Windows Identity Foundation Security Token Service throwing CryptographicException: ID6013: The sign

For some reason the tokens that my STS are generating are invalidating themselves after some point in time. This is not the common issue that people have when they get this exception where they have modified the FederatedMetadata.xml file afterwards.

I can use my STS to correctly authenticate and all is well and good, at some point my STS consuming site (let’s call it APP) has the ticket expire on it’s STS cookie which then redirects them back to the STS. The STS is setup so that the users can get a
long running cookie on the STS to stay logged in. Since the user has the cookie on the STS they correctly are authenticated. The STS then posts them back to the APP.

This sequences works fine for a while. However after a while this just halts with this amazingly unhelpful error.


ID6013: The signature verification failedException Details:
System.Security.Cryptography.CryptographicException: ID6013: The signature verification failed.



After this error starts occuring it will repeat forever until I deploy my site with the exact same files which will then run again fine for a period of time.

This is absolutely terrifying to consider that the STS just COMPLETELY FAILS RANDOMLY AFTER SOME POINT.

What is going on? What can be done to fix this?

Is there a way to disable this broken “feature” entirely?


Edit: For clarification the STS itself isn’t throwing this exception, this exception is being raised by

 Microsoft.IdentityModel.Protocols.XmlSignature.SignedXml.VerifySignature(HashAlgorithm hash, AsymmetricSignatureDeformatter deformatter, String signatureMethod) +264

on APP.

This error  generally indicates that the token  being returned from the STS has been modified  in transit, for example by a proxy. You should turn on verbose tracing on both the STS and the consuming  site when it fails, which will show the bytes being signed

I’ve enabled logging on the STS producer successfully following 

I was finally able to get tracing results from both sides of the equation