WIF ID4036 certificate error

  • Question

    Hello

    I have a problem with an ASP.NET application which authenticates against an ADFS server to which I don't have access. Lately I needed to generate a new certificate (which I did with FedUtil) because the last one had expired. After that, and after configuring the relying party trust on the ADFS server, I am receiving the error below after the redirect back to the application:

    <Message>
    ID1044: An encrypted security token was received at the relying party which could not be decrypted. Configure the relying party with a suitable decryption certificate. Current relying party decryption certificate info:
    [Thumbprint] XXX
    </Message>
    <TargetSite>
    System.IdentityModel.Tokens.SecurityToken ReadToken(System.String, System.Xml.XmlDictionaryReaderQuotas)
    </TargetSite>
    <StackTrace>
       at Microsoft.IdentityModel.Web.TokenReceiver.ReadToken(String tokenXml, XmlDictionaryReaderQuotas readerQuotas)
       at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
       at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
       at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
    </StackTrace>
    <Source>
    Microsoft.IdentityModel
    </Source>
    <InnerException>
    <Message>
    ID4036: The key needed to decrypt the encrypted security token could not be resolved from the following security key identifier '<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#"><e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /></e:EncryptionMethod><KeyInfo><o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><X509Data><X509IssuerSerial><X509IssuerName>CN=DefaultApplicationCertificate</X509IssuerName><X509SerialNumber>49521138227350714713926480931259010729</X509SerialNumber></X509IssuerSerial></X509Data></o:SecurityTokenReference></KeyInfo><e:CipherData><e:CipherValue>grnggVnnJKrIwSNU569qIP8YUNY8r1HAgxdyBNgYdCu9CfUJr0AJl2NmcDsJE4I0gHfzDksbxt3lky5YGpjfGjZyo13sq4vDTHH7jaT5mwyvW6uhk9s9Rs050yBfdq6NbegPFkj86Kqq+pYNEHeoi9nNfLnSRR7zBmFMUFAzpx3rWZvhH5QF0yxg74NuKDOnwTnLsGB8g2YT0uDCCImduS0bDxBj/HfyI9ghQHGuhZU0PqvxPt2ytnowMxIIEF6/nKMmAeMJ4pC3XgdlkhGya0CJLUBI50lzUNE57vuTnH5IJ766tSXUmqdxnF3mCft/J2DNINhLxZQwg6FImK4ddg==</e:CipherValue></e:CipherData></e:EncryptedKey></KeyInfo>'. Ensure that the SecurityTokenResolver is populated with the required key.
    </Message>
    <TargetSite>
    System.IdentityModel.Tokens.SecurityToken ReadToken(System.Xml.XmlReader)
    </TargetSite>
    <StackTrace>
       at Microsoft.IdentityModel.Tokens.EncryptedSecurityTokenHandler.ReadToken(XmlReader reader)
       at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
       at Microsoft.IdentityModel.Web.TokenReceiver.ReadToken(String tokenXml, XmlDictionaryReaderQuotas readerQuotas)
    </StackTrace>
    <Source>
    Microsoft.IdentityModel
    </Source>
    <InnerException><InnerException/>
    <InnerException/>


    I've done a lot of research on the internet; access to the certificate has been granted to the user that runs the application pool, and also to the service user. The certificate is also configured in web.config under <microsoft.identityModel>:

          <serviceCertificate>
            <certificateReference x509FindType="FindByThumbprint" findValue="XXX" storeLocation="LocalMachine" storeName="My" />
          </serviceCertificate>

    I have no idea what else could cause this error. Any help or suggestions are really welcome.

    Thank you in advance!

    Mihu

    Tuesday, May 10, 2016 12:43 PM
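The following diagnostic is an added example and is not part of the original post. The ID4036 message identifies the certificate ADFS encrypted the token for by issuer name and a decimal serial number (the X509IssuerSerial element), whereas web.config references the decryption certificate by thumbprint, so the two are easy to compare by eye only after converting. The script pulls issuer and serial out of the quoted KeyInfo, converts the serial to the hex form the certificate store shows, and then checks three things on the web server: whether LocalMachine\My holds a certificate with that issuer/serial, whether it has a private key, and whether its thumbprint is the one configured in web.config. The `$configuredThumbprint` placeholder stands for the redacted findValue, and the MachineKeys path and the `PrivateKey.CspKeyContainerInfo` lookup assume a CAPI RSA key (the kind FedUtil creates); both are assumptions on my part.

```powershell
# Added diagnostic, not from the original post. Run in an elevated PowerShell on the web server.

# 1. The KeyInfo fragment quoted in the ID4036 message (only X509IssuerSerial is needed).
$keyInfoXml = @'
<X509IssuerSerial><X509IssuerName>CN=DefaultApplicationCertificate</X509IssuerName><X509SerialNumber>49521138227350714713926480931259010729</X509SerialNumber></X509IssuerSerial>
'@

# 2. The findValue from <certificateReference> in web.config. Placeholder: replace with the real thumbprint.
$configuredThumbprint = 'XXX'

# Extract issuer and decimal serial with simple regexes (the namespaces make XPath awkward here).
$issuerName = [regex]::Match($keyInfoXml, '<X509IssuerName>(.*?)</X509IssuerName>').Groups[1].Value
$serialDec  = [regex]::Match($keyInfoXml, '<X509SerialNumber>(.*?)</X509SerialNumber>').Groups[1].Value

# The token carries the serial as a decimal integer; the store displays it as upper-case hex.
# BigInteger.ToString('X') may prepend a '0' to keep the value positive, so normalise by trimming zeros.
$serialHex = [System.Numerics.BigInteger]::Parse($serialDec).ToString('X').TrimStart('0').ToUpper()

Write-Host "Token was encrypted for: issuer '$issuerName', serial $serialHex"

# 3. Look for that exact certificate in the store WIF is configured to search (LocalMachine\My).
$match = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Issuer -eq $issuerName -and
    $_.SerialNumber.TrimStart('0').ToUpper() -eq $serialHex
}

if (-not $match) {
    Write-Host "No certificate in LocalMachine\My has that issuer/serial."
    Write-Host "ADFS encrypted the token for a certificate this server does not hold (e.g. the previous one),"
    Write-Host "so the relying party trust's encryption certificate and this server's store disagree."
    return
}

foreach ($cert in $match) {
    Write-Host "Found: thumbprint $($cert.Thumbprint), valid until $($cert.NotAfter), private key: $($cert.HasPrivateKey)"

    if ($cert.Thumbprint -ne $configuredThumbprint.ToUpper()) {
        Write-Host "web.config references thumbprint $configuredThumbprint, which is NOT this certificate."
    }

    # 4. Private key ACL: the application pool identity needs Read on the key container file.
    if ($cert.HasPrivateKey) {
        try {
            $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName   # CAPI keys only (assumption)
            $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
            if (Test-Path $keyFile) {
                Write-Host "Key container file: $keyFile"
                (Get-Acl $keyFile).Access | Select-Object IdentityReference, FileSystemRights | Format-Table -AutoSize
            }
        } catch {
            Write-Host "Could not read the key container (CNG key or insufficient rights): $($_.Exception.Message)"
        }
    }
}
```

Reading the output: if no store entry matches the issuer/serial, the web server cannot possibly decrypt the token no matter how the ACLs are set, and the mismatch lies between what ADFS encrypts for and what the server holds; if the certificate is found but its thumbprint differs from the configured findValue, WIF is looking up a different certificate than the one ADFS used; only when both agree does the ACL listing become the relevant check. The `Issuer -eq` comparison is exact, so a multi-RDN issuer written in a different order in the store would need a looser comparison.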