Last post Jan 09, 2014 10:41 PM by BrockAllen
Jan 08, 2014 08:36 PM|RahmanHadi|LINK
I need your help on how to configure the MVC application so it can accept the encrypted SAML token returned by ADFS.
As background, I use ADFS as an identity provider in an MVC web app and it works well whenever I register the MVC app as a relying party without an encryption certificate.
After I add an encryption certificate in the "Relying party" of ADFS, an exception says "ID4036: The key needed to decrypt the encrypted security token could not be resolved from the following security key identifier".
I tried to change the web.config
<certificateReference x509FindType="FindBySubjectDistinguishedName" findValue="CN=xxx.xxxx.com" />
but it still doesn't work.
Jan 09, 2014 12:07 AM|BrockAllen|LINK
Do you have read access to the private key? This is a common configuration problem.
Jan 09, 2014 09:51 AM|RahmanHadi|LINK
Thanks for replying. Yes, I am sure that it has access to the private key of the certificate that I put in ADFS - Relying Party - encryption tab; I even gave Everyone access to both of them on the RP server and the ADFS server. Here is the web.config I have and also the additional error detail; could you please review? Thanks.
<add value="https://DevServer.com/Tutorial/" />
<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
<add thumbprint="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" />
<add name="http://adfs-dev.com/adfs/services/trust" />
<certificateValidation certificateValidationMode="None" />
<cookieHandler requireSsl="false" />
<wsFederation passiveRedirectEnabled="true" issuer="https://adfs-dev.com/adfs/ls/" realm="https://DevServer.com/Tutorial/" requireHttps="false" />
<certificateReference x509FindType="FindByThumbprint" findValue="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" storeLocation="LocalMachine" />
Additional Error Info:
Ensure that the SecurityTokenResolver is populated with the required key.
at System.IdentityModel.Tokens.EncryptedSecurityTokenHandler.ReadToken(XmlReader reader)
at System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
at System.IdentityModel.Services.TokenReceiver.ReadToken(String tokenXml, XmlDictionaryReaderQuotas readerQuotas, FederationConfiguration federationConfiguration)
Jan 09, 2014 10:17 AM|BrockAllen|LINK
Well, what I meant was -- does the RP have access to the private key on its machine (not the ADFS machine)? The STS (ADFS) only needs access to the public key (and thus the .cer you configured in ADFS) because the token is being encrypted with the RP's public key. As such, the RP, when it gets the token, needs to decrypt it and it needs the private key from the .pfx you installed into the certificate store on the RP's machine. And in there the RP's identity needs to have access to the private key (again, as configured in the certificate store MMC).
Encryption is really optional, BTW, with WS-Fed, since you already should be using SSL/HTTPS.
Jan 09, 2014 10:05 PM|RahmanHadi|LINK
Yes, I did that already. Finally I found the problem... it is funny... the only problem is that if we copy the value of the thumbprint from "certificate view" and paste it into web.config directly, then it has an unknown character "??" in front of the thumbprint. We can see that if we copy the value using Notepad++. After I removed it and cleaned up the code in Notepad++, then magic happened... everything works... :)
Thanks Allen, and also thanks to Guish for the post in: http://stackoverflow.com/questions/3242959/cannot-find-a-unique-certificate-that-matches-the-criteria
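The two failure modes discussed in this thread (a thumbprint that carries an invisible character copied from the certificate dialog, and a private key the RP's process identity cannot read) can both be checked in-process before touching the WIF configuration. The following diagnostic is an added example written for this thread, not code from either poster or from the WIF/ADFS product. It assumes the encryption certificate lives in LocalMachine\My, that the thumbprint is SHA-1 (40 hex digits), and, as a widely reported cause of the "??" prefix, that the hidden character is the Unicode left-to-right mark (U+200E) the certificate viewer prepends on copy; the normalizer simply drops every non-hex character so it does not depend on which one it is.

```csharp
// Added diagnostic for the RP side; not part of the original thread.
// Target: .NET Framework 4.5+ (System.IdentityModel / WIF era).
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class RpCertificateCheck
{
    // Keeps only hex digits: strips the spaces shown in the MMC thumbprint field
    // and invisible characters such as U+200E that a copy/paste can prepend
    // (the "??" the thread describes). Returns upper-case, 40 hex digits.
    public static string NormalizeThumbprint(string raw)
    {
        if (raw == null) throw new ArgumentNullException("raw");
        var sb = new StringBuilder(raw.Length);
        foreach (char c in raw)
        {
            if (Uri.IsHexDigit(c)) sb.Append(char.ToUpperInvariant(c));
        }
        if (sb.Length != 40)
            throw new FormatException("SHA-1 thumbprint must be 40 hex digits, got " + sb.Length);
        return sb.ToString();
    }

    // Locates the certificate the way WIF's FindByThumbprint does and reports
    // whether the *current process identity* can open its private key.
    public static string Describe(string rawThumbprint)
    {
        string thumbprint = NormalizeThumbprint(rawThumbprint);
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly:false so a self-signed or expired test certificate is still found.
            X509Certificate2Collection matches =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (matches.Count == 0)
                return "not found in LocalMachine\\My: " + thumbprint;

            X509Certificate2 cert = matches[0];
            if (!cert.HasPrivateKey)
                return "found, but the store entry has no private key (import the .pfx, not the .cer)";

            try
            {
                // Reading PrivateKey forces the CSP/KSP to open the key container;
                // this is the step that fails when the identity lacks read access,
                // which WIF then surfaces as ID4036 at token decryption time.
                AsymmetricAlgorithm key = cert.PrivateKey;
                return "OK: private key readable as " + Environment.UserName +
                       " (" + key.KeySize + "-bit key)";
            }
            catch (CryptographicException ex)
            {
                return "private key present but not readable as " + Environment.UserName +
                       ": " + ex.Message;
            }
        }
        finally
        {
            store.Close();
        }
    }
}
```

Call `RpCertificateCheck.Describe(...)` from a throw-away controller action or startup log line so that it runs under the IIS application pool identity rather than your own account; a result of "not found" with a pasted thumbprint that looks correct is the hidden-character case, and "not readable" is the private key ACL case from Brock's reply. Pass the normalized value, not the raw paste, into the `certificateReference` element.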
Jan 09, 2014 10:41 PM|BrockAllen|LINK
Oh yea -- I didn't even think to mention that issue. Yep, we've been asking Microsoft to fix that bug for some time... but they don't.