Microsoft Azure Cloud Integration Engineering

(Compute, Cache, Storage, ACS, Service Bus, WebSites, VMs, SQL Azure, Data Sync, Import Export)

Errors ID4175 and WIF10201 in context of ACS

The purpose of this blog post is to present a couple of error messages I ran into while setting up single sign-on from Active Directory to a web application using Windows Azure Access Control Service (ACS).

I configured my Microsoft Active Directory Federation Services (AD FS) 2.0 server as an identity provider and set up my web application as a relying party application in ACS.

http://msdn.microsoft.com/en-us/library/windowsazure/gg429779.aspx and http://msdn.microsoft.com/en-us/library/windowsazure/gg185961.aspx are good references for this.

I am using a self-signed certificate in ACS for token signing, and I configured the certificate in the management portal for my ACS namespace as shown below.

[Screenshot: the token signing certificate configured for the ACS namespace in the management portal]

I added the necessary sections in the <system.identityModel> section of the web.config file for the web application to integrate with ACS.

Now when I run my web application, I get redirected to the ACS login page. I select my AD FS identity provider, provide the credentials for my AD user, and get this error:

[SecurityTokenException: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.]
   System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ValidateToken(SecurityToken token)
   System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
   System.IdentityModel.Services.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
   System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request)
   System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Since I am using a self-signed certificate, I added the following to the <identityConfiguration> section within <system.identityModel> to get past the error (the thumbprint is that of the ACS token signing certificate):

<system.identityModel>
  <identityConfiguration>
    <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
      <authority name="https://imtiazhnamespace.accesscontrol.windows.net/">
        <keys>
          <add thumbprint="9DFF02F5DF0F9346CA9E9EFA7BF7D14BF99DE1EA" />
        </keys>
        <validIssuers>
          <add name="https://imtiazhnamespace.accesscontrol.windows.net/" />
        </validIssuers>
      </authority>
    </issuerNameRegistry>
  </identityConfiguration>
</system.identityModel>

Now when I run the application, I get the following error, which had me stumped, because the thumbprint in my web.config does match the thumbprint of my token signing certificate in ACS.

[SecurityTokenValidationException: WIF10201: No valid key mapping found for securityToken: 'System.IdentityModel.Tokens.X509SecurityToken' and issuer: 'https://imtiazhnamespace.accesscontrol.windows.net/'.]
   System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ValidateToken(SecurityToken token)
   System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
   System.IdentityModel.Services.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
   System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request)
   System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

It turned out that when I pasted the thumbprint value into Visual Studio from the Certificates snap-in, an extra (invisible) Unicode character was copied along with it, so the string no longer matched the certificate's thumbprint.

The following KB article talks about it. When I tried saving the value in Notepad, it reported that the document contains Unicode characters.

http://support.microsoft.com/kb/2023835

[Screenshot: Notepad warning that the file contains characters in Unicode format]

I then deleted the first (invisible) character and got it to work.
I could also have copied the thumbprint from the Azure management portal (the first screenshot above) and not run into this, but I happened to have the same certificate installed on my web server, so I chose to copy it from the MMC snap-in and inadvertently spent some time troubleshooting it :)
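As an added example (not code from this post), here is a small Python audit that loads a web.config fragment, finds every thumbprint under <issuerNameRegistry>, flags any character that is not a hex digit by its Unicode code point and name, and compares the cleaned value with the certificate thumbprint shown in the ACS portal. The sample fragment is constructed from the configuration above; the invisible character is assumed to be U+200E (left-to-right mark), which is what the snap-in copies in my experience, but the check reports whatever non-hex character it finds.

```python
import unicodedata
import xml.etree.ElementTree as ET

HEX_DIGITS = set("0123456789abcdefABCDEF")

# Constructed web.config fragment modelled on the post: the thumbprint carries a
# leading U+200E (LEFT-TO-RIGHT MARK), the invisible character assumed to ride
# along when the value is copied out of the certificates snap-in.
SAMPLE_CONFIG = (
    '<system.identityModel><identityConfiguration>'
    '<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, '
    'System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">'
    '<authority name="https://imtiazhnamespace.accesscontrol.windows.net/">'
    '<keys><add thumbprint="\u200e9DFF02F5DF0F9346CA9E9EFA7BF7D14BF99DE1EA" /></keys>'
    '<validIssuers><add name="https://imtiazhnamespace.accesscontrol.windows.net/" /></validIssuers>'
    '</authority></issuerNameRegistry></identityConfiguration></system.identityModel>'
)


def check_thumbprint(value):
    """Return (ok, cleaned, problems) for one thumbprint attribute value.
    WIF compares the configured string with the certificate's hex thumbprint,
    so any non-hex character (space, colon, or an invisible format character
    such as U+200E) means no key mapping is found (WIF10201)."""
    problems = ["offset %d: U+%04X %s" % (pos, ord(ch), unicodedata.name(ch, "<unnamed>"))
                for pos, ch in enumerate(value) if ch not in HEX_DIGITS]
    cleaned = "".join(ch for ch in value if ch in HEX_DIGITS).upper()
    ok = not problems and len(value) == 40  # SHA-1 thumbprint: 20 bytes = 40 hex digits
    return ok, cleaned, problems


def audit_issuer_name_registry(config_xml, expected_thumbprint):
    """Audit every <keys><add thumbprint=...> below <issuerNameRegistry> and
    report, per key, whether it is clean and whether the cleaned value equals
    the certificate thumbprint shown in the ACS portal (case-insensitive)."""
    root = ET.fromstring(config_xml)
    results = []
    for authority in root.iter("authority"):
        for add in authority.findall("keys/add"):
            ok, cleaned, problems = check_thumbprint(add.get("thumbprint", ""))
            results.append({
                "authority": authority.get("name"),
                "ok": ok,
                "cleaned": cleaned,
                "problems": problems,
                "matches_certificate": cleaned == expected_thumbprint.upper(),
            })
    return results
```

Run it against the real web.config and the thumbprint from the portal: a row with "ok" false but "matches_certificate" true is exactly the copy-and-paste case described above, and "problems" names the offending character.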

Comments
  • Thank you!!!! I couldn't figure out what was wrong with mine, and it was an invisible character in the thumbprint copied from the certificate details screen.
