WIF10201: No valid key mapping found for securityToken

I recently ran into an issue with one of my applications that uses Azure Active Directory authentication. The application was working properly and then, all of a sudden, one day we got this error:

WIF10201: No valid key mapping found for securityToken: ‘System.IdentityModel.Tokens.X509SecurityToken’ and issuer: ‘https://sts.windows.net/a66eec53-81f8-482f-a572-c9ba46f14c5d/’.

After a lot of searching around, I finally found a blog post by Jeff Levinson that helped me find the answer: http://blogs.msdn.com/b/musings_on_alm_and_software_development_processes/archive/2015/02/25/wif10201-no-valid-key-mapping-found-for-securitytoken-system-identitymodel-tokens-x509securitytoken-and-issuer-https-sts-windows-net-0f44c5d4-42b0-45c2-bf55-d0fea8430d33.aspx

From this MSDN article: https://msdn.microsoft.com/en-us/library/azure/dn641920.aspx#BKMK_Manually

“Azure AD uses public-key cryptography built on industry standards to establish trust between itself and the applications that use it. In practical terms, this works in the following way: Azure AD uses a signing key that consists of a public and private key pair. When a user signs in to an application that uses Azure AD for authentication, Azure AD creates a security token that contains information about the user. This token is signed by Azure AD using its private key before it is sent back to the application. To verify that the token is valid and actually originated from Azure AD, the application must validate the token’s signature using the public key exposed by Azure AD that is contained in the tenant’s federation metadata document. This public key – and the signing key from which it derives – is the same one used for all tenants in Azure AD.”

The permanent fix was to add this method to Global.asax.cs:

using System.Configuration;
using System.IdentityModel.Tokens;
protected void RefreshValidationSettings()
{
    string configPath = AppDomain.CurrentDomain.BaseDirectory + "\\" + "Web.config";
    string metadataAddress = ConfigurationManager.AppSettings["ida:FederationMetadataLocation"]; // appSettings key assumed (the standard Azure AD project template's); the original line is cut off after "="
    ValidatingIssuerNameRegistry.WriteToConfig(metadataAddress, configPath); // downloads the federation metadata and rewrites the issuerNameRegistry keys in Web.config
}

Then call it from Application_Start().

This makes sure that your application picks up the current signing key every time it starts, so a key rollover on the Azure AD side no longer breaks token validation.
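The failure behind WIF10201 is a mismatch between the signing certificates Azure AD advertises in its federation metadata and the thumbprints the ValidatingIssuerNameRegistry section of Web.config trusts. The following Python script is an added example (not code from the post or from Microsoft) that performs that comparison so you can spot a pending rollover before it breaks sign-in; the metadata document and Web.config fragment are constructed sample data with placeholder certificate bytes.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # namespace of ds:X509Certificate in the metadata

def thumbprint(der_bytes: bytes) -> str:
    # WIF thumbprints are the upper-case hex SHA-1 of the DER-encoded certificate.
    return hashlib.sha1(der_bytes).hexdigest().upper()

def metadata_thumbprints(metadata_xml: str) -> set:
    """Thumbprints of every X509Certificate the federation metadata advertises."""
    root = ET.fromstring(metadata_xml)
    return {thumbprint(base64.b64decode(el.text.strip()))
            for el in root.iter(DS + "X509Certificate")}

def configured_thumbprints(web_config_xml: str) -> set:
    """Thumbprints listed under issuerNameRegistry/authority/keys in Web.config."""
    root = ET.fromstring(web_config_xml)
    return {add.get("thumbprint").upper()
            for add in root.iter("add") if add.get("thumbprint")}

def untrusted_signing_keys(metadata_xml: str, web_config_xml: str) -> set:
    """Keys Azure AD may sign with that this Web.config would reject (the WIF10201 state)."""
    return metadata_thumbprints(metadata_xml) - configured_thumbprints(web_config_xml)

# Constructed sample data: the certificate bodies are placeholder bytes, not real certificates.
OLD_CERT, NEW_CERT = b"constructed-old-signing-cert", b"constructed-new-signing-cert"
METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sts.windows.net/a66eec53-81f8-482f-a572-c9ba46f14c5d/">
  <RoleDescriptor><KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </RoleDescriptor></EntityDescriptor>""".format(
    base64.b64encode(OLD_CERT).decode(), base64.b64encode(NEW_CERT).decode())
# A Web.config written before the rollover: it only trusts the old signing key.
WEB_CONFIG = """<configuration><system.identityModel><identityConfiguration>
  <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
    <authority name="https://sts.windows.net/a66eec53-81f8-482f-a572-c9ba46f14c5d/">
      <keys><add thumbprint="{}" /></keys>
      <validIssuers><add name="https://sts.windows.net/a66eec53-81f8-482f-a572-c9ba46f14c5d/" /></validIssuers>
    </authority></issuerNameRegistry>
</identityConfiguration></system.identityModel></configuration>""".format(thumbprint(OLD_CERT))
```

Run against your tenant's real federation metadata and deployed Web.config, a non-empty result from untrusted_signing_keys means the next token signed with the new key will fail with WIF10201 unless the keys are refreshed as shown above.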

About esteban

Esteban is the Founder and Chief Technologist at Nebbia Technology, an ALM consulting and Azure-powered technology company. He is a software developer with a passion for ALM, TFS, Azure, and software development best practices. Esteban is a Microsoft Visual Studio ALM MVP and ALM Ranger, Pluralsight author, and the president of ONETUG (Orlando .NET User Group).
