SharePoint 2010/2013 site configured to use Microsoft Account fails


On a SharePoint site which is configured to use Microsoft Account (earlier known as Windows Live ID), you get the following error message:

Server Error in ‘/’ Application.

 ID4037: The key needed to verify the signature could not be resolved from the following security

key identifier ‘SecurityKeyldentifier


    IsReadOnly = False,

    Count = 2,

    Clause[0] = X5O9SubjectKeyldentifierClause(SKI = Ox9A8ABF4EFAE3C7CA72D7A745A8DA9A11CE94OAFE),

    Clause[1] = KeyNameldentifierClause(KeyName = ‘Window Live ID’)

‘. Ensure that the SecurityTokenResolver is populated with the required key.


The Microsoft Account certificate might not have been installed on the server or might be out of date.


  1. Create a new certificate (.cer file) using key from FederationMetaData.xml file. For Microsoft account/LIVEID FederationMetaData.xml, go to this link and take the 1st certificate key. Do verify the validity of the certificate and ensure that the expiry is set to 11/11/2016 
  2. Install this certificate in certificate store under following sections by using Certutil or Certmgr.msc console on all SharePoint servers
      a.       SharePoint
      b.      Trusted Root Certification Authorities
      c.       Trusted People

      $certloc ="<pathtotheCertificatefile>"
      certutil -addstore -f "TrustedPeople" $certloc
      certutil -addstore -f "SharePoint" $certloc
      certutil -addstore -f "TrustedRoot" $certloc
    certutil -addstore -f "Root" $certloc
  3. Update SharePoint's SPTrustedRootAuthority to use this new certificate
      $certloc = "<pathtotheCertificatefile>"
      $rootcert = Get-PfxCertificate $certloc
      $liveIDRoot=Get-SPTrustedRootAuthority <LiveID>
      Set-SPTrustedRootAuthority -Identity $liveIDRoot -Certificate $rootcert
    Note: Replace LiveID here with the name of the Trusted root authority. Run "Get-SPTrustedRootAuthority" to identify the name of the existing trusted root authority.
  4. Update SharePoint's SPTrustedIdentityTokenIssuer to use this new certificate 
      $certloc = "<pathtotheCerificatefile>"
      $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certloc)
      $LiveIDSTS=Get-SPTrustedIdentityTokenIssuer  <LiveID>
      Set-SPTrustedIdentityTokenIssuer -Identity $LiveIDSTS -ImportTrustCertificate $cert

    Note: Replace LiveID here with the name of the token issuer. Run "Get-SPTrustedIdentityTokenIssuer" to identify the name of the existing trusted token issuer.
  5. Restart IIS

More Information

For more details on Configuring claims-based authentication using Windows Live ID refer

Article ID: 2915817 - Last Review: 9 Dec 2013 - Revision: 1