
So for starters, here's my environment:

  • SharePoint 2010
  • Windows Server 2008 Standard
  • It's a VHD on my local machine
  • I'm connected to my work domain
  • I'm also connected to a VPN as well, because some of the resources I need require it

So I have an STS in SharePoint for SSO

The STS is created via PowerShell cmdlets:

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\IdentityServer.cer")
$map1 = New-SPClaimTypeMapping -IncomingClaimType "" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

# $map2 ... $mapN

$realm = "urn:mycompany:software"
$signinurl = ""

$ap = New-SPTrustedIdentityTokenIssuer -Name "MyFederationProvider" -Description "My Fed Provider" -Realm $realm -UseWReply -ImportTrustCertificate $cert -ClaimsMappings $map1 -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType

For the Internet Zone of my SharePoint site, I have the trusted identity provider created above as the Claims Authentication Type.

When I log in everything goes well until I hit this line in the code, FederatedPassiveSecurityTokenServiceOperations.ProcessSignInResponse(signInResponseMessage, Response);

The error I get is:
Exception information: 
    Exception type: SecurityTokenException 
    Exception message: The issuer of the token is not a trusted issuer. 

Request information: 
    Request URL: 
    Request path: /_trust/default.aspx 
    User host address: 
    Is authenticated: False 
    Authentication Type:  
    Thread account name: MyDomain\ThreadAccount

Thread information: 
    Thread ID: 10 
    Thread account name: MyDomain\ThreadAccount
    Is impersonating: False 
    Stack trace:    at Microsoft.SharePoint.IdentityModel.SPTrustedIssuerNameRegistry`1.GetIssuerName(SecurityToken securityToken)
   at Microsoft.SharePoint.IdentityModel.SPPassiveIssuerNameRegistry.GetIssuerName(SecurityToken securityToken)
   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)
   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
   at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

However, the root certificate is in the Trusted Root Certification Authorities in the MMC Certificates snap-in for the Computer Account on the Local Computer. As well, the root certificate is considered trusted in SharePoint. I added it via the Central Administration->Security->Manage Trust.

Any ideas why I'd still be getting this error?


Solution 2

The problem was the certificate being used initially was not from the domain I develop on. For local development a self-signed certificate was created and then the issuer was trusted. And this certificate was added to the Manage Trust store of my local SharePoint farm.
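The mismatch described in this answer (the farm trusting one certificate while the STS signs with another) can be confirmed from the SharePoint Management Shell before the token is ever rejected. This is an added diagnostic script, not code from the question or the answers; it assumes the issuer name "MyFederationProvider" from the question and uses a placeholder path for the certificate the STS actually signs with.

```powershell
# Added example: compare the signing certificate SharePoint expects for a
# trusted identity token issuer with the one the STS really signs with.
# SPTrustedIssuerNameRegistry resolves the issuer by thumbprint, so any
# difference here produces "The issuer of the token is not a trusted issuer."
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName    = "MyFederationProvider"          # name used in New-SPTrustedIdentityTokenIssuer
$actualCerPath = "C:\sts-signing-actual.cer"     # placeholder: export this from the running STS

# 1. The certificate SharePoint will accept as the token signer for this issuer
$issuer     = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
$registered = $issuer.SigningCertificate
"SharePoint expects signer : {0}  ({1})" -f $registered.Thumbprint, $registered.Subject

# 2. The certificate the STS is actually signing tokens with
$actual = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($actualCerPath)
"STS actually signs with   : {0}  ({1})" -f $actual.Thumbprint, $actual.Subject

# 3. Whether that signer is present in the farm trust store (Central Admin > Manage Trust)
$trustStoreThumbprints = Get-SPTrustedRootAuthority | ForEach-Object { $_.Certificate.Thumbprint }
$inTrustStore = $trustStoreThumbprints -contains $actual.Thumbprint

if ($registered.Thumbprint -ne $actual.Thumbprint) {
    Write-Warning "Thumbprint mismatch: tokens from this STS will be rejected as untrusted."
    Write-Host   "Re-import the real signing certificate:"
    Write-Host   "  Set-SPTrustedIdentityTokenIssuer -Identity $issuerName -ImportTrustCertificate `$actual"
} elseif (-not $inTrustStore) {
    Write-Warning "Signer matches, but the certificate is missing from Manage Trust."
    Write-Host   "  New-SPTrustedRootAuthority -Name '$issuerName signing cert' -Certificate `$actual"
} else {
    Write-Host "Signing certificate is consistent between the STS and the farm."
}
```

Run it as a farm administrator on a SharePoint server; a thumbprint mismatch at step 1 versus step 2 is exactly the condition the accepted answer describes.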

Other tips

Do you have an STS running at

The documentation for New-SPTrustedIdentityTokenIssuer says that it "Creates an identity provider in the farm." This seems poorly worded to me. It doesn't actually create a new STS. What New-SPTrustedIdentityTokenIssuer really does is configure a trust relationship between SharePoint and an existing 3rd party identity provider. For example,


or ADFS:

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow