SharePoint 2013, ADFS and Token Decrypting Certificate

Hello,

I'm working on the configuration of a SharePoint 2013 farm to enable authentication through ADFS.

Configuration is done on ADFS side.

On SharePoint side:

  • I add the SPTrustedRootAuthority with the signing certificate and the sign-in URL
  • I configure the web application to use the provider created
  • I add the token decrypting certificate to the server (LocalMachine\My)
  • I change the configuration file for the web application, adding this:

    <serviceCertificate>
      <certificateReference x509FindType="FindBySubjectName" findValue="name of the certificat" storeLocation="LocalMachine" storeName="My"/>
    </serviceCertificate>

(it's the same using FindByThumbprint)

When I ask for the site collection on the web app, I'm getting an error:

Parser Error Message: ID1024: The configuration property value is not
valid.
Property name: 'serviceCertificate'
Error: 'ID1001: The certificate
does not have an associated private key.

I'm waiting to get the certificate with the private key, but I want to be sure of the process to handle this Token Decrypting Certificate on SharePoint side (it's not well documented on the internet).

Thanks for your help

July 20th, 2015 12:27pm
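The SharePoint side of the trust, as the original poster lists it, scripted as an added example (not code from the thread or from any of the linked guides). It runs from the SharePoint 2013 Management Shell on a farm server; the certificate paths, ADFS URL, realm, web application URL and the PFX password are placeholders to replace. Note that the token-signing certificate needs only its public part, while the token-decrypting certificate must be imported as a PFX so that the private key lands in LocalMachine\My:

```powershell
# Added example: SharePoint 2013 side of an ADFS trust, following the steps in
# the original post. All names, URLs and paths below are placeholders.
$signingCertPath  = 'C:\certs\adfs-token-signing.cer'        # public part of the ADFS token-signing cert
$decryptPfxPath   = 'C:\certs\sp-token-decrypt.pfx'          # token-decrypting cert WITH private key
$decryptPfxPwd    = Read-Host -AsSecureString 'PFX password'  # prompted, never hard-coded
$signInUrl        = 'https://adfs.example.local/adfs/ls'     # ADFS passive endpoint (placeholder)
$realm            = 'urn:sharepoint:example'                 # relying-party identifier set in ADFS (placeholder)
$webAppUrl        = 'https://sp.example.local'               # web application to attach the provider to (placeholder)

# 1. Trust the ADFS token-signing certificate (SharePoint only verifies signatures with it,
#    so the .cer without private key is enough here).
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($signingCertPath)
New-SPTrustedRootAuthority -Name 'ADFS Token Signing' -Certificate $signingCert | Out-Null

# 2. Map the incoming claims; the e-mail claim identifies the user.
$emailClaim = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' `
    -IncomingClaimTypeDisplayName 'Email' -SameAsIncoming
$roleClaim  = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' `
    -IncomingClaimTypeDisplayName 'Role' -SameAsIncoming

# 3. Create the trusted identity provider pointing at the ADFS sign-in URL.
$provider = New-SPTrustedIdentityTokenIssuer -Name 'ADFS' -Description 'ADFS trust' `
    -Realm $realm -ImportTrustCertificate $signingCert `
    -ClaimsMappings $emailClaim, $roleClaim -SignInUrl $signInUrl `
    -IdentifierClaim $emailClaim.InputClaimType

# 4. Attach the provider to the web application's Default zone, keeping Windows auth
#    alongside it so farm admins and crawl accounts keep working.
$webApp    = Get-SPWebApplication $webAppUrl
$winAuth   = New-SPAuthenticationProvider   # NTLM/Windows claims provider
$adfsAuth  = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $provider
Set-SPWebApplication -Identity $webApp -Zone Default -AuthenticationProvider $winAuth, $adfsAuth

# 5. Import the token-decrypting certificate with its private key into LocalMachine\My.
#    Importing the .cer alone (public part) reproduces the ID1001 error from the post.
$decryptCert = Import-PfxCertificate -FilePath $decryptPfxPath `
    -CertStoreLocation Cert:\LocalMachine\My -Password $decryptPfxPwd
"Decrypting certificate imported: {0}  HasPrivateKey={1}" -f $decryptCert.Thumbprint, $decryptCert.HasPrivateKey
```

Step 5 only places the certificate in the store; the application pool account still needs read access to that private key, and web.config still needs the serviceCertificate reference and the encrypted-token handler, which is the part of the setup the later replies in this thread address.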

You shouldn't need to edit the web.config.

Did you follow a guide like this one?

http://blogs.technet.com/b/hansbaumann/archive/2014/09/11/checklist-when-configuring-adfs-with-sharepoint.aspx

July 20th, 2015 3:59pm

Yes, for sure I followed a guide like this.

But I could not find a guide explaining clearly the configuration with the decrypting token certificate (different from the signing certificate).

Your link, as many others, doesn't say a word about decrypting certificate :(

Thanks for your reply.

July 20th, 2015 4:11pm

You only need the signing cert. And you do not need to modify the web.config.

Here's my favorite guide:

https://samlman.wordpress.com/2015/02/28/configuring-sharepoint-2010-and-adfs-v2-end-to-end/

July 20th, 2015 4:15pm

I saw on different links that when a token decrypting certificate is used (it is not mandatory to use it), we have to make some configuration on SharePoint side (otherwise SharePoint will not be able to decrypt the token).

Here is one of the links: https://lorson.wordpress.com/2014/08/15/configure-adfs-3-0-with-sharepoint-2013-for-claim-authentication/

July 20th, 2015 6:52pm

Hi,

Firstly, please make sure that you have exported the certificate with a private key.

Secondly, please make sure that a "TokenHandler" to handle encrypted traffic, as shown below, is added in the web.config file for SharePoint.

<add type="Microsoft.IdentityModel.Tokens.EncryptedSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

Thirdly, please make sure that the application pool account has permission to get the private key for the encryption certificate.

For this issue, you can use "WinHttpCertCfg" to set the permission on the certificate for the application pool account.

Please refer to the link below for detailed steps:

https://www.helloitsliam.com/2015/01/23/sharepoint-and-adfs-with-encryption-2/

Thanks,

Vi

July 21st, 2015 10:53pm
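The three checks in the reply above (private key present, application pool account can read it, handler and certificate reference in web.config), as an added diagnostic script that is not part of the thread. Run it in an elevated PowerShell on a SharePoint web front end; the certificate subject, the application pool identity and the web.config path are placeholders. It assumes the private key is a CAPI (RSA CSP) key stored under MachineKeys, which is where the ID1001 case in the post would land; for CNG keys the file location differs and the script only reports that:

```powershell
# Added example: verify the token-decrypting certificate setup on a SharePoint 2013 WFE.
# Placeholders to replace: subject name, application pool identity, web.config path.
param(
    [string]$CertSubject     = 'CN=sp-token-decrypt.example.local',
    [string]$AppPoolIdentity = 'CONTOSO\svc-spwebapp',
    [string]$WebConfigPath   = 'C:\inetpub\wwwroot\wss\VirtualDirectories\443\web.config'
)

# 1. Certificate is in LocalMachine\My and carries a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $CertSubject } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "Certificate '$CertSubject' not found in LocalMachine\My" }
"Thumbprint: $($cert.Thumbprint)  HasPrivateKey: $($cert.HasPrivateKey)"
if (-not $cert.HasPrivateKey) {
    throw 'No private key: re-export from the issuing machine as .pfx (with key) and re-import. This is the ID1001 condition.'
}

# 2. The application pool account can read the private key.
#    CAPI keys live as files under MachineKeys; $cert.PrivateKey is $null for CNG keys.
if (-not $cert.PrivateKey) {
    Write-Warning 'Key is not a CAPI key; grant access via certlm.msc > All Tasks > Manage Private Keys instead.'
} else {
    $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
    $acl = Get-Acl $keyPath
    $hasRead = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $AppPoolIdentity -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
    }
    if ($hasRead) {
        "Private key ACL: $AppPoolIdentity already has Read"
    } else {
        # Same effect as: winhttpcertcfg -g -c LOCAL_MACHINE\My -s <subject> -a <account>
        "Private key ACL: granting Read to $AppPoolIdentity"
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($AppPoolIdentity, 'Read', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $keyPath -AclObject $acl
    }
}

# 3. web.config references the certificate and registers the encrypted-token handler.
[xml]$cfg = Get-Content -Raw $WebConfigPath
$ref = $cfg.SelectSingleNode('//serviceCertificate/certificateReference')
if ($ref) {
    "serviceCertificate: $($ref.x509FindType)=$($ref.findValue) in $($ref.storeLocation)\$($ref.storeName)"
    if ($ref.x509FindType -eq 'FindByThumbprint' -and $ref.findValue -ne $cert.Thumbprint) {
        Write-Warning 'serviceCertificate thumbprint does not match the certificate found in the store.'
    }
} else {
    Write-Warning 'serviceCertificate/certificateReference is missing from web.config.'
}
$handler = $cfg.SelectNodes('//securityTokenHandlers/add') |
           Where-Object { $_.type -like '*EncryptedSecurityTokenHandler*' }
if ($handler) { 'EncryptedSecurityTokenHandler: registered' }
else { Write-Warning 'EncryptedSecurityTokenHandler is not registered under <securityTokenHandlers>.' }
```

Reading the ACL rather than blindly granting it keeps the script safe to re-run after each change; only the Read right is granted, which is all the decrypting handler needs, so the key cannot be exported or replaced by the application pool identity.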
