SharePoint And ADFS: SecurityTokenException – The issuer of the token is not a trusted issuer

This is a pretty common ADFS error, and there are all sorts of reasons that it could happen.

The stack trace will be this:

[code]
Microsoft.SharePoint.IdentityModel.SPTrustedIssuerNameRegistry.GetIssuerName(SecurityToken securityToken)
   at Microsoft.SharePoint.IdentityModel.SPPassiveIssuerNameRegistry.GetIssuerName(SecurityToken securityToken)
   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)
   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
   at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
[/code]

At the end of the day though, don’t sit around and fiddle with the SharePoint trusted authorities and yada yada yada; it boils down to a certificate problem. Basically, the certificate that was specified as the signing certificate when it was exported during the ADFS setup is either malformed (the certificate chain is incomplete) or plain wrong, i.e. not the one ADFS actually signs with, when the trusted issuer was built up in SharePoint via PowerShell. So to get around the error, follow two pretty basic steps.

  1. Verify that the appropriate certificate chain is present on the SharePoint server in both the Trusted Root Certification Authorities store and the SharePoint store within the Certificates MMC snap-in. Never, ever, ever delete the self-issued certificates that SharePoint provisioned within that folder; you will cause a Michael Bay-splosion. To verify the chain, just pop open the certificate details in some interface (like the MMC :) ), it doesn’t really matter which, and confirm that every link in the chain is present and trusted.
  2. Next, verify that you actually used the right certificate when specifying the certificate path while building the System.Security.Cryptography.X509Certificates.X509Certificate2 object that you pass into your SPTrustedIdentityTokenIssuer. This is pretty easy to mess up when troubleshooting if you are swapping certs all over the place.
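As an added check (not part of the original post), the PowerShell below runs both steps against the live configuration on a SharePoint server: it compares the thumbprint of the issuer’s SigningCertificate with the token-signing certificate exported from ADFS, builds the chain, and reports which links sit in the Root and SharePoint stores. The issuer name in $issuerName and the export path in $exportedPath are assumptions; substitute your own.

```powershell
# Added example: verify the SPTrustedIdentityTokenIssuer signing certificate.
# Assumes the SharePoint PowerShell snap-in and a SharePoint server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName   = 'ADFS'                            # assumed issuer name
$exportedPath = 'C:\certs\adfs-token-signing.cer' # assumed path of the ADFS export

$issuer      = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
$signingCert = $issuer.SigningCertificate
"Issuer '{0}' trusts: {1} (thumbprint {2})" -f $issuer.Name, $signingCert.Subject, $signingCert.Thumbprint

# Step 2: is the cert SharePoint trusts really the one ADFS signs tokens with?
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $exportedPath
if ($exported.Thumbprint -ne $signingCert.Thumbprint) {
    Write-Warning ("Thumbprint mismatch: issuer has {0}, exported ADFS cert is {1}" -f
        $signingCert.Thumbprint, $exported.Thumbprint)
}

# Step 1: the chain must build on this box, and each link should be in the stores.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Revocation is skipped here so an offline CRL does not mask a chain-building problem.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($signingCert)) {
    foreach ($status in $chain.ChainStatus) {
        Write-Warning ("Chain problem: {0} - {1}" -f $status.Status, $status.StatusInformation.Trim())
    }
}
foreach ($element in $chain.ChainElements) {
    $thumb  = $element.Certificate.Thumbprint
    $inRoot = Test-Path "Cert:\LocalMachine\Root\$thumb"
    $inSP   = Test-Path "Cert:\LocalMachine\SharePoint\$thumb"
    "{0,-50} Root:{1,-5} SharePoint:{2}" -f $element.Certificate.Subject, $inRoot, $inSP
}
```

A mismatch in the first warning is the step 2 problem; a chain status such as PartialChain or UntrustedRoot is the step 1 problem, and the last loop shows which link is missing from which store.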

Once both of these are in place, that error will go away. Not that another won’t pop up :)


How To Wire A SharePoint List To A Telerik RadScheduler

Wiring a list of SPListItems to a Telerik RadScheduler is pretty easy. The important thing to remember when working with a RadScheduler is that it expects a list of Appointment objects; how you hydrate an Appointment object is pretty much up to you. Where it gets kinda weird is that, once you have the collection, RadScheduler.Provider expects a class derived from SchedulerProviderBase. Either way it’s not too bad.

So let’s assume I am building the RadScheduler object in something like CreateChildControls like so:

[csharp]
RadScheduler theScheduler = new RadScheduler();
theScheduler.TimelineView.UserSelectable = true;
theScheduler.OverflowBehavior = OverflowBehavior.Expand;
theScheduler.SelectedView = SchedulerViewType.MonthView;
[/csharp]

In the above I am missing the RadScheduler.Provider property, so I gotta populate that. In this example I am converting the SPList to a DataSet, but you could iterate the items and return the values accordingly, taking type casting into account. So I end up with a DataSet and build the appointments with something like this:

[csharp]
// masterTable is the DataTable built from the SPList; the field names and the
// recurrence state come from the web part's configuration.
var tempCollection = new List<Appointment>();
tempCollection.AddRange(from DataRow row in masterTable.Rows
                        select new Appointment
                        {
                            Start = DateTime.Parse(row[startFieldName].ToString()),
                            End = DateTime.Parse(row[endFieldName].ToString()),
                            ID = Guid.NewGuid(),
                            Subject = StripTagsRegex(row[subjectFieldName].ToString()),
                            RecurrenceState = state
                        });

// Strips markup out of a rich-text field before it lands in the Subject.
// The pattern is assumed: the published post shows an empty pattern, which strips nothing.
public static string StripTagsRegex(string source)
{
    return Regex.Replace(source, "<[^>]+>", string.Empty);
}
[/csharp]

You could easily just do the SPListItems:

[csharp]
// Same projection straight from the SPList, skipping the DataTable step.
tempCollection.AddRange(from SPListItem row in list.Items
                        select new Appointment
                        {
                            Start = DateTime.Parse(row[startFieldName].ToString()),
                            End = DateTime.Parse(row[endFieldName].ToString()),
                            ID = Guid.NewGuid(),
                            Subject = StripTagsRegex(row[subjectFieldName].ToString()),
                            RecurrenceState = state
                        });
[/csharp]

Once you have the collection of Appointments, you have to write the SchedulerProviderBase subclass. It looks like this:

[csharp]
using System.Collections.Generic;
using Telerik.Web.UI;

public class ListSchedulerProvider : SchedulerProviderBase
{
    private readonly List<Appointment> _listItemCollection;

    public ListSchedulerProvider(List<Appointment> collection)
    {
        _listItemCollection = collection;
    }

    // Hand the pre-built appointments to the scheduler as-is.
    public override IEnumerable<Appointment> GetAppointments(RadScheduler owner)
    {
        return _listItemCollection;
    }

    // No resources (rooms, users, etc.) are attached to these appointments.
    public override IDictionary<ResourceType, IEnumerable<Resource>> GetResources(ISchedulerInfo schedulerInfo)
    {
        return new Dictionary<ResourceType, IEnumerable<Resource>>();
    }
}
[/csharp]

Then wire this class up to the scheduler’s Provider property:

[csharp]
// theScheduler is the RadScheduler created above; tempCollection is the
// List<Appointment> built from the list items.
theScheduler.Provider = new ListSchedulerProvider(tempCollection);
[/csharp]
