add a new article

genlin · genlin · commit 12ca68ec0bd8 · 2025-02-05T11:54:17.000+08:00
diff --git a/support/entra/entra-id/app-integration/troubleshoot-wif10201-no-valid key-securitytoken-mvc.md b/support/entra/entra-id/app-integration/troubleshoot-wif10201-no-valid key-securitytoken-mvc.md
@@ -0,0 +1,55 @@
+---
+title: ASP.NET MVC application error WIF10201: No valid key mapping found for securityToken
+description: This article provides guidance for troubleshooting the the error "WIF10201- No valid key mapping found for securityToken".
+author: genlin
+ms.author: bachoang
+ms.service: entra-id
+ms.topic: troubleshooting-general
+ms.date: 02/05/2025
+ms.custom: sap:Issues Signing In to Applications
+---
+# WIF10201: No valid key mapping found for securityToken in ASP.NET MVC application
+
+This article provides guidance for troubleshooting an authentication issue in an ASP.NET MVC application that uses both [WS-Federation](https://github.com/Azure-Samples/active-directory-dotnet-webapp-wsfederation) OWIN middleware and [Windows Identity Foundation](../../../windows-server/user-profiles-and-logon/windows-identity-foundation.md) (WIF) to authenticate to Microsoft Entra ID.
+
+## Symptom
+
+The ASP.NET MVC application was working previously; however, the following error is now occurring without any changes to the application.
+
+```dotnetcli
+Error Details:
+Server Error in ‘/’ Application.
+WIF10201: No valid key mapping found for securityToken: ‘System.IdentityModel.Tokens.X509SecurityToken’ and issuer: ‘https://sts.windows.net/<Directory ID>/’.
+
+Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
+
+Exception Details: System.IdentityModel.Tokens.SecurityTokenValidationException: WIF10201: No valid key mapping found for securityToken: ‘System.IdentityModel.Tokens.X509SecurityToken’ and issuer: ‘https://sts.windows.net/<Directory ID>/’.
+```
+
+## Cause 
+
+Windows Identity Foundation uses the certificate thumbprint(s) in the web.config file (shown below) to verify the signature of the token returned from THE Entra ID upon successful sign in.
+
+```
+<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, 
+System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
+<authority name="https://sts.windows.net/<Directory ID>/">
+    <keys>
+    <add thumbprint="C142E..." />
+    <add thumbprint="8BA94..." />
+    <add thumbprint="D92E1..." />
+    </keys>
+    <validIssuers>
+    <add name="https://sts.windows.net/<Directory ID>/" />
+    </validIssuers>
+</authority>
+</issuerNameRegistry>
+```
+
+The error WIF10201 occurs when none of these certificate thumbprints match the one used by Entra ID to sign the token.
+
+The Entra ID uses a [signing key rollover mechanism](entra/identity-platform/signing-key-rollover), which updates the certificate used to sign authentication tokens periodically. This key rollover causes the initial certificate thumbprints configured in the web.config file to become invalid, hence leading to the error.
+
+### Solution
+
+You can either update the certificate thumbprints in the web.config file manually  or automate the process through code. For more information, see [Best practices for keys metadata caching and validation](/entra/identity-platform/signing-key-rollover#best-practices-for-keys-metadata-caching-and-validation)
