I recently ran into an issue with one of my applications that uses Azure Active Directory authentication. The application was working properly and all of a sudden, one day we got this error:
WIF10201: No valid key mapping found for securityToken: ‘System.IdentityModel.Tokens.X509SecurityToken’ and issuer: ‘https://sts.windows.net/a66eec53-81f8-482f-a572-c9ba46f14c5d/’.
After a lot of search around, I finally found a blog post by Jeff Levinson that helped me find the answer: http://blogs.msdn.com/b/musings_on_alm_and_software_development_processes/archive/2015/02/25/wif10201-no-valid-key-mapping-found-for-securitytoken-system-identitymodel-tokens-x509securitytoken-and-issuer-https-sts-windows-net-0f44c5d4-42b0-45c2-bf55-d0fea8430d33.aspx
From this MSDN article: https://msdn.microsoft.com/en-us/library/azure/dn641920.aspx#BKMK_Manually
“Azure AD uses public-key cryptography built on industry standards to establish trust between itself and the applications that use it. In practical terms, this works in the following way: Azure AD uses a signing key that consists of a public and private key pair. When a user signs in to an application that uses Azure AD for authentication, Azure AD creates a security token that contains information about the user. This token is signed by Azure AD using its private key before it is sent back to the application. To verify that the token is valid and actually originated from Azure AD, the application must validate the token’s signature using the public key exposed by Azure AD that is contained in the tenant’s federation metadata document. This public key – and the signing key from which it derives – is the same one used for all tenants in Azure AD.”
The permanent fix was to Add this code to Global.asax.cs:
protected void RefreshValidationSettings()
string configPath = AppDomain.CurrentDomain.BaseDirectory + “\\” + “Web.config”;
string metadataAddress =
And call that from Application_Start();
This will make sure that your application uses the latest key.