ID4022: The key needed to decrypt the encrypted security token could not be resolved

YSOD:
ID4022: The key needed to decrypt the encrypted security token could not be resolved. Ensure that the SecurityTokenResolver is populated with the required key

In the destination site (not my Identity Server), I made a mistake setting up the token.

A big part of the problem is that I was trying to set up too many filter criteria in the token definition. If you are only using one relying party and your server doesn’t have a bazillion encryption certificates on it, then you don’t need to use all of the possible filters in your token filter definition. The thumbprint should suffice.

Also, I was using load-balancing, and the token information is (possibly) a little different for each host of a load-balanced environment. So you need to get the thumbprint from each load-balanced Identity Server individually. They may or may not be the same. You are allowed to use several thumbprints, and the server (RP) will figure out which one to use.
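As an added example (not the post’s own config), here is the relying party’s WIF certificate reference cut down to a single thumbprint match, which is the shape the fix above ends up with. The thumbprint value, store name and store location are placeholders/assumptions.

```xml
<!-- Relying-party web.config, WIF 3.5/4.0 (Microsoft.IdentityModel).
     Added example, not the post's own configuration.
     In .NET 4.5 the same <serviceCertificate> element lives under
     <system.identityModel.services><federationConfiguration>. -->
<microsoft.identityModel>
  <service>
    <serviceCertificate>
      <!-- Match on thumbprint only: no subject/issuer/other filters stacked on top.
           findValue is a placeholder; check the installed certificate on each
           load-balanced host individually, as the post recommends, and use the
           thumbprint actually present there. The certificate must be in this
           store with its private key, since it is the decryption key. -->
      <certificateReference x509FindType="FindByThumbprint"
                            findValue="0000000000000000000000000000000000000000"
                            storeLocation="LocalMachine"
                            storeName="My" />
    </serviceCertificate>
  </service>
</microsoft.identityModel>
```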

About Tim Golisch

I'm a geek. I do geeky things.
This entry was posted in Errors, Lessons Learned.
