details screen.
- Anonymous
September 25, 2014
Thank you very much :)
- Anonymous
December 23, 2014
I had the same issue, but unfortunately updating the thumbprint does not help me. I added it manually and confirmed that the thumbprint is correct but no joy. Funny thing is that at one point this server worked, but it has gone dead. I also confirmed that the certificate is valid and it is just fine. The certificate is from a public trusted authority and is good until 2016. Know of anything else that might cause this issue?
- Anonymous
December 12, 2016
Did you enter the thumbprint with uppercase letters? It will fail with lowercase letters (even if the thumbprint otherwise matches).