Thursday, February 17, 2011

Fixing the ID4175 Error Message

If you have been working extensively with Windows Identity Foundation and using a Claims-aware application with a Security Token Service, chances are you have seen the following dreaded error:


ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.IdentityModel.Tokens.SecurityTokenException: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.



After doing quite a bit of research on this error message, I finally found a blog posting/article which indicated how to solve this error message rather easily!

  1. First, open the Web.config file of the Claims-aware Web Site
  2. Look for the element that looks like this:
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <trustedIssuers>
        <add thumbprint="E1787F034DAA4F5401811F72F9B64E138FE6FF2F" name="http://localhost:48924/WingtipSTS/" />
      </trustedIssuers>
    </issuerNameRegistry>
  3. Now simply delete/remove this element entirely from the Web.config file
  4. Save your changes to the Web.config file
  5. Right click on the Claims-aware Web Site project and select Add STS Reference
  6. Proceed through the Federation Utility wizard once more to connect to the appropriate STS
  7. After the Federation Utility wizard completes successfully, the issuerNameRegistry element should have been re-added to the Web.config
  8. Right click on the Default.aspx web form and select View in Browser 
  9. Verify that the Claims-aware Web Site now authenticates to the STS successfully!

In some cases, if you are working with existing code samples (such as those that can be downloaded from MSDN Code Gallery), the above set of steps will not work for you. This is because Add STS Reference actually reads the FederationMetadata.xml file contained in the STS. Often, this file has been signed with an STSTestCert whose Thumbprint differs from the Thumbprint of the STSTestCert installed on your local machine. The Thumbprint from the metadata file is what subsequently gets added to the Web.config file of your Claims-aware Web Site, so the trusted issuer entry does not match the certificate your local STS actually signs tokens with.

Fortunately, a CodePlex project called STS Federation Metadata Editor can be used for editing these FederationMetadata.xml files. The CodePlex project is located here: http://stsmetadataeditor.codeplex.com/

Once you edit and re-save these files using the Metadata Editor, you should be able to use the above set of steps for Add STS Reference to ensure that your Claims-aware Web Site is working properly and has all of the proper Web.config values.
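Both causes of ID4175 discussed on this page, a trustedIssuers thumbprint that belongs to a different certificate and a thumbprint that carries stray invisible characters, can be checked mechanically. The Python sketch below is an added example, not code from the original post or from WIF; the function names, the stand-in certificate bytes and the two extra `<add>` entries are constructed for illustration, and U+200E is used as one example of an invisible character.

```python
import hashlib
import xml.etree.ElementTree as ET

HEX_DIGITS = set("0123456789abcdefABCDEF")


def cert_thumbprint(der_bytes):
    """Windows certificate thumbprint: SHA-1 over the DER-encoded certificate."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


def audit_trusted_issuers(config_xml, expected_thumbprint):
    """Classify each <trustedIssuers>/<add> entry against the expected thumbprint."""
    findings = []
    root = ET.fromstring(config_xml)
    for registry in root.iter("issuerNameRegistry"):
        for entry in registry.findall("./trustedIssuers/add"):
            raw = entry.get("thumbprint", "")
            # Anything that is not a hex digit (spaces, U+200E, ...) is suspect.
            stray = [f"U+{ord(c):04X}" for c in raw if c not in HEX_DIGITS]
            cleaned = "".join(c for c in raw if c in HEX_DIGITS).upper()
            if cleaned != expected_thumbprint.upper():
                status = "mismatch"           # entry points at a different certificate
            elif stray:
                status = "hidden-characters"  # right certificate, polluted value
            else:
                status = "ok"
            findings.append({"name": entry.get("name"), "status": status, "stray": stray})
    return findings


# Constructed stand-in for the DER bytes of the locally installed signing certificate.
LOCAL_CERT_DER = b"constructed bytes, not a real certificate"
LOCAL_THUMBPRINT = cert_thumbprint(LOCAL_CERT_DER)

# Constructed Web.config fragment: the first <add> is the entry shown on this page,
# the second and third are made up to exercise the other two outcomes.
SAMPLE_CONFIG = f"""<configuration><microsoft.identityModel><service>
<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel">
  <trustedIssuers>
    <add thumbprint="E1787F034DAA4F5401811F72F9B64E138FE6FF2F" name="http://localhost:48924/WingtipSTS/" />
    <add thumbprint="\u200e{LOCAL_THUMBPRINT}" name="pasted-from-dialog (constructed)" />
    <add thumbprint="{LOCAL_THUMBPRINT}" name="clean (constructed)" />
  </trustedIssuers>
</issuerNameRegistry>
</service></microsoft.identityModel></configuration>"""

if __name__ == "__main__":
    for finding in audit_trusted_issuers(SAMPLE_CONFIG, LOCAL_THUMBPRINT):
        print(finding)
```

Against a real site, pass the contents of Web.config and the thumbprint of the certificate the STS actually signs with; a "mismatch" result is the case the Add STS Reference steps above are meant to repair.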

3 comments:

  1. Thank you! The STS Federation Metadata Editor saved the day.

  2. Sometimes if you copy and paste the thumbprint from the Certificate dialog, you will inadvertently copy some invisible control characters. If you close web.config, right click in Solution Explorer and choose Open With... Binary Editor, you might see the extra characters. Many times simply removing them solves this error.
