WIF10201: No valid key mapping found for securityToken (Part 1)

YSOD (Yellow Screen of Death):
WIF10201: No valid key mapping found for securityToken

This was the error that just kept on coming back.

First solution: I had to pick a key (on my Identity Server) that could actually be used for signing. Not all keys will work: the certificate needs a private key, and the account Identity Server runs as (the machine account or the app pool identity) needs read access to that private key. Once that was sorted, I selected the key on Identity Server’s Key Configuration screen.

Second solution: I had the wrong values in the web.config (not Identity Server’s; this was the web.config on my “RP” site). The name attribute of system.identityModel/identityConfiguration/issuerNameRegistry/authority needed to be set properly. This is the URL and path to your ID server.

Third solution: I made the mistake of putting the server name as a “validIssuer”. The Identity Server URL is NOT NECESSARILY the same value that goes under the authority/validIssuers/add name entries. The proper name for validIssuers is supposed to come from the (Identity Server) FederationMetadata.xml, on the first line: it is the entityID attribute of the root EntityDescriptor element.
[Screenshot: WIF10201 YSOD]
For me, the entityID had a VERY similar name to the server’s URL (but not exactly the same), and I stared at it for a few hours without noticing the difference. The registry compares the names as strings, so a different path or a trailing slash is enough to fail. Of course, you can add several entries under validIssuers, so try several values until you get it right. Then remove the ones you don’t need: each entry is an issuer name the RP will accept, so don’t leave guesses in the config.
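One way to check all three of those values before staring at another YSOD, as an added example (Python, not code from this post or from Identity Server): parse FederationMetadata.xml for the entityID and the signing certificate thumbprint, parse the RP web.config for its ValidatingIssuerNameRegistry authority entries, and report what does not line up. The host name idsrv.example.com, the /trust path, and the certificate bytes are all constructed placeholders; the config is shown once with the server URL as the validIssuer (the mistake above) and once with the entityID.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used in FederationMetadata.xml (WS-Federation metadata reuses the
# SAML 2.0 metadata and XML-DSig namespaces).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder: NOT a real DER certificate. The thumbprint .NET shows
# for a certificate is the SHA-1 of its DER bytes, which is all this check needs.
FAKE_DER = b"constructed placeholder, not a real DER certificate"
FAKE_CERT_B64 = base64.b64encode(FAKE_DER).decode()
SIGNING_THUMBPRINT = hashlib.sha1(FAKE_DER).hexdigest().upper()

# Hypothetical Identity Server metadata. The entityID deliberately differs from
# the server's base URL only in the path, like the mix-up described in the post.
FEDERATION_METADATA = f"""
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    entityID="https://idsrv.example.com/trust">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </RoleDescriptor>
</EntityDescriptor>
"""


def _web_config(valid_issuer):
    """Hypothetical RP web.config fragment; only the validIssuers name varies."""
    return f"""
<configuration>
  <system.identityModel>
    <identityConfiguration>
      <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
        <authority name="https://idsrv.example.com/">
          <keys>
            <add thumbprint="{SIGNING_THUMBPRINT.lower()}" />
          </keys>
          <validIssuers>
            <add name="{valid_issuer}" />
          </validIssuers>
        </authority>
      </issuerNameRegistry>
    </identityConfiguration>
  </system.identityModel>
</configuration>
"""


WEB_CONFIG_WRONG = _web_config("https://idsrv.example.com/")       # server URL: wrong
WEB_CONFIG_FIXED = _web_config("https://idsrv.example.com/trust")  # metadata entityID


def normalize_thumbprint(value):
    """Keep only hex digits, upper-cased. This drops spaces and the invisible
    characters that ride along when a thumbprint is copied out of certmgr."""
    return "".join(c for c in value if c in "0123456789abcdefABCDEF").upper()


def parse_federation_metadata(xml_text):
    """Return (entityID, [SHA-1 thumbprints of the signing certificates])."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    thumbprints = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # no 'use' means any use
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            thumbprints.append(hashlib.sha1(der).hexdigest().upper())
    return entity_id, thumbprints


def parse_authorities(web_config_text):
    """Return the <authority> entries (name, key thumbprints, valid issuers)."""
    root = ET.fromstring(web_config_text)
    return [
        {
            "name": a.get("name"),
            "keys": [normalize_thumbprint(k.get("thumbprint", "")) for k in a.iterfind("keys/add")],
            "issuers": [i.get("name") for i in a.iterfind("validIssuers/add")],
        }
        for a in root.iterfind(".//issuerNameRegistry/authority")
    ]


def check_config(metadata_text, web_config_text):
    """List the mismatches between the STS metadata and the RP config."""
    entity_id, thumbprints = parse_federation_metadata(metadata_text)
    problems = []
    for auth in parse_authorities(web_config_text):
        if not set(thumbprints) & set(auth["keys"]):
            problems.append(f"authority '{auth['name']}': no <keys> thumbprint matches "
                            f"the metadata signing certificate(s) {thumbprints}")
        if entity_id not in auth["issuers"]:
            problems.append(f"authority '{auth['name']}': entityID '{entity_id}' is not "
                            f"in <validIssuers> {auth['issuers']}")
    return problems


if __name__ == "__main__":
    for label, cfg in (("wrong", WEB_CONFIG_WRONG), ("fixed", WEB_CONFIG_FIXED)):
        print(label, check_config(FEDERATION_METADATA, cfg) or ["OK"])
```

Against a real deployment, replace the two embedded strings with the contents of the downloaded FederationMetadata.xml and the RP web.config. The thumbprint comparison is case-insensitive and ignores anything that is not a hex digit, because a thumbprint pasted from the certificate dialog often carries a hidden non-printing character that makes an otherwise correct value fail to match; the issuer comparison is deliberately exact, since that is what tripped the third solution.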

About Tim Golisch

I'm a geek. I do geeky things.