Question

I've been trying to solve this issue for a while without luck; maybe someone with more SharePoint experience will be able to pinpoint my issue.

The exception stack trace in the SharePoint logs looks like this:

System.IdentityModel.Tokens.SecurityTokenException: The issuer of the token is not a trusted issuer.
   at Microsoft.SharePoint.IdentityModel.SPLocalIssuerNameRegistry.GetIssuerName(SecurityToken securityToken)
   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)
   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
   at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
   at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

I've looked at the decompiled code; it looks like this:

if (!accessProvider.SigningCertificate.Equals((X509Certificate) x509SecurityToken.Certificate))
    throw new SecurityTokenException(SPResource.GetString("IssuerIsNotTrusted"));

So it looks like the received security token and access provider certificates do not match. I went further, made a crash dump, loaded it into windbg and tried to find what certificate accessProvider has. I'm not sure if I was searching in the right place, but if I was, then it had the wrong certificate: its subject was CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US, clearly not the one I configured.

I was registering my identity provider like this (the dashes before SameAsIncoming and Realm were en-dashes in the original, which PowerShell does not accept as parameter prefixes; they are corrected to hyphens here):

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\temp\wcfsts.dev.cer")
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Display Name" -SameAsIncoming
$realm = "http://sp2013.testweb.local"
$ap = New-SPTrustedIdentityTokenIssuer -Name "WSFederationSTS" -Description "WCF STS." -Realm $realm -ClaimsMappings $map1 -ImportTrustCertificate $cert -SignInUrl "http://wcfsts.dev/WSFederationSecurityTokenService.svc/Issue" -IdentifierClaim $map1.InputClaimType

I've also registered the certificate with New-SPTrustedRootAuthority.

Solution

I found the problem accidentally, by looking at what I might have done wrong.
I was looking at the Claims Walkthrough and noticed that they register the token issuer using C# code, so I decided to do the same. They used the provider realm "https://intranet.contoso.com/_trust/", so I just changed it to my domain while leaving the "_trust" part, and it started to work. So the exception in the logs was very misleading.

After this, I found a blog post with the same issue, and wondered why I hadn't noticed it before.

OTHER TIPS

I was following some instructions from this link: https://support.microsoft.com/en-us/help/3042604/the-convert-spwebapplication-command-cannot-convert-from-windows-claim

It used the following format for the New-SPTrustedIdentityTokenIssuer command:

$ap = New-SPTrustedIdentityTokenIssuer -Name $tokenIdentityProviderName -Description $TrustedIdentityTokenIssuerDescription -realm $siteRealm -ImportTrustCertificate $adfsCert -SignInUrl $signInUrl -UseDefaultConfiguration -IdentifierClaimIs EMAIL -RegisteredIssuerName $siteRealm

I wasn't sure what to put for RegisteredIssuerName, and had previously left it blank when it was working, but in this case I set it to the same value as $tokenIdentityProviderName.

I started getting the "The issuer of the token is not a trusted issuer" error after that.

I cleared the value for RegisteredIssuerName:

Set-SPTrustedIdentityTokenIssuer -Identity $ap -RegisteredIssuerName ""

And that resolved the issue for me.

I believe that for RegisteredIssuerName to work, you may need to add an issuerNameRegistry entry to the web.config to specify trusted token issuers.

<issuerNameRegistry
  type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry,
        Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral,
        PublicKeyToken=31bf3856ad364e35">
  <trustedIssuers>
    <add thumbprint="99fcfe2c70ebb571020ca8aa1b7633dfe1fa1d58" name="http://localhost:48924/WingtipSTS/" />
  </trustedIssuers>
</issuerNameRegistry>

Additional source: https://docs.microsoft.com/en-us/previous-versions/office/developer/sharepoint-2010/ff955607(v=office.14)
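Both the accepted solution (the realm must be the web application's /_trust/ endpoint) and the tip above (a RegisteredIssuerName set without a matching trusted-issuer entry) produce the same misleading "not a trusted issuer" error. The following diagnostic script, added here as an example and not taken from the question or either answer, reads the configured SPTrustedIdentityTokenIssuer and checks the three things that can trigger it: the signing certificate thumbprint against the exported STS certificate (the comparison SPLocalIssuerNameRegistry performs), the realm suffix, and RegisteredIssuerName. It also confirms the certificate is registered as a trusted root authority. The issuer name and certificate path are placeholders taken from the question; the property names SigningCertificate, DefaultProviderRealm, ProviderRealms and RegisteredIssuerName on the returned object are assumed to be available as in SharePoint 2013.

```powershell
# Added diagnostic example; not code from the original question or answers.
# Assumes it is run in the SharePoint Management Shell on a SharePoint 2013 server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName = "WSFederationSTS"          # placeholder: name passed to New-SPTrustedIdentityTokenIssuer
$certPath   = "C:\temp\wcfsts.dev.cer"   # placeholder: the STS signing certificate that was imported

$ap = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
if (-not $ap) { throw "Trusted identity token issuer '$issuerName' not found." }

# 1. The signing certificate stored on the issuer must be the STS certificate.
#    This is the Equals() check in the decompiled SPLocalIssuerNameRegistry code.
$stsCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
if ($ap.SigningCertificate.Thumbprint -ne $stsCert.Thumbprint) {
    Write-Warning ("Signing certificate mismatch: issuer has {0}, file has {1}" -f `
        $ap.SigningCertificate.Thumbprint, $stsCert.Thumbprint)
} else {
    Write-Host "Signing certificate OK: $($stsCert.Thumbprint) ($($stsCert.Subject))"
}

# 2. Every realm should point at the web application's /_trust/ endpoint (accepted solution).
$realms = @($ap.DefaultProviderRealm) + @($ap.ProviderRealms.Values)
foreach ($realm in $realms) {
    if ([string]::IsNullOrEmpty($realm)) { continue }
    if ($realm -notmatch '/_trust/?$') {
        Write-Warning "Realm '$realm' does not end in /_trust/; tokens issued for it will be rejected."
    } else {
        Write-Host "Realm OK: $realm"
    }
}

# 3. A RegisteredIssuerName with no matching issuerNameRegistry entry gives the same error (tip above).
if (-not [string]::IsNullOrEmpty($ap.RegisteredIssuerName)) {
    Write-Warning ("RegisteredIssuerName is '{0}'. Either add a matching <trustedIssuers> entry " +
                   "to web.config or clear it with: Set-SPTrustedIdentityTokenIssuer -Identity `$ap " +
                   "-RegisteredIssuerName ''") -f $ap.RegisteredIssuerName
}

# 4. The STS certificate must also be a farm trusted root authority.
$trustedRoot = Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $stsCert.Thumbprint }
if (-not $trustedRoot) {
    Write-Warning "Certificate $($stsCert.Thumbprint) is not registered via New-SPTrustedRootAuthority."
} else {
    Write-Host "Trusted root authority OK: $($trustedRoot.Name)"
}
```

Run it once after registering the issuer and again after any Set-SPTrustedIdentityTokenIssuer change; the log message itself does not distinguish between a certificate mismatch, a wrong realm and a stray RegisteredIssuerName, so checking all three from the farm configuration is quicker than reading the ULS logs or a crash dump.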

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange