Tuesday, September 15, 2015

WIF : ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry

You see this error a lot, and there are a zillion entries on the Internet about how to fix it.

This relates to the certificate details in the web.config, i.e. this entry (the thumbprint here is a placeholder):

    <trustedIssuers>
      <add thumbprint="0659B14B1AB76A495V53998E45986C7610294207" name="http://xxx/adfs/services/trust" />
    </trustedIssuers>

The normal causes (according to the searches) are:

  • You cannot copy and paste the thumbprint straight out of the "Certificate Details" dialog because it carries hidden characters (the usual culprit is a left-to-right mark, U+200E, at the start of the copied value)
  • You must make the letters all capital
  • You must delete the surrounding quotes in the web.config as well when you paste, and then retype them

And some others too ridiculous to mention.

I've found that the first one is the main reason. Copy the thumbprint into something like Notepad, remove the spaces between the two-character groups, and then paste it into the web.config.

Came across a weird problem recently. I did all the above and still kept getting the error. WTF?

I go back to VS 2010 and run FedUtil. It now suddenly works. I look in the web.config and see another entry. Aha - certificate rollover.

During the rollover period there are actually two token-signing certificates, a primary and a secondary, and AD FS publishes both in its federation metadata. The safest way is to put both in the web.config, i.e. two "add thumbprint" entries under trustedIssuers, and to drop the retired thumbprint once AD FS has promoted the secondary and the rollover is finished.
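The following is an added example (not code from the original post) that covers both points above: it cleans a thumbprint pasted from the certificate dialog the way the checklist describes, and it reads every signing certificate out of an AD FS FederationMetadata.xml (the real one lives at https://<your adfs host>/FederationMetadata/2007-06/FederationMetadata.xml) so that both rollover certificates end up in trustedIssuers. It assumes Python 3.9+; the metadata document and the base64 blobs in it are constructed placeholders, not real certificates, and the issuer name is the placeholder from the post.

```python
"""Added example: build a WIF <trustedIssuers> block from AD FS signing
certificates, handling copy/paste debris and certificate rollover.
Not code from the original post."""
from __future__ import annotations

import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Characters the Windows certificate dialog (or a browser) can smuggle into a
# copied thumbprint: U+200E is the left-to-right mark that starts the copied
# value; the rest are other invisible / whitespace-like code points.
_INVISIBLE = {"\u200e", "\u200f", "\u200b", "\u00a0", "\ufeff"}
_HEX40 = re.compile(r"^[0-9A-F]{40}$")

_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
_DS = "http://www.w3.org/2000/09/xmldsig#"


def normalize_thumbprint(raw: str) -> str:
    """Return a thumbprint as WIF wants it: 40 upper-case hex digits, nothing else.

    Whitespace, the invisible marks above and stray quotes are dropped.  Anything
    that is still not a hex digit is reported rather than silently removed, so a
    mistyped character (an 'O' for a '0', say) cannot turn into a 39-char string.
    """
    cleaned = "".join(
        ch for ch in raw
        if not ch.isspace() and ch not in _INVISIBLE and ch not in "\"'"
    ).upper()
    if not _HEX40.match(cleaned):
        bad = sorted({ch for ch in cleaned if ch not in "0123456789ABCDEF"})
        raise ValueError(
            f"not a SHA-1 thumbprint after cleanup ({len(cleaned)} chars, "
            f"non-hex {bad}): {cleaned!r}"
        )
    return cleaned


def signing_thumbprints(metadata_xml: str) -> list[str]:
    """SHA-1 thumbprints of every signing certificate in federation metadata.

    During rollover that is two (primary and secondary).  A thumbprint is SHA-1
    over the DER bytes, i.e. over the decoded <ds:X509Certificate> payload, so no
    certificate parsing is needed.
    """
    root = ET.fromstring(metadata_xml)
    found: list[str] = []
    for kd in root.iter(f"{{{_MD}}}KeyDescriptor"):
        # use="encryption" keys are not token-signing keys; an absent 'use'
        # means the key serves both purposes.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iter(f"{{{_DS}}}X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()))
            thumb = hashlib.sha1(der).hexdigest().upper()
            if thumb not in found:  # the same cert appears under several role descriptors
                found.append(thumb)
    return found


def trusted_issuers_xml(issuer_name: str, thumbprints) -> str:
    """Render the web.config <trustedIssuers> block, one <add> per certificate."""
    name = escape(issuer_name, {'"': "&quot;"})
    lines = ["<trustedIssuers>"]
    for raw in thumbprints:
        lines.append(f'  <add thumbprint="{normalize_thumbprint(raw)}" name="{name}" />')
    lines.append("</trustedIssuers>")
    return "\n".join(lines)


# Constructed sample metadata: these byte strings stand in for DER certificates.
PRIMARY_DER = b"placeholder DER bytes: primary token-signing certificate"
SECONDARY_DER = b"placeholder DER bytes: secondary token-signing certificate"
ENCRYPTION_DER = b"placeholder DER bytes: token-decrypting certificate"


def _x509(der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    return (f"<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64}"
            f"</ds:X509Certificate></ds:X509Data></ds:KeyInfo>")


SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{_MD}" xmlns:ds="{_DS}"
    entityID="http://xxx/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">{_x509(PRIMARY_DER)}</KeyDescriptor>
    <KeyDescriptor use="signing">{_x509(SECONDARY_DER)}</KeyDescriptor>
    <KeyDescriptor use="encryption">{_x509(ENCRYPTION_DER)}</KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""


if __name__ == "__main__":
    # A thumbprint as it arrives from the dialog: leading U+200E, quoted, spaced, lower-case.
    pasted = '\u200e"a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 12 34 56 78"'
    print(normalize_thumbprint(pasted))
    print(trusted_issuers_xml("http://xxx/adfs/services/trust",
                              signing_thumbprints(SAMPLE_METADATA)))
```

The metadata does not say which of the two signing certificates is currently primary, which is exactly why both belong in web.config during rollover; once AD FS has promoted the secondary, regenerate the block from the current metadata and the retired thumbprint disappears on its own.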

Enjoy!
  
