Wednesday, April 03, 2013

ADFS : ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry


The full error is:

ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.

So there I was happily using my claims-enabled application until one fine autumn morning – WHAM – I get the above error.
WTF?
This error means (to quote Common Windows Identity Foundation WS-Federation Exceptions Explained) that:
“Security tokens are signed by the issuer (the IP-STS). This issuer is validated by the relying party so that the RP can be sure the tokens have been issued from a trusted source. The relying party’s WIF configuration contains an <issuerNameRegistry> element where the settings for the issuer’s signature are stored. This exception means that the configuration contained under the issuer name registry does not match the signature of the security token.”
Then I noticed that my ADFS has certificate rollover enabled and yes – you guessed it – my certificates had rolled over over the weekend.
The section in the web.config looks like:
<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.
ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, 
Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="xxx" name="http://yyy/adfs/services/trust"/>
        </trustedIssuers>
</issuerNameRegistry>

So you need to get the thumbprint of the new ADFS token-signing primary certificate and update the web-config with it.


Enjoy!

7 comments:

Anonymous said...

This solved my issue in a K2 blackpearl claims environment setup.

You'll find the certificates thumbprint by typing the following in a Windows PowerShell:
Add-PSSnapin Microsoft.Adfs.PowerShell
Get-ADFSCertificate

I also inserted the new certificate's thumbprint into K2HostServer.exe.Config, but I'm not sure if it necessary.

Anonymous said...

Hi Anon,

I'm also configuring Claims for my K2 Blackpearl but did not use ADFS. Form based authentication (LDAP) is working. I already add the entry in xml in K2Hostserver.exe.config but still encountering this error. Hope you can help me on this one. Thank you.

nzpcmad said...

Sorry - I have no experience with using K2 Blackpearl

Jerry Ren said...

hi there,


we encountered the same problem recently. Thank you for your solution.


Just wondering is there any way to automatically handle certificate roll over? I asked our IT guys, they told me there is no way for them to inform us when certificate is about to roll over unless monitor it on yearly basis.

We are going to integrate with many clients in the future, it's going to be such a hassle for me to manually update thumbprint.


Thanks in advance


regards
Jerry

Jerry Ren said...

hi there,


we encountered the same problem recently. Thank you for your solution.


Just wondering is there any way to automatically handle certificate roll over? I asked our IT guys, they told me there is no way for them to inform us when certificate is about to roll over unless monitor it on yearly basis.

We are going to integrate with many clients in the future, it's going to be such a hassle for me to manually update thumbprint.


Thanks in advance


regards
Jerry

nzpcmad said...

http://www.cloudidentity.com/blog/2015/02/05/the-keys-they-are-a-rollin/

Unknown said...

Thank you very much! You save me too much time.

Explained simple and direct. Great!!