
Windows Identity Foundation–Updating an expired issuer certificate

Because Windows Identity Foundation (aka STS) requires a non-expired certificate to work, when a certificate expires you will start getting errors such as:

ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.

There are quite a few steps to fix this if you are running your own STS provider.


For the STS provider

  1. Start up Management Console (mmc.exe).
  2. Add the Certificates snap-in for the Computer Account (Add/Remove Snap-in, select Certificates, Computer Account).
  3. Import the new certificate into the Personal\Certificates branch (right click, Import).
    IMPORTANT: Make sure the certificate you are importing has the private key inside.
  4. Type out the thumbprint (Details\Thumbprint) by hand.
    IMPORTANT: DO NOT COPY AND PASTE. The value copied from the certificate dialog carries spaces and an invisible Unicode character, so pasting it leaves you with the same error.

For the STS Consumer

  1. Update the Federation Metadata using the command below:

     "C:\Program Files (x86)\Windows Identity Foundation SDK\v4.0\FedUtil.exe" /u "[PATH to Web.config]" /o "[Path to Log File]" /m "[Federation Metadata Location]"

     e.g.: "C:\Program Files (x86)\Windows Identity Foundation SDK\v4.0\FedUtil.exe" /u "D:\Websites\sts\web.config" /o "D:\Websites\sts\UpdateLog.txt" /m https://stsprovider/FederationMetadata/2007-06/FederationMetadata.xml

  2. Paste the typed thumbprint from the provider into the web.config file, replacing the old one (microsoft.identitymodel -> service -> issuerNameRegistry -> trustedIssuers).
  3. Save and test.
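As an added check that is not part of the original post: this Python script normalizes a thumbprint into the form a hand-typed one would have (stripping the spaces and the invisible left-to-right mark that a value copied from the certificate dialog carries), audits the trustedIssuers entries of a web.config for that problem, and rewrites the entry for one issuer. The web.config fragment, the issuer name and the thumbprint are constructed samples, not real values.

```python
"""Check and repair the trustedIssuers thumbprints in a WIF web.config (added example)."""
import re
import unicodedata
import xml.etree.ElementTree as ET

TRUSTED_ISSUERS = "microsoft.identitymodel/service/issuerNameRegistry/trustedIssuers/add"
SHA1_HEX = re.compile(r"[0-9A-F]{40}")

def normalize_thumbprint(raw: str) -> str:
    """Return the 40-char upper-case SHA-1 hex that X509Certificate2.Thumbprint yields.
    Copying the Thumbprint field out of the certificate dialog brings along spaces and an
    invisible format character (U+200E, left-to-right mark); both are stripped here."""
    cleaned = "".join(
        ch for ch in raw if not ch.isspace() and unicodedata.category(ch) != "Cf"
    ).upper()
    if not SHA1_HEX.fullmatch(cleaned):
        raise ValueError(f"not a SHA-1 thumbprint after cleanup: {raw!r}")
    return cleaned

def audit_trusted_issuers(web_config_xml: str) -> list:
    """Report each trusted issuer and whether its stored thumbprint is already clean."""
    root = ET.fromstring(web_config_xml)
    report = []
    for add in root.iterfind(TRUSTED_ISSUERS):
        raw = add.get("thumbprint", "")
        try:
            clean = normalize_thumbprint(raw)
        except ValueError:
            clean = None
        report.append({"name": add.get("name"), "clean": clean, "ok": raw == clean})
    return report

def replace_issuer_thumbprint(web_config_xml: str, issuer_name: str, new_raw: str) -> str:
    """Store the normalized new thumbprint on the trustedIssuers entry named issuer_name."""
    root = ET.fromstring(web_config_xml)
    clean = normalize_thumbprint(new_raw)
    hits = [a for a in root.iterfind(TRUSTED_ISSUERS) if a.get("name") == issuer_name]
    if not hits:
        raise KeyError(f"no trustedIssuers entry named {issuer_name!r}")
    for add in hits:
        add.set("thumbprint", clean)
    return ET.tostring(root, encoding="unicode")

# Constructed sample (not a real certificate): the thumbprint as it comes out of the
# MMC dialog via copy/paste, a leading U+200E plus spaces, inside a minimal web.config.
PASTED_THUMBPRINT = "\u200e01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67"
SAMPLE_WEB_CONFIG = f"""<configuration><microsoft.identitymodel><service><issuerNameRegistry>
 <trustedIssuers><add thumbprint="{PASTED_THUMBPRINT}" name="https://stsprovider/" /></trustedIssuers>
</issuerNameRegistry></service></microsoft.identitymodel></configuration>"""
```

Run audit_trusted_issuers on the real web.config text to see which entries still carry a pasted value, and replace_issuer_thumbprint to write the new provider thumbprint in clean form.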
Categories: ASP.NET