Tuesday 28 January 2014

Error: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry in Ms Dynamics CRM 2011

Came back from a long weekend yesterday to be greeted by a non working development environment. It was prompting for credentials when logging in to Dynamics CRM. Thus, after having done what any self respecting developer would've done, namely bounce IIS, I decided to have a look at the logs, where I found this:
Error: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.
Error Message: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.

Source File: Not available

Line Number: Not available

Request URL: https://devcrm1.dev.local/default.aspx

Stack Trace Info: [SecurityTokenException: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.]
at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)
at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Some sort of ADFS issue, I thought to myself. So I jumped onto the Dev ADFS box and found no correlated errors :(

I checked the Relying Party Trusts and the CRM one was fine, not showing any errors, I even went as far as using the test url facility, but alas, no dice.
During my general sweep of ADFS, I looked at the certificates and .... there were new certificates as the old ones were about to expire:


This means that the certificate thumbprint for token signing being used by Dynamics CRM is wrong and needs changing. This is trivial for web services, as all you need to do is change the bold line in the web.config to reflect the new certificate thumbprint.
 <microsoft.identityModel>
    <service name="MyCustom.Service.Something">
      <audienceUris>
        <add value="https://devcrm1.dev.local:1337/MyCustom.Service.Something/Service.svc" />    
      </audienceUris>
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="5CE1DB0783B190D1CE4481B9C39CAD61AC6ACD56" name="http://adfs.dev.local/adfs/services/trust" />        </trustedIssuers>
      </issuerNameRegistry>
    </service>
  </microsoft.identityModel>

In MS Dynamics CRM things are perhaps simpler as there is no editing of the web.config file just a reconfiguration of Claims-Based Authentication (really, just run through the wizard as all other settings should already be correct):

1. Start the Deployment Manager:


2. Click Configure Claims-Based Authentication, which will launch the wizard and continue clicking next until the end of the Wizard.





3. Restart IIS.

Having done this, I was able to access my Dev environment again.

6 comments:

  1. Thanks for the post. This led me in the right direction. I was getting the same error after my adfs certificates expired. The one thing I had to figure out on my own was the correct certificate thumb print. I found that by viewing the certificate and clicking on the Details tab. There is a thumbprint there. I had to manually type it out without the spaces and put it into the web.config. However, that fixed the issue for me! Thanks, again!

    ReplyDelete
  2. Error: ID4175 is serious issue that has made me worried. Thanks for giving us comprehensible information and solving my this critical issue through your blog post. Assignment Writing Service

    ReplyDelete
  3. Thank you for your comment. This pointer pointed me in the right direction. After my adfs certificates expired, I received the same error. The correct certificate thumbprint was the one thing I had to figure out on my own. I discovered this by viewing the certificate and selecting the Details tab. A thumbprint can be found there. I had to manually type it without spaces and enter it into the gostepweb. However, that resolved the problem for me! Thank you once more!

    ReplyDelete
  4. Error: ID4175 is a significant problem that has disturbed me. Thank you for providing us with clear information and for resolving my key issue through your blog post.
    Roof Restoration Newcastle NSW

    ReplyDelete
  5. Thank you for sharing your thoughts. This put me on the correct track. After my adfs certificates expired, I received the same error. The correct certificate thumb print was the only item I had to work out on my own. I discovered this by looking at the certificate and selecting the Details page. A thumbprint can be found there. I had to manually type it in without spaces into the web.config file. That, however, resolved the problem for me! Thank you once more!
    seo consultant services

    ReplyDelete
  6. This is a really useful piece of knowledge. I appreciate you sharing this mind-blowing knowledge with us. Please keep us updated in this manner.
    Source: Brica Phone Pod For Small Phone online

    ReplyDelete