12

I am trying to implement a simple STS web site alongside my MVC application in a development environment. I was able to get this working properly on my local machine. I would navigate to my MVC app, get kicked out to the STS web application, log in, then be redirected back to my MVC app. This is not using ADFS, by the way.

When I migrated this to my development environment, I see similar activity, but I get the error below when I log in. I have checked about 20 times that my thumbprint in the MVC app is exactly the same as the cert's.

(The login is working fine as I don't get redirected until the authentication succeeds.)

Any guesses?

Error message I receive:

ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer

web.config from STS website:

<appSettings>
  <add key="IssuerName" value="STSTestCert"/>
  <add key="SigningCertificateName" value="CN=STSTestCert"/>
  <add key="EncryptingCertificateName" value=""/>
</appSettings>

web.config from MVC application:

<microsoft.identityModel>
  <service>
    <audienceUris>
      <add value="http://localhost/" />
    </audienceUris>
    <federatedAuthentication>
      <wsFederation passiveRedirectEnabled="true" issuer="http://localhost:57543/mySTS/" realm="http://localhost/" requireHttps="false" />
      <cookieHandler requireSsl="false" />
    </federatedAuthentication>
    <applicationService>
      <claimTypeRequired>
        <!--Following are the claims offered by STS 'http://localhost:57543/mySTS/'. Add or uncomment claims that you require by your application and then update the federation metadata of this application.-->
        <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true" />
        <claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="true" />
      </claimTypeRequired>
    </applicationService>
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <trustedIssuers>
        <add thumbprint="‎11111" name="http://localhost:57543/mySTS/" />
      </trustedIssuers>
    </issuerNameRegistry>
  </service>
</microsoft.identityModel>
tereško
shenn

3 Answers

23

Copying your thumbprint adds hidden Unicode characters. Try typing it in.

5

As MJCoffman mentioned, it is most probably because you copied the thumbprint with hidden characters. You can find more details here.

k0stya
    From the given link: "When using certificates snap-in and certificate GUI, do NOT copy "extra space" that appears before the certificate thumbprint from the Richedit control." – arni Oct 07 '15 at 13:42
0

In my case the problem was also that copying the thumbprint and pasting it was adding some characters that a regular text editor does not show. I found the following instructions very useful for removing the special characters (look at #4). Posted by Edwin Guru Singh.

Do this to get rid of the special characters using Visual Studio:

  1. Close the web.config.
  2. Right-click on it and open it with the binary editor.
  3. Find where the thumbprint is and delete the additional characters (everything that is not a hex digit, usually shown as dots).
  4. Save and try again; it should work.
Miguel
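Added example, not code from the question or from any of the answers: a small Python check that automates what the accepted answer diagnoses and what the binary-editor steps above fix by hand. It parses a web.config, lists every non-hex code point hiding inside a trustedIssuers thumbprint, and produces the cleaned value to type back in. The config string and the thumbprint hex are constructed for the demonstration.

```python
import re
import unicodedata
import xml.etree.ElementTree as ET

# Constructed sample modelled on the MVC web.config in the question: the pasted
# thumbprint carries a leading U+200E LEFT-TO-RIGHT MARK (the "extra space" the
# certificate snap-in emits) and a trailing U+200B ZERO WIDTH SPACE. The hex
# digits themselves are made up and belong to no real certificate.
SAMPLE_CONFIG = (
    '<microsoft.identityModel><service>'
    '<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry">'
    '<trustedIssuers>'
    '<add thumbprint="\u200e0123456789abcdef0123456789abcdef01234567\u200b" '
    'name="http://localhost:57543/mySTS/" />'
    '</trustedIssuers></issuerNameRegistry></service></microsoft.identityModel>'
)

HEX_DIGIT = re.compile(r"[0-9A-Fa-f]")
SHA1_THUMBPRINT = re.compile(r"^[0-9A-F]{40}$")  # WIF expects 40 hex chars, no spaces


def audit_thumbprints(config_xml):
    """Return one record per <add thumbprint="..."> entry.

    Each record holds the issuer name, the raw attribute value, a list of the
    stray (non-hex) code points with their Unicode names, and the cleaned
    thumbprint, or None when stripping does not leave a well-formed SHA-1
    thumbprint (for example the asker's '11111' placeholder).
    """
    root = ET.fromstring(config_xml)
    findings = []
    for add in root.iter("add"):
        raw = add.get("thumbprint")
        if raw is None:          # <audienceUris><add value=.../> etc. have no thumbprint
            continue
        stray = [f"U+{ord(c):04X} {unicodedata.name(c, '?')}"
                 for c in raw if not HEX_DIGIT.match(c)]
        cleaned = "".join(c for c in raw if HEX_DIGIT.match(c)).upper()
        findings.append({
            "name": add.get("name"),
            "raw": raw,
            "stray": stray,
            "cleaned": cleaned if SHA1_THUMBPRINT.match(cleaned) else None,
        })
    return findings


if __name__ == "__main__":
    for f in audit_thumbprints(SAMPLE_CONFIG):
        print(f["name"], "stray:", f["stray"], "cleaned:", f["cleaned"])
```

Compare the cleaned value against the thumbprint the certificate snap-in shows for the STS signing cert; if it matches and the error persists, the problem is not the hidden characters.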