Sysadminsblog.com Anything for sysadmins!

15 Jul 2011

SharePoint 2010 Trusted Identity Token Issuer Error

I was setting up SharePoint to use Federated Authentication using Azure Access Control Service (ACS) when it ran into an error. After checking the SharePoint logs I ran into the following lines:

07/15/2011 10:23:36.54     w3wp.exe (0x1670)     0x0C60    SharePoint Foundation     Claims Authentication     eu2n    Monitorable    Trusted login provider ‘Public Account’ is not sending configured input identity claim type ‘http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress’    

07/15/2011 10:23:36.54     w3wp.exe (0x1670)     0x0C60    SharePoint Foundation     Monitoring     b4ly    High     Leaving Monitored Scope (SPSecurityTokenService.GetTokenLifetime()). Execution Time=125,240686737495    

07/15/2011 10:23:36.56     w3wp.exe (0x1670)     0x0C60    SharePoint Foundation     Claims Authentication     fo1t    Monitorable    SPSecurityTokenService.Issue() failed: System.ServiceModel.FaultException: The trusted login provider did not supply a token accepted by this farm. at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo.ValidateTrustedLoginRequest() at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo..ctor(IClaimsIdentity identity, RequestSecurityToken request, Boolean initializeForActor) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo..ctor(IClaimsPrincipal principal, RequestSecurityToken request) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetTokenLifetime(Lifetime requestLifetime) at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityT…    

07/15/2011 10:23:36.56*    w3wp.exe (0x1670)     0x0C60    SharePoint Foundation     Claims Authentication     fo1t    Monitorable    …oken request) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityToken request)

Also the event viewer returned the following error:

Log Name: Application

Source: Microsoft-SharePoint Products-SharePoint Foundation

Date: 15-7-2011 10:23:36

Event ID: 8306

Task Category: Claims Authentication

Level: Error

Keywords:

User: DOMAIN\user

Computer: sharepoint.domain.local

Description:

An exception occurred when trying to issue security token: The trusted login provider did not supply a token accepted by this farm..

Quite obviously, when I select Windows Live ID, it doesn’t return the expected type of claim, namely http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.

Solution

In Azure ACS you can configure which claim type is taken as input from the identity provider and which claim type is returned to the relying party. The Windows Live ID Identity Provider doesn’t support email address as a claim type; however, you can map its only available input claim type to any other claim type that you use to validate the incoming claim in SharePoint.

My SharePoint environment is set up to allow validation through emailaddress. I’ll have to map the ‘http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier’ claim type to the ‘http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress’ claim type as shown below.

  1. Navigate to your Azure ACS URL (https://<ServiceNamespace>.accesscontrol.windows.net/v2/mgmt/web)
  2. Click Rule groups
  3. Click the Rule group that is used by your SharePoint environment
  4. Click on the only entry with Windows Live ID as Claim Issuer
  5. Check Select Type in the Then section and select the proper claim type (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress) that SharePoint is expecting
  6. Click Save and check the results

Now try to log in to your SharePoint environment with the Windows Live ID and it should work flawlessly.
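To make the failure and the fix concrete, here is an added Python example (not from the original post and not Microsoft's code) that models both sides: how the attributes of a SAML 1.1 token become claim types, how an ACS rule copies the Windows Live ID nameidentifier value into the emailaddress claim type, and the farm-side check that produces the eu2n log line above. The assertion XML and the nameidentifier value in it are constructed.

```python
import xml.etree.ElementTree as ET

CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
NAMEID = f"{CLAIMS_NS}/nameidentifier"
EMAIL = f"{CLAIMS_NS}/emailaddress"
SAML1 = "{urn:oasis:names:tc:SAML:1.0:assertion}"

# Constructed SAML 1.1 assertion fragment in the shape ACS hands to SharePoint 2010
# (signature, conditions and subject omitted). Windows Live ID only yields a
# nameidentifier, so this is what the farm sees before the rule is changed.
LIVE_ID_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="nameidentifier"
        AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>b1f4c6a0e8d9c2f3a5b7d9e1f3a5c7e9</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def claims_from_saml11(xml_text):
    """Return {claim_type: value}. WIF derives the claim type of a SAML 1.1
    attribute as AttributeNamespace + '/' + AttributeName."""
    root = ET.fromstring(xml_text)
    claims = {}
    for attr in root.iter(f"{SAML1}Attribute"):
        claim_type = f"{attr.get('AttributeNamespace')}/{attr.get('AttributeName')}"
        claims[claim_type] = attr.findtext(f"{SAML1}AttributeValue")
    return claims


def apply_acs_rules(input_claims, rules):
    """Model an ACS rule group: each (input_type, output_type) rule copies the
    value of an input claim into the output claim type (pass-through when both
    are the same). Inputs with no rule are dropped, which is why a missing
    nameidentifier -> emailaddress rule leaves the token without emailaddress."""
    output = {}
    for input_type, output_type in rules:
        if input_type in input_claims:
            output[output_type] = input_claims[input_type]
    return output


def validate_trusted_login(token_claims, identifier_claim_type):
    """Mirror the farm-side check behind the eu2n entry: the token must carry the
    identifier claim type configured on the trusted identity token issuer."""
    if identifier_claim_type not in token_claims:
        return (False, "Trusted login provider is not sending configured input "
                       f"identity claim type '{identifier_claim_type}'")
    return (True, token_claims[identifier_claim_type])
```

Running the assertion through the default pass-through rule still fails the check; running it through the nameidentifier-to-emailaddress rule from the steps above makes the same token acceptable to the farm.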

One thing to note is that the login name is an odd string of characters instead of a nicely structured email address. Unfortunately there is no way of getting a nice looking login name using Windows Live ID as there is no other option than returning the nameidentifier. This seems kind of odd since it’s a Microsoft product and the most restricted Identity provider is also from Microsoft. I hope that Microsoft will add other options soon.


Posted by Mischa Oudhof
