Been bashing my head against this (WIF: ID1014: The signature is not valid. The data may have been tampered with) problem now for about a week. WIF tracing has been useless in trying to solve this. For my own sanity's sake, here are the possible causes that I have found so far that could cause it.
- Token signed with an incorrect certificate: the wrong certificate is specified in the configuration under FederationConfigurations\serviceCertificate\certificateReference.
- Multiple FederationConfigurations exist and the wrong one is used when creating the token.
- An old token protected with DPAPI, but the system now expects decryption with RSA.
- Using a machine key in a load-balanced environment: the machine key does not scale across servers.
- HttpContext.Current.User is null when the token is created.
- Certificate not loaded from a store. (Unconfirmed)
For me the problem surfaced in a unique configuration where our STS is configured as both an RP-STS and an STS. When a desktop system needs to access a resource in our website, it sends the STS a token generated by our A-STS, and this then signs it into the federation. It is in this specific situation that my problem surfaced.
WTF! I found a solution for my problem, but I do not know what was causing the issue. In the end I ended up programmatically rebuilding the FederationConfiguration and assigning it to the FederatedAuthentication.SessionAuthenticationModule.FederationConfiguration property each time just before the sign-in. I could not see any difference between the FederationConfiguration from the config file and the one I was building programmatically, but it solved my problem.
I hate leaving this issue without understanding what caused it, but I have spent too much time on it already.
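As an added example (not the author's code) of the workaround described above, this is how a FederationConfiguration can be rebuilt and assigned to the SessionAuthenticationModule in WIF 4.5 (System.IdentityModel.Services). The thumbprint and store location are placeholders; the certificate is loaded explicitly from the store and checked for a private key, so that the "wrong certificate" and "certificate not loaded from a store" causes from the list can be ruled out at the same time.

```csharp
using System;
using System.IdentityModel.Services;
using System.IdentityModel.Services.Configuration;
using System.Security.Cryptography.X509Certificates;

public static class FederationConfigurationRebuilder
{
    // Placeholder: thumbprint of the certificate that serviceCertificate/certificateReference
    // in the config file is supposed to point at.
    private const string ServiceCertificateThumbprint = "PLACEHOLDER_THUMBPRINT";

    // Loads the service certificate from LocalMachine\My (store location is an assumption).
    private static X509Certificate2 LoadServiceCertificate()
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, ServiceCertificateThumbprint, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException("Service certificate not found in LocalMachine\\My.");
            var cert = matches[0];
            // Without a private key the session token can be neither signed nor decrypted.
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Service certificate has no private key.");
            return cert;
        }
        finally
        {
            store.Close();
        }
    }

    // Rebuilds the FederationConfiguration from <system.identityModel> and
    // <system.identityModel.services>, pins the service certificate explicitly and
    // hands the result to the SessionAuthenticationModule. Call this just before sign-in.
    public static FederationConfiguration RebuildAndApply()
    {
        var config = new FederationConfiguration(true); // true = load the config sections
        var cert = LoadServiceCertificate();
        config.ServiceCertificate = cert;                        // used by the WS-Federation module
        config.IdentityConfiguration.ServiceCertificate = cert;  // used by the session token handler
        config.Initialize();

        var sam = FederatedAuthentication.SessionAuthenticationModule;
        if (sam == null)
            throw new InvalidOperationException("SessionAuthenticationModule is not registered.");
        sam.FederationConfiguration = config;
        return config;
    }
}
```

Logging `config.ServiceCertificate.Thumbprint` next to the thumbprint of the certificate that signed the incoming token is a quick way to confirm whether the two FederationConfigurations really are identical.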