SharePoint and ADFS with Encryption

While working with SharePoint 2013 and ADFS I needed to encrypt the token during the sign-in process. This is very easy to set up within ADFS: edit the properties of the Relying Party and set the encryption certificate.


Once this is set and ADFS is enabled on the site, when you access the site you get an error with no error message. Upon looking in the event log I saw the following error.


This error means SharePoint cannot process the encrypted token because it has not been told about the encryption certificate or given a handler for encrypted tokens. To resolve this we need to modify the SharePoint web.config as follows (the two additions are marked with comments):

        <add type="Microsoft.SharePoint.IdentityModel.SPSaml11SecurityTokenHandler, Microsoft.SharePoint.IdentityModel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c">
          <samlSecurityTokenRequirement>
            <nameClaimType value="http://schemas.microsoft.com/sharepoint/2009/08/claims/userid" />
          </samlSecurityTokenRequirement>
        </add>
        <add type="Microsoft.SharePoint.IdentityModel.SPTokenCache, Microsoft.SharePoint.IdentityModel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <!-- Add this here -->
        <add type="Microsoft.IdentityModel.Tokens.EncryptedSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </securityTokenHandlers>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="false" issuer="https://none" realm="https://none" />
        <cookieHandler mode="Custom" path="/">
          <customCookieHandler type="Microsoft.SharePoint.IdentityModel.SPChunkedCookieHandler, Microsoft.SharePoint.IdentityModel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        </cookieHandler>
      </federatedAuthentication>
      <!-- Add this here -->
      <serviceCertificate>
        <certificateReference x509FindType="FindByThumbprint"
                              findValue="1BF5AF5E09DE6C2FC3FB3C0DD9B4FCACE73CCBFE"
                              storeLocation="LocalMachine" storeName="My"/>
      </serviceCertificate>
    </service>
  </microsoft.identityModel>
</configuration>

The first addition registers a token handler so that SharePoint can decrypt and process encrypted security tokens:

<add type="Microsoft.IdentityModel.Tokens.EncryptedSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

The second addition references, by thumbprint, the certificate that ADFS uses for encryption. Replace the thumbprint with the one from your own ADFS encryption certificate; you can get it as follows:

  1. Launch the ADFS Management Console.
  2. Open the properties of the Relying Party and select the Encryption tab.
  3. Click "View", then select the "Details" tab and scroll to "Thumbprint".
  4. Copy out the thumbprint, remove all spaces, and use the result as the findValue:

<serviceCertificate>
  <certificateReference x509FindType="FindByThumbprint"
                        findValue="1BF5AF5E09DE6C2FC3FB3C0DD9B4FCACE73CCBFE"
                        storeLocation="LocalMachine" storeName="My"/>
</serviceCertificate>

With web.config updated, the certificate also needs to be added under Manage Trust in Central Administration and installed on the SharePoint server so that SharePoint trusts it. When you test the login it should work, but in my testing it gave me the following error:


Now SharePoint is complaining that the application pool account does not have permission to read the private key of the encryption certificate. The easiest way to resolve this is with "WinHttpCertCfg", which can be downloaded from here:

http://www.microsoft.com/en-us/download/details.aspx?id=19801

Once it is installed, launch a command window as an Administrator and navigate to the folder you installed it in, which by default is:

C:\Program Files (x86)\Windows Resource Kits\Tools

Once there, run the following command, which lists the accounts that currently have access to the certificate's private key:

winhttpcertcfg -l -c LOCAL_MACHINE\My -s {CertName}

NOTE: Replace "{CertName}" with the certificate's Issued To (subject) name. The store given with -c must be the one that actually holds the certificate and its private key; the web.config above points at the LocalMachine My (Personal) store.

Then run this command to grant the application pool account named in the error log access to the certificate's private key:

winhttpcertcfg -g -c LOCAL_MACHINE\My -s {CertName} -a "DOMAIN\AppPool"
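As an added check (not part of the original post), the following PowerShell performs the same verification and least-privilege grant without WinHttpCertCfg: it confirms that the thumbprint placed in web.config resolves to a certificate with a private key in LocalMachine\My, lists which accounts can read that key, and grants Read to the application pool account only if it is missing. It assumes a CSP-backed RSA key (the kind the .PrivateKey property exposes), uses the post's thumbprint and a placeholder account name, and must be run from an elevated PowerShell on the SharePoint server.

```powershell
# Added example, not from the original post. Values below are placeholders.
$Thumbprint     = '1BF5AF5E09DE6C2FC3FB3C0DD9B4FCACE73CCBFE'   # thumbprint from web.config; replace with yours
$AppPoolAccount = 'DOMAIN\AppPool'                             # application pool identity from the error log

# 1. The certificate referenced in web.config must exist in LocalMachine\My and carry a private key.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate found but it has no private key; import the PFX, not only the public .cer" }
if (-not $cert.PrivateKey) { throw "Private key is not CSP-backed; this script cannot locate its key file" }

# 2. A CSP key is stored as a file under ProgramData\Microsoft\Crypto; its NTFS ACL decides
#    whether the app pool identity may use the key to decrypt tokens.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -Filter $keyName -ErrorAction SilentlyContinue |
           Select-Object -First 1 -ExpandProperty FullName
if (-not $keyPath) { throw "Key container file $keyName not found under $env:ProgramData\Microsoft\Crypto" }

# 3. Show who can currently access the key (the equivalent of winhttpcertcfg -l).
$acl = Get-Acl -Path $keyPath
$acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize

# 4. Grant Read only (enough to decrypt) and only when the account does not already have it.
$readMask = [int][System.Security.AccessControl.FileSystemRights]::Read
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $AppPoolAccount -and
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band $readMask) -ne 0)
}
if ($hasRead) {
    Write-Output "$AppPoolAccount already has Read access to the private key."
} else {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($AppPoolAccount, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
    Write-Output "Granted Read on the private key to $AppPoolAccount."
}
```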

Once set, you will be able to log into the site through ADFS without errors, with the token encrypted by ADFS using your certificate. Hope this helps.

Liam Cleary

I work as an Associate Director for Protiviti in Virginia. My main focus is to ensure that SharePoint can either natively or with minimal customization meet the business requirement securely. I am currently a SharePoint MVP focused on Architecture but also cross the boundary into Development and Security. I am often found at user groups, conferences speaking, offering advice, spending time in the community, teaching my kids how to code, raspberry PI programming, hacking the planet and sometimes building Lego robots.
