ADFS ASP.Net Claims Aware Error 4036

  • Question

  • I have SharePoint 2010 configured with ADFS 2.0. I have created an ASP.NET website that I would like to run underneath SharePoint (e.g. https://www.spsite.com/website). I have created a relying party on the ADFS server for the .NET application and registered its urn in SharePoint through PowerShell.

    I am able to authenticate if I log into SharePoint first (e.g. https://www.spsite.com) and then go to the ASP.Net site. However, if I try going to the ASP.Net site first, I am authenticated through ADFS, then get this error:

    ID4036: The key needed to decrypt the encrypted security token could not be resolved from the following security key identifier '<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#"><e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /></e:EncryptionMethod><KeyInfo><o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><X509Data><X509IssuerSerial><X509IssuerName>CN=ADFS Encryption - LOGIN.SPSITE.COM</X509IssuerName><X509SerialNumber>40811204107420879152081839844845048066</X509SerialNumber></X509IssuerSerial></X509Data></o:SecurityTokenReference></KeyInfo><e:CipherData><e:CipherValue>M8Loe482Kvod8p72F33jGMGdAyZHXF1NcX9z8bmFh142SHktHcxNT5J7bQI1nlMlorVzRzDdymsx1Cc0wcdeahSJgiMC1kNCDiIMqMTUUXFUfROLRDRpN32c2BVBuBTrNW/teo9fKqEdBIbiFkjn3da65zZy01qThC6WGqFwFBC7zWajmRvNur2cCuDeLShIJ01Vj4C7sM/no9BhqQjGh8EUDzP63/P2nIWvTf4PTRW29Hy5suEgqwjnTmj4P+ONmXy94KmOltKb65QgIbrdS+MDviuahTsyM0epwYm3Ne2ZzgCnBFNxxqkDFwZuSl0M9wIFVRUcYJ2EJG6kIe5ypw==</e:CipherValue></e:CipherData></e:EncryptedKey></KeyInfo>'. Ensure that the SecurityTokenResolver is populated with the required key.

    I have added both the token signing certificate and the ADFS server's certificate to the Personal Folder in the MMC certificates.

    To achieve my current setup, I used Visual Studio 2010 and added an STS reference. I used the "Use an existing STS" option and used the federation metadata's URL. I have tried configuring it both with and without the "Enable Encryption" option and have tried selecting both options for the encryption certificate. I have tried using the token signing certificate and the ADFS server certificate but nothing seems to work.

    Thursday, August 1, 2013 3:05 PM
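    Added diagnostic (not from this thread or from Microsoft): it reads the `<KeyInfo>` that ID4036 prints, converts the decimal `X509SerialNumber` into the hex form the certificate store displays, and checks whether LocalMachine\My holds that certificate together with its private key. The XML below is constructed from the issuer and serial in the message above, with the CipherValue left out because it plays no part in locating the key.

```powershell
# Added ID4036 diagnostic; not from the original thread. The XML is a constructed copy of the
# KeyInfo in the error message, with the (irrelevant) CipherValue removed.
$keyInfoXml = @'
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
    <KeyInfo>
      <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <X509Data><X509IssuerSerial>
          <X509IssuerName>CN=ADFS Encryption - LOGIN.SPSITE.COM</X509IssuerName>
          <X509SerialNumber>40811204107420879152081839844845048066</X509SerialNumber>
        </X509IssuerSerial></X509Data>
      </o:SecurityTokenReference>
    </KeyInfo>
  </e:EncryptedKey>
</KeyInfo>
'@

[xml]$doc = $keyInfoXml
# local-name() sidesteps the three namespaces used inside the element.
$issuer    = $doc.SelectSingleNode("//*[local-name()='X509IssuerName']").InnerText
$serialDec = $doc.SelectSingleNode("//*[local-name()='X509SerialNumber']").InnerText

# XML-DSig carries the serial as a decimal integer; certificate stores show it in hex.
# BigInteger.ToString('X') may prepend a '0' for positive values, hence the TrimStart.
Add-Type -AssemblyName System.Numerics
$serialHex = ([System.Numerics.BigInteger]::Parse($serialDec)).ToString('X').TrimStart('0')

Write-Host "Token was encrypted to certificate issued by: $issuer"
Write-Host "Serial (hex, as shown in the MMC Certificates snap-in): $serialHex"

# WIF takes the decryption key from the <serviceCertificate> in web.config, normally LocalMachine\My.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { ($_.SerialNumber -replace '^0+', '') -ieq $serialHex }

if (-not $cert) {
    Write-Warning "No certificate with serial $serialHex in LocalMachine\My."
    Write-Warning "The public part of the token-signing or ADFS service certificate does not help: the application needs the certificate, with private key, that the relying-party trust's Encryption tab points at."
} elseif (-not $cert.HasPrivateKey) {
    Write-Warning "Certificate is present but carries no private key, so the token cannot be decrypted."
} else {
    Write-Host "Found with private key. Thumbprint: $($cert.Thumbprint)"
    Write-Host "Reference it in web.config: <serviceCertificate><certificateReference x509FindType='FindByThumbprint' findValue='$($cert.Thumbprint)' storeLocation='LocalMachine' storeName='My' /></serviceCertificate>"
    Write-Host "and grant the application pool identity read access to that private key."
}
```

    Note that "ADFS Encryption - <host>" is the name ADFS 2.0 gives its own self-signed token-decrypting certificate, whose private key lives only on the federation server; if the relying-party trust encrypts to that certificate, no web application can decrypt the token, and the trust should either encrypt to a certificate the application owns or not encrypt at all.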


  • Might ask over here.

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    • Proposed as answer by Just Karl Monday, August 5, 2013 4:31 PM
    • Marked as answer by Just Karl Friday, August 16, 2013 3:33 PM
    Saturday, August 3, 2013 3:18 PM