SharePoint And ADFS: SecurityTokenException – The issuer of the token is not a trusted issuer

This is a pretty common ADFS error, and there are all sorts of reasons that it could happen.

The stack trace will be this:

[code]
Microsoft.SharePoint.IdentityModel.SPTrustedIssuerNameRegistry.GetIssuerName(SecurityToken securityToken)
   at Microsoft.SharePoint.IdentityModel.SPPassiveIssuerNameRegistry.GetIssuerName(SecurityToken securityToken)
   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)
   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
   at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
[/code]

At the end of the day, though, don’t sit around fiddling with the SharePoint trusted authorities and yada yada yada: it boils down to a certificate problem. Basically, the certificate that was specified as the signing certificate, as exported during the ADFS setup, is either malformed (the certificate chain is incomplete) or plain wrong, i.e. not the one that was registered when the trusted issuer was built in SharePoint via PowerShell. So to get around the error, follow two pretty basic steps.

  1. Verify that the appropriate certificate chain is present on the SharePoint server, both in Trusted Root Certification Authorities and in the SharePoint folder within the Certificates MMC snap-in. Never, ever delete the self-issued certificates that SharePoint provisioned within that folder; you will cause a Michael Bay-splosion. To verify the chain, just pop open the certificate details in some interface (like the MMC :) ), it doesn’t really matter which, and confirm that the chain is complete and trusted.
  2. Next, verify that you actually used the right certificate path when building the System.Security.Cryptography.X509Certificates.X509Certificate2 object that you pass into your SPTrustedIdentityTokenIssuer. This is pretty easy to mess up while troubleshooting if you are swapping certs all over the place.

Once both of these are in place, that error will go away. Not that another won’t pop up :)
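The two checks above can be scripted from the SharePoint Management Shell. This is an added example, not code from the original post: it builds the chain of the exported ADFS token-signing certificate with X509Chain and then compares its thumbprint with the certificate SharePoint actually registered on the trusted identity token issuer. The certificate path (C:\certs\adfs-signing.cer) and the issuer name ("ADFS") are placeholders you would replace with your own values.

```powershell
# Added example: verify the ADFS signing certificate chain and the issuer registration.
# Placeholders: $certPath and $issuerName must be adjusted for your environment.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certPath   = 'C:\certs\adfs-signing.cer'   # placeholder: cert exported from ADFS
$issuerName = 'ADFS'                        # placeholder: name used in New-SPTrustedIdentityTokenIssuer

# Step 1: load the exported certificate and try to build its full chain on this server.
# Revocation checking is switched off so that only chain completeness/trust is tested.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)

"Certificate : $($cert.Subject)"
"Thumbprint  : $($cert.Thumbprint)"
"Chain built : $chainOk"
foreach ($element in $chain.ChainElements) {
    "  - $($element.Certificate.Subject)"      # every link the machine could resolve
}
if (-not $chainOk) {
    # Each status entry names the broken link, e.g. PartialChain or UntrustedRoot,
    # which points at the store (Trusted Root / SharePoint) missing a certificate.
    $chain.ChainStatus | ForEach-Object { "  ! $($_.Status): $($_.StatusInformation.Trim())" }
}

# Step 2: compare against the certificate SharePoint registered for the trusted issuer.
$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
"Registered  : $($issuer.SigningCertificate.Thumbprint)"
if ($issuer.SigningCertificate.Thumbprint -ne $cert.Thumbprint) {
    "MISMATCH: SharePoint trusts a different signing certificate than the one exported from ADFS."
} else {
    "OK: the registered signing certificate matches the exported one."
}
```

If the thumbprints differ, the issuer can be repointed at the right certificate with Set-SPTrustedIdentityTokenIssuer -Identity $issuerName -ImportTrustCertificate $cert rather than by deleting and recreating the issuer.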


TFS Proxy Server Unexpected Shutdowns

TFS Proxy Servers are essential in my current client’s TFS environment because they give the geographically dispersed SharePoint development environment better network performance by caching copies of version-control files. Since this particular environment is geo-distributed, the proxies are a necessary architectural requirement for keeping developers productive.

Recently, a strange issue was occurring in my client’s geo-distributed environment: the proxy servers would shut down repeatedly. The exact error you may run into is:

The VSTF Proxy Server stopped at [server]. The application is being shutdown for the following reason: HostingEnvironment. For more information …

This can happen for a variety of reasons, but the first thing you should do is enable proxy server tracing to get more relevant error information: open the web.config in the VersionControlProxy folder, set traceDirectoryName to a known storage location, and change traceWriter to true. For this particular error, one of the traced errors can be:

Detailed Message: TF53002: Unable to obtain registration data for application VersionControl.
TF30055: Visual Studio could not find or read the Team Foundation Server server name in the configuration file. Contact your Team Foundation Server administrator. (type VstfNotConfiguredException)

If you get this error, the TfsNameUrl appSetting is not configured in the proxy server’s web.config file. Locate the:
[xml]

[/xml]

element and change it. After that, check your IIS app pool settings, specifically the recycle interval and the memory limit. Then you should be good to go!
