

ADFS 3.0 (Win 2012 R2) - Error ID4022: The key needed to decrypt the encrypted security token could not be resolved.

Question

Monday, April 28, 2014 11:01 PM

We are in the process of upgrading to ADFS 3.0 (Windows 2012 R2) to replace ADFS 2.0 (Windows 2008 R2).

The ADFS 3.0 relying party server functions properly as long as encryption is disabled.

If decryption is enabled, it fails with the following error:

Microsoft.IdentityModel.Tokens.EncryptedTokenDecryptionFailedException: ID4022: The key needed to decrypt the encrypted security token could not be resolved. Ensure that the SecurityTokenResolver is populated with the required key.

ADFS 2.0 (Claims Provider) <-- Trusts -- ADFS 2.0 (Relying Party) (Works fine with encryption or without).

ADFS 3.0 (Claims Provider) <-- Trusts -- ADFS 2.0 (Relying Party) (Works fine with encryption or without).

ADFS 2.0 (Claims Provider) <-- Trusts -- ADFS 3.0 (Relying Party) (Works fine with encryption disabled).

ADFS 3.0 (Claims Provider) <-- Trusts -- ADFS 3.0 (Relying Party) (Works fine with encryption disabled).

The encrypted SAML Response contains a serial number for the encryption certificate on the relying party server and the key corresponding to the certificate with this serial number is accessible to the Relying Party ADFS Service.

The ADFS 3.0 relying party server seems to be configured exactly the same (including the signing and encryption certificates used) as the ADFS 2.0 relying party server.

What could be causing this decryption error and the inability to resolve the security token certificate?

All replies (2)

Thursday, February 12, 2015 7:21 AM

Hi, I have the exact same problem after upgrading from ADFS 2.0 to ADFS 3.0.

Have you found any solution to the problem?

I temporarily disabled the encryption with this command from the Claims Provider site:
Set-ADFSRelyingPartyTrust -targetname XXX -EncryptClaims $false


Monday, February 16, 2015 2:19 PM | 2 votes

I have solved the problem with some help from Microsoft.

In the test environment where I had the problem, the ADFS server was also a DC.

The problem was that the account running the ADFS service wasn't allowed to read its own encryption certificate.

I followed this instruction to let the ADFS service account read the file.

Grant a Member the Right to Logon Locally

https://technet.microsoft.com/en-us/library/ee957044(v=ws.10).aspx
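The second reply traces ID4022 to the AD FS service account not being able to read the private key of the certificate used to decrypt tokens (the Token-Decrypting certificate on AD FS 3.0). The script below is an added example, not from the original thread or from Microsoft, that checks and fixes that permission on a Windows Server 2012 R2 AD FS server. It assumes the service account name `CONTOSO\svc_adfs` is a placeholder for your own, and that the private key is a CAPI (CSP) key stored under the standard `MachineKeys` folder; a CNG key lives under `Crypto\Keys` instead and the script stops with a message in that case.

```powershell
# Added example (not from the original thread). Checks whether the AD FS service
# account can read the private key of the primary Token-Decrypting certificate
# and grants Read if it cannot. Run from an elevated PowerShell prompt on the
# AD FS 3.0 (Windows Server 2012 R2) relying-party server.
# Assumptions: the service account name below is a placeholder; the private key
# is a CAPI (CSP) key under the standard MachineKeys path.
Import-Module ADFS

# Placeholder account name. The real one is shown by:
#   (Get-WmiObject Win32_Service -Filter "Name='adfssrv'").StartName
$serviceAccount = 'CONTOSO\svc_adfs'

# 1. The certificate AD FS uses to decrypt incoming encrypted assertions.
#    Compare its serial with the one in the SAML Response's EncryptedKey/KeyInfo.
$adfsCert    = Get-AdfsCertificate -CertificateType Token-Decrypting | Where-Object { $_.IsPrimary }
$decryptCert = $adfsCert.Certificate
"Token-Decrypting certificate: {0}, serial {1}" -f $decryptCert.Subject, $decryptCert.SerialNumber

# 2. The same certificate, with its private key, in the machine store.
$storeCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $decryptCert.Thumbprint }
if (-not $storeCert)               { throw "Certificate $($decryptCert.Thumbprint) is not in LocalMachine\My on this server." }
if (-not $storeCert.HasPrivateKey) { throw "Certificate $($decryptCert.Thumbprint) has no private key on this server." }

# 3. Locate the private key file. CAPI keys expose their container name here and
#    live under MachineKeys; CNG keys do not, and live under ...\Crypto\Keys.
$container = $storeCert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
if (-not $container) { throw "Private key is not a CAPI key; check the ACL under $env:ProgramData\Microsoft\Crypto\Keys instead." }
$keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container

# 4. Does the ACL on the key file already grant the service account Read (all Read bits, Allow)?
$acl      = Get-Acl -Path $keyPath
$readMask = [int][System.Security.AccessControl.FileSystemRights]::Read
$hasRead  = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $serviceAccount -and
    (([int]$_.FileSystemRights -band $readMask) -eq $readMask)
}

if ($hasRead) {
    "$serviceAccount already has Read on $keyPath; ID4022 has a different cause here."
} else {
    # 5. Grant Read only: the service needs to load the key, not modify or delete it.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($serviceAccount, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
    Restart-Service -Name adfssrv
    "Granted Read on $keyPath to $serviceAccount and restarted the AD FS service."
}
```

If the service runs as a group managed service account, the identity in the ACL appears as `DOMAIN\name$`, so set `$serviceAccount` accordingly. The script deliberately grants Read rather than Full Control; a token-decrypting key only ever needs to be loaded by the service. Once the permission is in place, re-enable encryption on the claims provider side with `Set-ADFSRelyingPartyTrust -TargetName XXX -EncryptClaims $true` and retest.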