The full error is:
ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.So there I was happily using my claims-enabled application until one fine autumn morning – WHAM – I get the above error.
This error means (to quote Common Windows Identity Foundation WS-Federation Exceptions Explained) that:
“Security tokens are signed by the issuer (the IP-STS). This issuer is validated by the relying party so that the RP can be sure the tokens have been issued from a trusted source. The relying party’s WIF configuration contains an <issuerNameRegistry> element where the settings for the issuer’s signature are stored. This exception means that the configuration contained under the issuer name registry does not match the signature of the security token.”
Then I noticed that my ADFS has certificate rollover enabled and yes – you guessed it – my certificates had rolled over over the weekend.
The section in the web.config looks like:
ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=188.8.131.52,
Culture=neutral, PublicKeyToken=31bf3856ad364e35"> <trustedIssuers> <add thumbprint="xxx" name="http://yyy/adfs/services/trust"/> </trustedIssuers> </issuerNameRegistry>
So you need to get the thumbprint of the new ADFS token-signing primary certificate and update the web-config with it.