One day a customer's ADFS server started complaining about a “Server Error in '/adfs' Application” when doing Single Sign-On against a resource.
The ADFS log (C:\ADFS\logs\) contained this error message:
[WARNING] VerifyCertChain: No certificate in the chain matches a trusted certificate.
[WARNING] KeyInfo processing failed because the chain for the incoming certificate was not valid or did not contain a trusted certificate. Thumbprint = thumbprint
[WARNING] Failing signature verification because the KeyInfo section failed to produce a key.
After checking the Security log in Event Viewer on the ADFS server, I knew what had happened:
Event ID: 500
Event Source: ADFS Federation Service
A token request was received directly by the Federation Service. The request for target 'https://URL' was denied, and no tokens were issued. The request was denied because the inbound evidence could not be verified.
Target URI: https://URL
No resource token was issued.
No logon accelerator token was issued.
The client did not present a logon accelerator token as evidence.
The client presented an invalid inbound token as evidence.
The token referenced an X509 certificate that is not trusted by the ADFS trust policy.
Token issuer: http://remote-ADFS-URL
Thumbprint: thumbprint
Someone had replaced the token-signing certificate on the remote ADFS server that issues the tokens (the "Token issuer" in the event), and the new certificate wasn't trusted by the ADFS server receiving them.
I got hold of the new certificate and added it to the trust policy on the ADFS server. After this, the authentication worked like a charm again.
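Before adding a certificate to the trust policy it is worth checking that the thumbprint ADFS logged in the Event ID 500 message really belongs to the certificate the partner handed over, and that the partner confirms (out-of-band) that they rotated it: an unexpected new signing certificate is exactly what an attacker impersonating the issuer would look like. The PowerShell below is an added example, not code from the original post; it extracts the thumbprint from a constructed copy of the event text, loads the partner's .cer file from an assumed path, and reports whether the thumbprints match and the certificate is currently valid. The event text, the thumbprint value and the file path are all assumptions.

```powershell
# Added example (not from the original post). Compares the thumbprint logged in
# ADFS Event ID 500 with the certificate received from the partner before it is
# trusted. The path below is an assumption; point it at the .cer you received.
param(
    [string]$PartnerCertPath = 'C:\temp\partner-token-signing.cer'
)

# Constructed sample of the relevant part of the Event 500 text. In practice
# take it from the Security log, e.g.:
#   (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=500} | Select-Object -First 1).Message
$eventText = @'
The token referenced an X509 certificate that is not trusted by the ADFS trust policy.
Token issuer: http://remote-ADFS-URL
Thumbprint: 0123456789ABCDEF0123456789ABCDEF01234567
'@

function Get-ThumbprintFromEvent {
    param([string]$Text)
    # ADFS logs the SHA-1 thumbprint as 40 hex digits; normalise to upper case
    # so it compares cleanly with X509Certificate2.Thumbprint.
    if ($Text -match 'Thumbprint:\s*([0-9A-Fa-f]{40})') {
        return $Matches[1].ToUpper()
    }
    throw 'No 40-hex-digit thumbprint found in the event text.'
}

function Test-PartnerCertificate {
    param(
        [string]$CertPath,
        [string]$ExpectedThumbprint
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $now  = Get-Date
    [pscustomobject]@{
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        NotBefore       = $cert.NotBefore
        NotAfter        = $cert.NotAfter
        Thumbprint      = $cert.Thumbprint
        ThumbprintMatch = ($cert.Thumbprint -eq $ExpectedThumbprint)
        CurrentlyValid  = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        # A verification certificate you receive from a partner must not carry a
        # private key; if it does, the partner has sent you far too much.
        HasPrivateKey   = $cert.HasPrivateKey
    }
}

$expected = Get-ThumbprintFromEvent -Text $eventText
$result   = Test-PartnerCertificate -CertPath $PartnerCertPath -ExpectedThumbprint $expected
$result | Format-List

if (-not $result.ThumbprintMatch) {
    Write-Warning "Thumbprint in the event ($expected) does not match the certificate in $PartnerCertPath. Do not add it to the trust policy until the partner confirms which certificate they are signing with."
}
if (-not $result.CurrentlyValid) {
    Write-Warning "Certificate is outside its validity period ($($result.NotBefore) - $($result.NotAfter))."
}
```

Only when ThumbprintMatch and CurrentlyValid are both true, and the partner has confirmed the rotation through a channel other than the token itself, does the certificate go into the trust policy; a matching thumbprint on its own only proves that this is the certificate the remote server is signing with, not that the remote server is still the one you expect.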