SharePoint and ADFS with Encryption

While working with SharePoint 2013 and ADFS I needed to perform encryption during the process. This is very easy to setup within ADFS, by editing the properties of the Relying Party to set the encryption certificate.

Once this is set and ADFS is enabled on the site, when you access the site you get an error with no error message. Upon looking in the event log I saw the following error.

This error is saying that SharePoint is unable to use the encryption key as it is unaware of the key itself. To resolve this we need to modify the web.config for SharePoint with the following:

<add type="Microsoft.SharePoint.IdentityModel.SPSaml11SecurityTokenHandler, Microsoft.SharePoint.IdentityModel, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c">
<nameClaimType value="" />
<add type="Microsoft.SharePoint.IdentityModel.SPTokenCache, Microsoft.SharePoint.IdentityModel, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<!-- Add this here -->
<add type="Microsoft.IdentityModel.Tokens.EncryptedSecurityTokenHandler, Microsoft.IdentityModel, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
<wsFederation passiveRedirectEnabled="false" issuer="https://none" realm="https://none" />
<cookieHandler mode="Custom" path="/">
<customCookieHandler type="Microsoft.SharePoint.IdentityModel.SPChunkedCookieHandler, Microsoft.SharePoint.IdentityModel, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<!-- Add this here -->
<certificateReference x509FindType="FindByThumbprint"
storeLocation="LocalMachine" storeName="My"/>

The first line is to ensure that SharePoint now had a "TokenHandler" to handle encrypted traffic.

<add type="Microsoft.IdentityModel.Tokens.EncryptedSecurityTokenHandler, Microsoft.IdentityModel, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

The second is actually the certificate that is being used for the encryption in ADFS. The thumbprint should be replaced with the correct one from the ADFS encryption certificate. You can get this by doing the following:

  1. Launch ADFS Management Console
  2. Clicking the properties for the Relying Party and selecting the Encryption Tab

  3. Click "View", then select the "Details" tab and scroll to "Thumbprint".

  4. Copy out the thumbprint, remove all spaces and then use that.
<certificateReference x509FindType="FindByThumbprint"
storeLocation="LocalMachine" storeName="My"/>

Now you have it completed, you need to have the certificate in the manage trust and installed on the SharePoint Server so it will trust it. When you test the login it should work, but for my testing it gave me the following error:

Now SharePoint is complaining that the application pool account does not have permission to get the private key for the encryption certificate. To resolve this the easiest way is to use "WinHttpCertCfg" which can be downloaded from here:

Once it is installed you will need to launch a command window as an Administrator and navigation to the location you installed it in which by default is:

C:\Program Files (x86)\Windows Resource Kits\Tools

Once there you need to run the following command:

This will check what accounts have permissions to the certificate:

winhttpcertcfg -l -c LOCAL_MACHINE\Root -s {CertName}

NOTE: You need to replace "{CertName}" with the issued to name.

Then run this command to set the permission on the certificate for the application pool mentioned in the error log.

winhttpcertcfg -g -c LOCAL_MACHINE\My -s {CertName} –a "DOMAIN\AppPool"

Once set you will then be able to log into the site using ADFS without any errors and have the whole process encrypted via ADFS using your certificate. Hope this helps.

Liam Cleary

Liam began his career as a Trainer of all things computer-related. He quickly realized that programming, breaking, and hacking was a lot more fun. He spent the next few years working within core infrastructure and security services until he found SharePoint. He is the founder and owner of SharePlicity, a consulting company that focuses on all areas of Technology. His role within SharePlicity is to help organizations implement technology that will enhance internal and external collaboration, document and records management, automate business processes, and of course security controls and protection. He is also a Microsoft MVP focusing on Architecture but also crosses the boundary into Development. He is also a Microsoft Certified Trainer (MCT). His specialty over the past few years has been security in SharePoint and its surrounding platforms. He can often be found at user groups or conferences speaking, offering advice, spending time in the community, teaching his kids how to code, raspberry PI programming, hacking the planet or building Lego robots.

You may also like...