The symmetric key inside the requested security token must be encrypted

Here's one that ate up way too much of my time. Imagine this scenario: you're trying to use ADFS to transform a security token from a foreign domain into one for the domain your app is in. To do this, you have ADFS set up as an active RP-STS, and you present it with a SAML assertion that you got from the IP-STS in the other domain. This means you have created a claims provider trust and a relying party trust in ADFS. Now imagine you can get the assertion from the IP-STS just fine, but you always get this error in ADFS's trace log when you send it over:

Source : Microsoft.IdentityModel
EventId : 1
Data :
<TraceRecord xmlns="http://schemas.microsoft.com/2009/10/IdentityModel/TraceRecord" Severity="Warning"><Description>RequestFailed: TrustNamespace=http://docs.oasis-open.org/ws-sx/ws-trust/200512, Action=http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue, Exception=Microsoft.IdentityModel.SecurityTokenService.RequestFailedException: ID4007: The symmetric key inside the requested security token must be encrypted. To fix this, either override the SecurityTokenService.GetScope() method to assign appropriate value to Scope.EncryptingCredentials or set Scope.SymmetricKeyEncryptionRequired to false.
   at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult.End(IAsyncResult ar)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.EndProcessCore(IAsyncResult ar, String requestAction, String responseAction, String trustNamespace)</Description><AppDomain>Microsoft.IdentityServer.ServiceHost.exe</AppDomain></TraceRecord>

ProcessId : 3156
ThreadId : 11
When I read that, I thought it meant that the symmetric key sent in my RST to ADFS wasn't encrypted. I spent hours examining HTTP traces of my requests, pulling out SHA-1 thumbprints from KeyIdentifiers in SubjectConfirmation elements, decoding and encoding them, and confirming that my IP-STS had encrypted the symmetric key with ADFS's encryption cert. I almost lost my mind until Yang Yu pointed out to me that the message wasn't about the symmetric key presented to ADFS; it meant that ADFS wouldn't send back a different symmetric key to my app because it couldn't encrypt the payload of the RSTR. The fix was simple: in the relying party trust, add an encryption cert.
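As an added example (not from the original post), here is how to check whether a relying party trust has an encryption certificate and to add one with the ADFS 2.0 PowerShell snap-in; the trust name "My App" and the certificate path are placeholders, and the certificate is the RP's public encryption cert (no private key needed on the ADFS side).

```powershell
# Added example. ADFS 2.0 ships its cmdlets in a snap-in; on ADFS 2012 R2 and
# later the ADFS module loads automatically, so the Add-PSSnapin is harmless there.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$trustName = "My App"                           # placeholder: display name of the RP trust
$certPath  = "C:\certs\myapp-encryption.cer"   # placeholder: RP's public encryption certificate

$rp = Get-ADFSRelyingPartyTrust -Name $trustName
if ($rp -eq $null) { throw "Relying party trust '$trustName' not found" }

if ($rp.EncryptionCertificate -eq $null) {
    # Without this cert ADFS has nothing to encrypt the RSTR's symmetric (proof) key
    # for, which is exactly the ID4007 condition in the trace above.
    Write-Host "No encryption certificate on '$trustName'; adding one."
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
    Set-ADFSRelyingPartyTrust -TargetName $trustName -EncryptionCertificate $cert
    $rp = Get-ADFSRelyingPartyTrust -Name $trustName
}

# Confirm what ADFS will now encrypt the issued key with; compare the thumbprint
# against the cert whose private key your app actually holds.
Write-Host ("Encryption cert for '{0}': {1} (thumbprint {2})" -f `
    $trustName, $rp.EncryptionCertificate.Subject, $rp.EncryptionCertificate.Thumbprint)
```

Run it in an elevated PowerShell session on the ADFS server; the thumbprint it prints should match the certificate your app uses to decrypt the token, otherwise the RSTR will come back encrypted for a key you don't have.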

OMG, that took like 100 coffee breaks to figure out :(