Configuring ASP.NET MVC 4 to work with Azure's ACS and Microsoft's new System.IdentityModel.Tokens.Jwt Library

Question

How do you integrate version 1.0.0 of the new JWT handler library (System.IdentityModel.Tokens.Jwt) into a ASP.NET MVC 4 application to process the Azure's JWT token from ACS?

I'm receiving the following error when I try to run my application:

[SecurityTokenValidationException: Jwt10329: Unable to validate signature, Configuration.IssuerTokenResolver.ResolveToken returned null. jwt.Header.SigningKeyIdentifier: 'SecurityKeyIdentifier ( IsReadOnly = False, Count = 2, Clause[0] = X509ThumbprintKeyIdentifierClause(Hash = 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX), Clause[1] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause ) '.] System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(JwtSecurityToken jwt) +1275
System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateToken(JwtSecurityToken jwt) +113
System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateToken(SecurityToken token) +339
System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token) +73
System.IdentityModel.Services.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri) +120
System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request) +493
System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +364
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +136 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +69

My web.config is configured as such:

<system.identityModel>

    <identityConfiguration>
      <audienceUris>
        <add value="http://127.0.0.1:81/" />
      </audienceUris>

      <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
        <trustedIssuers>
                  <add thumbprint="PRIVATEKEY"
                     name="https://CUSTOM.accesscontrol.windows.net/" />
        </trustedIssuers>
      </issuerNameRegistry>

      <securityTokenHandlers>
        <add type="System.IdentityModel.Tokens.JwtSecurityTokenHandler, System.IdentityModel.Tokens.Jwt" />
        <securityTokenHandlerConfiguration>
          <certificateValidation certificateValidationMode="PeerTrust" />
        </securityTokenHandlerConfiguration>
        <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      </securityTokenHandlers>

    </identityConfiguration>

  </system.identityModel>

  <system.identityModel.services>
    <federationConfiguration>
      <cookieHandler requireSsl="false" />
      <wsFederation passiveRedirectEnabled="false" issuer="https://staging.accesscontrol.windows.net/v2/wsfederation" realm="http://127.0.0.1:81/" requireHttps="false" />
    </federationConfiguration>

  </system.identityModel.services>

I have setup Azure ACS to return a JWT token and have set the correct security thumbnail in the web.config, but I am stumped why this error is happening. Any insights?

Answer 1

I ran into the same issue. With JWT the web app needs to know something about the issuer in order to validate the token. The X509 certificate is missing from the JWT and needs to be available in the certificate store. Vittorio B. describes the issue and the steps to address it here in the 'Using the JWT Handler in WIF Applications' section.

Answer 2

I was able to resolve the issue by creating a new x.509 certificate and uploading it to Azure ACS as my primary X.509 certificate and then installing it on my local machine's credential store.

I followed these instructions to create the certificate:

http://blogs.msdn.com/b/cclayton/archive/2012/03/21/windows-azure-and-x509-certificates.aspx

I used the makecert command to generate the certificate (make sure to add your own namespace)

makecert.exe -r -pe -a sha1 -n "CN=YOURNAMESPACE.accesscontrol.windows.net" -ss My -sr CurrentUser -len 2048 -sky exchange -sy 24

I then exported the certificate as both a PFX and CER file, using certmgr.mcs.

I imported the PFX file into my Azure ACS (using the management portal). Once this was completed I copied the new thumbnail and pasted it over the old value in my web.config file

Finally, I installed the CER file into my certificate store as documented in this blog post:

http://www.cloudidentity.com/blog/2012/11/20/introducing-the-developer-preview-of-the-json-web-token-handler-for-the-microsoft-net-framework-4-5-2/

The text of interest in the above blog post is the following text:

.CER. Double-click on the file, hit the “Install Certificate…” button, choose Local Machine, Trusted People, and you’re in business.

Everything now works. Hope this works for you too. IF you need more help just ask and I will try to point in you in the right direction