Microsoft Dynamics AX (Archived)

FormsAuth cannot redirect to the EP website after login


Hi All,

I get an error when logging in to the Enterprise Portal website using FormsAuth.

Please see the error in the event viewer below.

Exception message: ID4220: The SAML Assertion is either not signed or the signature's KeyIdentifier cannot be resolved to a SecurityToken. Ensure that the appropriate issuer tokens are present on the token resolver. To handle advanced token resolution requirements, extend Saml11TokenSerializer and override ReadToken.
at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Thanks in advance

  • BorisD (Moderator)

    Hello Mark,

    Is this a new implementation, or did it work and then just stop working? The error is related to your signing certification. You either have an expired signing certification, or you haven't established the trust yet between your EP site and the forms-based site, or you don't have a signing cert at all. Let me know which of these scenarios you might have and I can give you some instructions.

  • Mark_Edel

    Hi Boris,

    Thanks for responding.

    This is a new installation and configuration of EP.

    I just followed the instructions at the TechNet link technet.microsoft.com/.../hh575253.aspx

    I used Option B (Visual Studio is not installed on the Enterprise Portal server) and imported the certificate to the Enterprise Portal server as described in the guide. When I log in to EP using forms-based authentication I encounter the error, whereas when I log in using Windows authentication it proceeds to the EP website.

    Regards,

    Mark

  • Suggested answer
    BorisD (Moderator)

    I had a problem with the exact same section of the document. First, make sure you are using the Visual Studio that is linked to the AX environment you are trying to deploy Enterprise Portal to.

    For number 18 in Option B, if you copied the .PFX to the EP site and used this cert for number 4, $SigningCert = Get-PfxCertificate c:\certs\<string>.cer, in the Create a forms-based Security Token Service site section, this could be where the problem is.

    Instead, copy the .cer cert from c:\cert\<string>.cer on the Visual Studio server you used and paste it to the EP site in c:\cert\<string>.cer. You will have to create the cert folder. Once you have this on the EP site at c:\certs\<string>.cer, execute the commands below in SharePoint PowerShell. Make sure to right-click and run as admin. Note: change <string> to whatever you named your cert.

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certs\<string>.cer")

    $sts = Get-SPTrustedIdentityTokenIssuer 

    $sts | Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate $cert 

    This should resolve the issue. Please see blog below for additional information.

    community.dynamics.com/.../creating-an-enterprise-portal-site-that-39-s-available-from-the-internet-and-intranet-ax-2012

    Refer to sections: Error when you authenticate to the forms-Auth site you get Server Error in '/' Application. & Errors in the instructions:  

    Hope this helps!

  • Mark_Edel

    Hi Boris,

    I tried your recommendation but unfortunately it did not solve the issue.

    1856.EP-error.PNG

    Is there any other way/solution for the error encountered?

    I really appreciate your help.

    Thanks!

  • BorisD (Moderator)

    Hello Mark,

    After making the changes, did you restart IIS? Were SSLCert1 & SSLCert2 created from the EP server that you want to connect to? Did you verify that the Visual Studio you created the STS signing certificate for the token service from is pointing to the environment you want to connect to? If you don't mind, can you describe exactly at what point you are getting this error?

  • Mark_Edel

    Hi Boris,

    Yes, I restarted IIS. SSLCert1 and SSLCert2 were created on the EP server. I also verified the Visual Studio used in creating the STS signing certificate.

    I'm getting the error after logging in with forms-based authentication.

  • BorisD (Moderator)

    Hello Mark,

    Did you import the .cer cert to the Trusted Root Certification Authorities on the SharePoint site where your FormAuth and EP site are?

    Run the Get-SPTrustedIdentityTokenIssuer command in SharePoint PowerShell and verify that the serial number matches the serial number of the .cer cert in the Trusted Root Certification Authorities on the SharePoint Server and the one that's in the C:\Certs folder.

    If there is a mismatch, re-import the one on the C drive to Trusted Root Certification Authorities. I'm assuming that this is the one you used for the $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certs\<string>.cer") command in the earlier suggestion.

    You are almost there! It's just getting your certs in order.
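
The serial-number comparison described in the reply above, written out as a script. This is an added example, not part of the original thread; it assumes the C:\certs\<string>.cer path used in the thread and a SharePoint Management Shell run as administrator, and it goes slightly further than the reply by comparing thumbprints and flagging expired certificates.

```powershell
# Added example (not from the thread). Run in the SharePoint Management Shell as admin.
# ASSUMPTION: the path follows the thread's C:\certs\<string>.cer; replace <string>.
$cerPath = 'C:\certs\<string>.cer'

function Get-CertSummary {
    param([string]$Source,
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    New-Object PSObject -Property @{
        Source       = $Source
        Subject      = $Cert.Subject
        SerialNumber = $Cert.SerialNumber
        Thumbprint   = $Cert.Thumbprint
        NotAfter     = $Cert.NotAfter
        Expired      = ($Cert.NotAfter -lt (Get-Date))
    }
}

# 1. The .cer file copied from the Visual Studio server.
$fileCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
$rows = @(Get-CertSummary -Source "File $cerPath" -Cert $fileCert)

# 2. The certificate each trusted identity token issuer uses to validate tokens.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
foreach ($issuer in @(Get-SPTrustedIdentityTokenIssuer)) {
    $rows += Get-CertSummary -Source "Issuer $($issuer.Name)" -Cert $issuer.SigningCertificate
}

# 3. Same-subject entries in Trusted Root Certification Authorities (local machine).
$rootMatches = @(Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $fileCert.Subject })
foreach ($c in $rootMatches) {
    $rows += Get-CertSummary -Source 'Cert:\LocalMachine\Root' -Cert $c
}
if ($rootMatches.Count -eq 0) {
    Write-Warning "No certificate with subject '$($fileCert.Subject)' in LocalMachine\Root."
}

$rows | Format-Table Source, SerialNumber, Thumbprint, NotAfter, Expired -AutoSize

# The thumbprint hashes the whole certificate, so it is a stricter match than the serial.
$mismatch = @($rows | Where-Object { $_.Thumbprint -ne $fileCert.Thumbprint })
if ($mismatch.Count -gt 0) {
    Write-Warning 'These sources hold a different certificate than the .cer file:'
    $mismatch | Format-Table Source, SerialNumber, Thumbprint -AutoSize
}
if (@($rows | Where-Object { $_.Expired }).Count -gt 0) {
    Write-Warning 'At least one of these certificates has expired.'
}
```

Any row whose thumbprint differs from the file's points at the store or issuer that still holds a stale certificate and needs the re-import.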

  • BorisD (Moderator)

    Hello Mark,

    Any progress on this?

  • Mark_Edel

    Hi Boris,

    Apologies for the late response. I've tried your suggestion but the forms-based authentication still cannot redirect to the EP website.

    Below is the validation that the certificates have the same serial number.

    siteerror.PNG

    Here is the website error after clicking forms-based as the authentication.

    siteerror.PNG

    Regards!

  • BorisD (Moderator)

    Hello Mark,

    If you check the logs, are you still getting the ID4220: The SAML Assertion is either not signed or the signature's KeyIdentifier cannot be resolved error, or is it a new error now?
