Error ID4175 and ConfigurationBasedIssuerNameRegistry

    Question

  • I find myself at somewhat of an impasse at the moment. I have an ASP.Net 4.0 app as my RP and a Passive STS based on the sample built by FedUtil, all very simple stuff.

    When I browse to my app I'm redirected to my STS, I can then log on and am sent back to my app, where I'm faced with this error:

    ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.

    Easy to fix, I hear you say.  My web config has this section

    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
    <trustedIssuers>
        <add thumbprint="‎50CAC702313DBD2F86797B2766F2AAE675AF8320" name="PassiveSTS"  />
       </trustedIssuers>
    </issuerNameRegistry>

    That is 100% certain the thumbprint of the cert in the STS (copied and pasted from the certificate MMC). So I look a bit deeper and create myself a custom IssuerNameRegistry that does nothing more than provide me a place to put breakpoints, so I commented out the above and added

    <issuerNameRegistry type="GT.Sateon.Web.SimpleIssuerRegistery" >
       <trustedIssuers>
          <add thumbprint="50CAC702313DBD2F86797B2766F2AAE675AF8320" name="PassiveSTS" />
       </trustedIssuers>
    </issuerNameRegistry>

     And the Class is

    using System.IdentityModel.Tokens;
    using System.Xml;
    using Microsoft.IdentityModel.Tokens;

    // Does nothing beyond the stock ConfigurationBasedIssuerNameRegistry;
    // it only exists so there is somewhere to set breakpoints.
    public class SimpleIssuerRegistery : ConfigurationBasedIssuerNameRegistry
    {
       // WIF hands the <issuerNameRegistry> child nodes (the <trustedIssuers> list) to this constructor.
       public SimpleIssuerRegistery(XmlNodeList customConfiguration)
          : base(customConfiguration)
       {}

       public override string GetIssuerName(SecurityToken securityToken)
       {
          var ret = base.GetIssuerName(securityToken); // null is what produces ID4175 further up the pipeline
          return ret;
       }

       public override string GetIssuerName(SecurityToken securityToken, string requestedIssuerName)
       {
          var ret = base.GetIssuerName(securityToken, requestedIssuerName);
          return ret;
       }
    }

    Simple stuff. The kicker is this works!?! No idea what's different here. So I started poking around inside ConfigurationBasedIssuerNameRegistry and ended up debugging in here

    public override string GetIssuerName(SecurityToken securityToken)
    {
      if (securityToken == null)
      {
        throw DiagnosticUtil.ExceptionUtil.ThrowHelperArgumentNull("securityToken");
      }
      X509SecurityToken token = securityToken as X509SecurityToken;
      if (token != null)
      {
        // Certificate.Thumbprint is the SHA-1 hash as upper-case hex with no separators;
        // the configured key has to match it for ContainsKey to succeed.
        string thumbprint = token.Certificate.Thumbprint;
        if (this._configuredTrustedIssuers.ContainsKey(thumbprint)) //Breakpoint here
        {
          return this._configuredTrustedIssuers[thumbprint];
        }
      }
      return null;
    }

    If I open up the immediate window and execute a few commands

    this
    {Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry}
        base {Microsoft.IdentityModel.Tokens.IssuerNameRegistry}: {Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry}
        _configuredTrustedIssuers: Count = 1
        ConfiguredTrustedIssuers: Count = 1

    this._configuredTrustedIssuers.Keys
    Count = 1
        [0]: "‎50CAC702313DBD2F86797B2766F2AAE675AF8320"

    this._configuredTrustedIssuers["50CAC702313DBD2F86797B2766F2AAE675AF8320"]
    'this._configuredTrustedIssuers["50CAC702313DBD2F86797B2766F2AAE675AF8320"]' threw an exception of type 'System.Collections.Generic.KeyNotFoundException'
        base {System.SystemException}: {"The given key was not present in the dictionary."}

    So at this point I'm really stuck, anyone got any ideas?!?  I'm all out!

    Cheers,

    Stephen. 

    Thursday, August 19, 2010 5:40 PM

Answers

  • I had the same problem last week. In my case, I had copied the thumbprint from a certificate details dialog, pasted it into the config file and did a find & replace to remove the spaces.

    I found that if I manually typed the thumbprint the problem went away.


    Dave Moyle Systems Architect (FirstMac Ltd)
    • Marked as answer by swoolhead Friday, August 20, 2010 10:38 AM
    Friday, August 20, 2010 2:28 AM
  • As it turns out, it appears that when I copied and pasted the thumbprint from the certificate MMC, I brought a few extra Unicode chars with me.

    System.Text.UTF8Encoding  encoding=new System.Text.UTF8Encoding();
    {System.Text.UTF8Encoding}
        base {System.Text.Encoding}: {System.Text.UTF8Encoding}
        emitUTF8Identifier: false
        isThrowException: false

    System.Convert.ToBase64String(encoding.GetBytes (thumbprint))
    "NTBDQUM3MDIzMTNEQkQyRjg2Nzk3QjI3NjZGMkFBRTY3NUFGODMyMA=="

    System.Convert.ToBase64String(encoding.GetBytes (this._configuredTrustedIssuers.entries[0].key))
    "4oCO4oCONTBDQUM3MDIzMTNEQkQyRjg2Nzk3QjI3NjZGMkFBRTY3NUFGODMyMA=="

    It seems that stuck at the beginning are two left-to-right marks, which very kindly display nothing on screen, and which VS removes when you copy and paste within VS.

    Delete and retype the start of the thumbprint and the problem has gone away!

    Arrgghh!

    Stephen.

    • Marked as answer by swoolhead Friday, August 20, 2010 10:41 AM
    Friday, August 20, 2010 10:38 AM

All replies

  • I know this is an old post and its solved but I wanted to add one additional item that I found.

    If you pasted your code from the MMC window into thumbprint="", you can't just delete the contents of the "" and retype it. You actually have to delete the "" themselves, otherwise those additional characters still exist within the string.


    If this was helpful, please mark as answered
    Blog: AttachedWPF
    AttachedWPF

    Friday, July 20, 2012 3:39 PM
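A quick way to find this class of defect before the runtime does, as an added example that is not code from the thread or from Microsoft.IdentityModel. It parses a web.config-style fragment (constructed here, with the two U+200E marks from Stephen's answer, a thumbprint pasted from the MMC with its spaces, and a clean one), names every character that is not a hex digit, reproduces the Base64 trick used in the accepted answer to make the bytes visible, emits the normalized value to paste back, and shows how to recompute a thumbprint from a certificate's DER bytes instead of copying it out of a dialog. Standard library only; the sample XML, issuer names and DER bytes in the test are made up.

```python
"""Find invisible characters in WIF/ADFS issuer thumbprints (added example)."""
import base64
import hashlib
import re
import unicodedata
import xml.etree.ElementTree as ET

HEX_DIGITS = set("0123456789abcdefABCDEF")
SHA1_HEX = re.compile(r"^[0-9A-F]{40}$")

# Constructed web.config fragment, not the poster's real file. Entry 1 carries
# the two U+200E marks from the thread, entry 2 is pasted from the MMC Details
# tab with its spaces, entry 3 is correct.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <microsoft.identityModel>
    <service>
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="\u200e\u200e50CAC702313DBD2F86797B2766F2AAE675AF8320" name="PassiveSTS" />
          <add thumbprint="50 ca c7 02 31 3d bd 2f 86 79 7b 27 66 f2 aa e6 75 af 83 20" name="PastedFromMmc" />
          <add thumbprint="50CAC702313DBD2F86797B2766F2AAE675AF8320" name="Clean" />
        </trustedIssuers>
      </issuerNameRegistry>
    </service>
  </microsoft.identityModel>
</configuration>
"""


def suspicious_chars(value):
    """(index, 'U+XXXX NAME') for every character that is not a hex digit.

    Gives invisible characters a readable name, e.g. LEFT-TO-RIGHT MARK.
    """
    return [(i, f"U+{ord(ch):04X} {unicodedata.name(ch, '<unnamed>')}")
            for i, ch in enumerate(value) if ch not in HEX_DIGITS]


def reveal_bytes(value):
    """Base64 of the UTF-8 bytes, the trick from the accepted answer.

    Two LRMs (UTF-8 E2 80 8E each) appear as the prefix '4oCO4oCO'.
    """
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def normalize_thumbprint(value):
    """Keep only hex digits, upper-case them, require 40 of them (SHA-1).

    That is the form X509Certificate2.Thumbprint returns, so it is the only
    form that can ever be found as a dictionary key by the registry.
    """
    cleaned = "".join(ch for ch in value if ch in HEX_DIGITS).upper()
    if not SHA1_HEX.match(cleaned):
        raise ValueError(f"not a SHA-1 thumbprint after cleaning: {cleaned!r}")
    return cleaned


def audit_config(xml_text):
    """One report dict per <add thumbprint=...> under <trustedIssuers>."""
    root = ET.fromstring(xml_text)
    report = []
    for issuers in root.iter("trustedIssuers"):
        for add in issuers.findall("add"):
            raw = add.get("thumbprint")
            if raw is None:
                continue
            normalized = normalize_thumbprint(raw)
            report.append({
                "name": add.get("name"),
                "raw": raw,
                "raw_len": len(raw),
                "suspicious": suspicious_chars(raw),
                "normalized": normalized,
                # False here is the ID4175 situation from the thread.
                "matches_runtime_form": raw == normalized,
            })
    return report


def thumbprint_from_der(der_bytes):
    """Recompute the thumbprint: SHA-1 over the DER-encoded certificate, upper-case hex.

    Hashing the exported .cer file avoids copying out of the MMC dialog at all.
    """
    return hashlib.sha1(der_bytes).hexdigest().upper()


if __name__ == "__main__":
    for entry in audit_config(SAMPLE_CONFIG):
        status = "ok" if entry["matches_runtime_form"] else "WILL NOT MATCH"
        print(f'{entry["name"]}: {status} ({entry["raw_len"]} chars)')
        for index, what in entry["suspicious"]:
            print(f"  offset {index}: {what}")
        print(f'  Base64 of raw bytes: {reveal_bytes(entry["raw"])}')
        print(f'  paste this instead: thumbprint="{entry["normalized"]}"')
```

Run it directly to see the report. When an entry is flagged, replace the whole attribute including the quotes, as the reply above says, rather than editing inside them; the hidden characters sit at the start of the value and survive a delete-and-retype of the visible digits.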
  • You get this error if the certificate thumbprints on the ADFS server and the relying party application do not match. This could be because of the introduction of stray characters as a result of copy-pasting the thumbprint, or because the signing certificate on the ADFS server has expired. Follow the steps below to resolve this.

    Open the ADFS 2.0 Management Console. Select ADFS 2.0 → Service → Certificates. Renew these certificates if expired.

    Take the thumbprints of these certificates and paste them into the relying party application web.config under the section shown below.

    Monday, February 11, 2013 10:39 AM
  • Very good.

    It is an optimal solution to the problem.

    Thank you very much for your post.

    Alex

    Wednesday, February 20, 2013 9:19 PM
  • Where is the relying party web.config for ADFS located?

    Jerry


    Jerry CRM Innovation - Need a solution for CRM to help you manage Events or Email Marketing? Follow me on Twitter

    Saturday, May 04, 2013 2:58 PM
  • It's located in the "root directory" of the RP.

    Right-click on the RP in IIS and then click "Explore"

    I always make a copy of the web.config before I fiddle with it "just in case".

    Sunday, May 05, 2013 7:46 PM
  • I followed your directions and it brings me to C:\inetpub\adfs\ls

    There is a web.config file in that folder but there is no issuerNameRegistry entry with the thumbprints.

    Any other suggestions?

    Jerry


    Jerry CRM Innovation - Need a solution for CRM to help you manage Events or Email Marketing? Follow me on Twitter

    Sunday, May 05, 2013 10:08 PM
  • That's the ADFS web.config.

    You want the RP web.config.

    So if you add a WIF application app1 that uses ADFS for authentication and they were (for argument's sake) on the same box then there would be two web sites under "Default Web Site"; one for adfs and one for app1.

    You need to look under app1 for the RP web.config.

    Sunday, May 05, 2013 10:23 PM
  • Mate!! Removing the value along with the quotes worked for me. I couldn't get it to work with just the values replaced. I lost half a day struggling with that. Your answer saved the rest of the day. Thanks.
    Monday, July 22, 2013 3:17 PM
  • I have the same problem as described in the original post and tried the same approach to get information when debugging. But I can't see any "extra characters"; the two thumbprints exactly match, but I get null returned.

    How did you remove the value with the quotes? I put a <clear /> at the beginning of the trustedIssuers.

    Does anyone have an idea what else could be the problem?

    Monday, December 02, 2013 4:36 PM