The purpose of this blog post is to present a couple of error messages I ran into while setting up Single Sign-on from Active Directory to a web application using Windows Azure Access Control Service (ACS).
I configured my Microsoft Active Directory Federation Services (AD FS) 2.0 server as an Identity Provider and set up my web application as a relying party application in ACS.
http://msdn.microsoft.com/en-us/library/windowsazure/gg429779.aspx and http://msdn.microsoft.com/en-us/library/windowsazure/gg185961.aspx are good references for this.
I am using a self-signed certificate in ACS for Token Signing and I configured the certificate in the management portal for my ACS namespace as shown below.
I added the necessary sections in the <system.identityModel> section of the web.config file for the web application to integrate with ACS.
Now when I run my web application, I get redirected to the ACS login page, select my AD FS identity provider, provide the credentials for my AD user, and get this error:
[SecurityTokenException: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.]
System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ValidateToken(SecurityToken token)
System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
System.IdentityModel.Services.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request)
System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Since I am using a self-signed certificate, I added the following to the <identityConfiguration> section within <system.identityModel> to get past the error.
    <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
      <authority name="https://imtiazhnamespace.accesscontrol.windows.net/">
        <keys>
          <add thumbprint="9DFF02F5DF0F9346CA9E9EFA7BF7D14BF99DE1EA" />
        </keys>
        <validIssuers>
          <add name="https://imtiazhnamespace.accesscontrol.windows.net/" />
        </validIssuers>
      </authority>
    </issuerNameRegistry>
  </identityConfiguration>
</system.identityModel>
Now when I run the application, I get the following error, which had me stumped, because the thumbprint in my web.config does match the thumbprint of my token signing certificate in ACS.
[SecurityTokenValidationException: WIF10201: No valid key mapping found for securityToken: 'System.IdentityModel.Tokens.X509SecurityToken' and issuer: 'https://imtiazhnamespace.accesscontrol.windows.net/'.]
System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ValidateToken(SecurityToken token)
System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
System.IdentityModel.Services.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request)
System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
It turned out that when I pasted the thumbprint value into Visual Studio from the Certificates snap-in, an extra (invisible) Unicode character got copied along with it, so the certificate’s thumbprint did not match.
The following KB article talks about it. I tried saving the value in Notepad, and it does warn that the document contains Unicode characters.
I then deleted the first invisible character and got it to work.
I could have also copied the thumbprint from the Azure management portal (the first snapshot above) and not run into this, but I happened to have the same certificate installed on my web server, so I chose to copy from the MMC and inadvertently spent some time troubleshooting it :)
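As an added check (not part of the original post or of WIF), the following Python script audits the thumbprint attributes in an issuerNameRegistry section and names every character that is not a hex digit, then shows the cleaned value. The sample is the config above with a LEFT-TO-RIGHT MARK (U+200E) prepended to the thumbprint as a constructed stand-in for the stray character the snap-in copies along.

```python
import re
import unicodedata
import xml.etree.ElementTree as ET

# Constructed sample: the page's issuerNameRegistry section, with an invisible
# LEFT-TO-RIGHT MARK (U+200E) prepended to the thumbprint to stand in for the
# hidden character that came along when pasting from the Certificates snap-in.
SAMPLE_CONFIG = """<identityConfiguration>
  <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
    <authority name="https://imtiazhnamespace.accesscontrol.windows.net/">
      <keys>
        <add thumbprint="\u200e9DFF02F5DF0F9346CA9E9EFA7BF7D14BF99DE1EA" />
      </keys>
      <validIssuers>
        <add name="https://imtiazhnamespace.accesscontrol.windows.net/" />
      </validIssuers>
    </authority>
  </issuerNameRegistry>
</identityConfiguration>
"""

HEX_DIGITS = "0123456789abcdefABCDEF"
# An X.509 thumbprint is the SHA-1 of the DER encoding: exactly 40 hex digits.
THUMBPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")


def find_bad_chars(value):
    """Return (offset, 'U+XXXX NAME') for every character that is not a hex digit."""
    return [(i, "U+%04X %s" % (ord(ch), unicodedata.name(ch, "UNKNOWN")))
            for i, ch in enumerate(value) if ch not in HEX_DIGITS]


def normalize_thumbprint(value):
    """Drop anything that is not a hex digit (hidden marks, spaces, colons) and upper-case."""
    return "".join(ch for ch in value if ch in HEX_DIGITS).upper()


def audit_thumbprints(config_xml):
    """Inspect every <add thumbprint="..."> element and report validity, offenders and the cleaned value."""
    root = ET.fromstring(config_xml)
    report = []
    for add in root.iter("add"):
        raw = add.get("thumbprint")
        if raw is None:          # <add name="..."> under <validIssuers> has no thumbprint
            continue
        report.append({
            "raw": raw,
            "valid": bool(THUMBPRINT_RE.match(raw)),
            "bad_chars": find_bad_chars(raw),
            "normalized": normalize_thumbprint(raw),
        })
    return report


if __name__ == "__main__":
    for entry in audit_thumbprints(SAMPLE_CONFIG):
        print("valid:", entry["valid"], "offending:", entry["bad_chars"])
        print("use this value instead:", entry["normalized"])
```

Run it against a saved web.config when WIF10201 appears with a thumbprint that "looks" right; the invisible character shows up by name and offset.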