ID4220 SAML Assertion is either not signed or the signature's KeyIdentifier cannot be resolved to a SecurityToken. Please help!

Hi Everyone,
I really would appreciate some help or pointers on my situation. I have a SharePoint 2013 farm: one server is the DC and runs SQL, the other is the WFE server with SharePoint and ADFS. I've configured Active Directory Certificate Services and followed an excellent ADCS blog here.
I've gone ahead and configured ADFS and believe my Certificates to be sound as I have no warnings or anything for the Service Communication, Token Signing nor Token Decrypting Certificate. Below are my certs.
I also configured the trusted relying party following numerous blogs (I did this a couple of times to make sure I didn't do anything wrong) but followed this blog.
My ADFS RP looks like this:
Upon configuring the relying trust for my SharePoint Web Application, I used a PowerShell script, added 3 claim mappings and specified the exported token signing certificate as the main certificate. Running Get-SPTrustedIdentityTokenIssuer I can confirm that I've added the Token Issuer, which I believe to be correct:
ProviderUri                   : https://adfsportal.mvdb.com/adfs/ls/
DefaultProviderRealm          : urn:sharepoint:adfs
ProviderRealms                : {}
ClaimTypes                    : {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn, 
                                http://schemas.microsoft.com/ws/2008/06/identity/claims/role, 
                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress}
HasClaimTypeInformation       : True
ClaimTypeInformation          : {Email Address, Account ID, Role}
ClaimProviderName             : 
UseWReplyParameter            : False
UseWHomeRealmParameter        : False
RegisteredIssuerName          : 
IdentityClaimTypeInformation  : Microsoft.SharePoint.Administration.Claims.SPTrustedClaimTypeInformation
Description                   : ADFS SAML Provider
SigningCertificate            : [Subject]
                                  CN=tokensigning.adfs.mvdb.com
                                [Issuer]
                                  CN=mvdb-MVDBPRIME-CA, DC=mvdb, DC=com
                                [Serial Number]
                                  24000000036DEE002044F8EC45000000000003
                                [Not Before]
                                  2014-03-24 10:35:17 AM
                                [Not After]
                                  2016-03-23 10:35:17 AM
                                [Thumbprint]
                                  ED85DB5F1FF564FD7F645E365EB52C2DB406B825
AdditionalSigningCertificates : {}
MetadataEndPoint              : 
IsAutomaticallyUpdated        : False
Name                          : SAML Provider
TypeName                      : Microsoft.SharePoint.Administration.Claims.SPTrustedLoginProvider
DisplayName                   : SAML Provider
Id                            : 2f59bcca-6ee1-43ae-b9fa-f1b415cdd58b
Status                        : Online
Parent                        : SPSecurityTokenServiceManager Name=SecurityTokenServiceManager
Version                       : 22046
Properties                    : {}
Farm                          : SPFarm Name=SharePoint_Config
UpgradedPersistedProperties   : {}
So I then went and extended my Web Application, added a host header (secured with a wildcard cert) and chose the trusted provider I'd just added with the script. When logging on, sure enough, I get prompted with the login dropdown, but as soon as I choose the ADFS option I get:
ID4220: The SAML Assertion is either not signed or the signature's KeyIdentifier cannot be resolved to a SecurityToken. Ensure that the appropriate issuer tokens are present on the token resolver. To handle advanced token resolution requirements, extend Saml11TokenSerializer and override ReadToken
So far I have not been able to get further than this. I've double checked that I have given permissions on the token signing cert's private keys (read permissions on the ADFS service account as well as Network Service).
Please help!
-Mike

Hi,
According to your post, my understanding is that you got the “ID4220 SAML Assertion is either not signed or the signature's KeyIdentifier cannot be resolved to a SecurityToken” error.
I recommend running the Get-SPTrustedIdentityTokenIssuer PowerShell command on the SharePoint server and looking at the Trusted Identity Token Issuer to see whether the associated certificate is the correct version of the ADFS Token Signing Certificate.
If you exported the ADFS Communication Certificate for the ADFS Login URL instead of the ADFS Token Signing Certificate, please export the correct version of the ADFS Token Signing Certificate and rerun the following commands on the SharePoint servers using the SharePoint install account to associate the correct version of the ADFS signing certificate with the SharePoint TrustedIdentityTokenIssuer; this should resolve the issue.
# Load the exported public token-signing certificate (.cer, no private key needed)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Host\ADFS Signing.cer")
# Replace the signing certificate on the existing trusted identity token issuer
$sts = Get-SPTrustedIdentityTokenIssuer
$sts | Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate $cert
More information: SharePoint and ADFS Configuration Error – ID4220: The SAML Assertion is either not signed or the signature's KeyIdentifier cannot be resolved to a SecurityToken
Thanks,
Linda Li
Forum Support
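As an added check that is not part of the thread, the following script compares the token-signing certificate ADFS actually signs with against the one the SharePoint trusted issuer validates with, and re-imports it only when they differ. It assumes an elevated SharePoint Management Shell on a server that also has the ADFS PowerShell module (Windows Server 2012 or later), as on the poster's WFE, an issuer named "SAML Provider" as in the output above, and a placeholder export path.

```powershell
# Added example, not from the thread: compare the token-signing certificate ADFS
# currently signs with against the one the SharePoint trusted issuer validates with.
# Assumes an elevated SharePoint Management Shell on a server that also has the
# ADFS module (Windows Server 2012 or later), as on the poster's WFE.
$IssuerName = 'SAML Provider'                    # Name from Get-SPTrustedIdentityTokenIssuer
$ExportPath = 'C:\Temp\adfs-token-signing.cer'   # placeholder path for the public cert

Import-Module ADFS -ErrorAction Stop
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# 1. What ADFS signs assertions with right now: the *primary* Token-Signing cert
#    (not Service-Communications, which is the usual wrong export).
$adfsCert = (Get-AdfsCertificate -CertificateType Token-Signing |
             Where-Object { $_.IsPrimary }).Certificate

# 2. What SharePoint uses to resolve the assertion's KeyIdentifier.
$sts    = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName
$spCert = $sts.SigningCertificate

Write-Host "ADFS signs with   : $($adfsCert.Subject)  $($adfsCert.Thumbprint)"
Write-Host "SharePoint trusts : $($spCert.Subject)  $($spCert.Thumbprint)"

if ($adfsCert.Thumbprint -eq $spCert.Thumbprint) {
    Write-Host 'Thumbprints match; ID4220 is not caused by the signing certificate.'
    return
}

# 3. Mismatch: export only the public part (DER .cer, no private key) and
#    re-import it into the trust, as the answer above does.
$cerType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
[System.IO.File]::WriteAllBytes($ExportPath, $adfsCert.Export($cerType))
$newCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ExportPath)
$sts | Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate $newCert

# 4. SharePoint also has to chain-trust the certificate; register it as a trusted
#    root authority once (the issuing CA's root certificate is added the same way).
if (-not (Get-SPTrustedRootAuthority |
          Where-Object { $_.Certificate.Thumbprint -eq $newCert.Thumbprint })) {
    New-SPTrustedRootAuthority -Name 'ADFS Token Signing' -Certificate $newCert | Out-Null
}
Write-Host "Trust updated to $($newCert.Thumbprint); retry the ADFS sign-in."
```

ADFS rolls its token-signing certificate automatically when AutoCertificateRollover is enabled (the default), and the issuer output above shows IsAutomaticallyUpdated : False, so the same mismatch returns at every rollover unless the trust is re-imported.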
