SharePoint 2010: Nailing the error "The Security Token Service is unavailable"

First of all let’s talk about STS (Security Token Service)

• An STS is a specialized Web service that is designed to respond to requests for security tokens and provide identity management. The core functionality of every STS is the same, but the nature of the tasks that each STS performs depends on the role the STS plays in relation to the other STS Web services in your design. (refer- https://technet.microsoft.com/en-us/library/ee806864.aspx)

• STS is neither a SharePoint service, nor a window service, but actually a WCF web service

• Many SharePoint Services like User Profile Sync Service, SharePoint Search Service are Claims aware and such SharePoint Services will need STS to be up and running in a stable condition

• Let's take Search as an example: Let's take a case where Query Component is hosted on the App Server and a User hits the WFE and performs a Search. In this case the WFE will communicate with the Query Component on the App Server by making use of its STS to get the Claim, and the same is sent to the App Server. Without STS working, this communication will not be possible.

• Also User Profile Synchronization Service (UPSS) cannot start if the STS is not in a healthy condition

• Not only SharePoint Services, even Web Applications will require STS to be working for the Intra/Inter Farm Authentication.

• The below figure shows that within a SharePoint Farm the Intra/Inter Farm Authentication happens using Claims Authentication, and since it uses Claims Authentication, it is more than required for the STS to be working

I have seen numerous cases where the UPSS fails to start because of the unavailability of the STS. In such cases you can also see following errors logged:

In SharePoint Health Analyzer: "The Security Token Service is unavailable"

In SharePoint ULS logs while starting UPSS, errors like:

• An exception occurred when trying to issue security token: The server did not provide a meaningful reply; this might be caused by a contract mismatch, a premature session shutdown or an internal server error (OR)

• Request for security token failed with exception: System.ServiceModel.ServiceActivationException: The requested service, 'https://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc/actas' could not be activated (OR)

• An exception occurred when trying to issue security token: The requested service, 'https://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc/actas' could not be activated

You may not see all the errors as shown above, I'm just trying to collate the common errors seen while starting UPSS when STS is broken.

To troubleshoot such issues, it will be good to check if we can browse to the STS Web Service page.

To browse you have to go to IIS Manager --> Sites --> SharePoint WebServices --> SecurityTokenServiceApplication, click on 'Content View' down at the bottom, right click on Securitytoken.svc and click Browse (as shown below)

The expected page to see if STS is working will be as shown below:

As long as you get the above message while browsing, be sure that the STS is working just fine. In cases where STS is broken, you will not be able to browse to the above web service. You will get errors like Server Error in '\' Application, or Internet Explorer cannot display the web page etc.

How to fix STS?

Step One:

Right click on the SecurityTokenServiceApplication and click Explore, copy the web.config and compare the file with the file attached, which is completely out of the box with no modifications. If you find a lot of changes in the web.config file on your Farm with that of mine, replace the file on SecurityTokenServiceApplication(please also have the copy of the original web.config), perform an IIS reset and check if the STS page comes as expected

Step Two:

A BIG Thank You! To Abhishek Saigal (one of the finest resource in SharePoint Admin world) who came up with this fix, which has a success rate of 99.99%

I have tried this fix on numerous User Profile cases where UPSS could never start due to broken STS, and after STS was fixed UPSS started like a charm!

The below PowerShell commands re-provisions all the SharePoint Web Services, and this is one of the safest way to get the STS working.

There is no need to be afraid of losing any data/applications on SharePoint while/after running the below commands

Run the following commands one by one on SharePoint PowerShell:

Note: This blog has been moved to:

https://thesharegear.com/sts/

Kindly visit the above link for the possible fix.. Thank you

Comments

• Anonymous
  January 01, 2003
  Thank you so much !

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  I tried the solution presented in this original post with no luck. Is the offer to help fix a search failure still active?
  
  I'm running SBS 2008 which had SP Foundation on it. I installed a full copy of SP 2010 Standard probably four years ago and am just now wanting to actually use it. I have no need for features of later SP versions.
  
  I'm very much an amateur admin when it comes to SP...VERY amateur.
  
  Here is what I believe are two representative entries from the log file.
  
  
  10/02/2014 10:14:20.52 w3wp.exe (0x07F0) 0x1E14 SharePoint Server Search Query g1j9 Exception Internal server error exception: System.NullReferenceException: Object reference not set to an instance of an object.
  at Microsoft.Office.Server.Search.WebControls.CoreResultsWebPart.SetPropertiesOnQueryReader()
  at Microsoft.Office.Server.Search.WebControls.CoreResultsWebPart.OnInit(EventArgs e) System.NullReferenceException: Object reference not set to an instance of an object.
  at Microsoft.Office.Server.Search.WebControls.CoreResultsWebPart.SetPropertiesOnQueryReader()
  at Microsoft.Office.Server.Search.WebControls.CoreResultsWebPart.OnInit(EventArgs e) e55e182d-1b6a-44d5-93f0-fca4492b7046
  
  
  10/02/2014 10:14:20.52 w3wp.exe (0x07F0) 0x1E14 SharePoint Server Search Query fm9a Unexpected CoreResultsWebPart::OnInit: Exception initializing: System.NullReferenceException: Object reference not set to an instance of an object.
  at Microsoft.Office.Server.Search.WebControls.CoreResultsWebPart.SetPropertiesOnQueryReader()
  at Microsoft.Office.Server.Search.WebControls.CoreResultsWebPart.OnInit(EventArgs e) e55e182d-1b6a-44d5-93f0-fca4492b7046
  
  Any further guidance would be greatly appreciated.
  
  Ken
  

• Anonymous
  January 01, 2003
  Syed, Are you still checking this blog entry? I've encountered an issue with the script provided above and wouldn't mind some assistance. Many thanks

• Anonymous
  January 01, 2003
  In addition to the above in SharePoint 2013 to the end of this process, sites generate an access denied message [although we are the site managers], ie the claims-based authentication is lost for sites, for this is necessary to perform the next action for each web application:
  
  1. Opened For SharePoint PowerShell with administrator privileges
  2.
  $WebAppName = "YouWebApplication"
  $wa = get-SPWebApplication $WebAppName
  $wa.UseClaimsAuthentication = $true
  $wa.Update()
  $wa.MigrateUsers($true)
  $wa.ProvisionGlobally()
  
  This procedure may take a while, be patient, remember to run this procedure for the other web application
  
  
  

• Anonymous
  January 01, 2003
  Thanks Syed... This worked for me, saved my Day!!!

• Anonymous
  January 01, 2003
  Didnt help me. I accidently extended a web app over the Sharepoint Web Services web app. Now everything has gone kaboom! The error that is being thrown is An exception occurred when trying to issue security token: The server did not provide a meaningful reply; this might be caused by a contract mismatch, a premature session shutdown or an internal server error. I followed all your steps but no joy! :(

• Anonymous
  January 01, 2003
  Thanks a Ton..! This article helped me to resolve Search and UPA both.  

• Anonymous
  May 03, 2012
  No joy. Made no difference. STS is unavailable. I just scaled the farm from two tier (1 SP2010 and 1 SQL Server) to 3 tier (2 WFE and 2 app servers).

• Anonymous
  May 17, 2012
  If the Powershell commands in step two come back with "The Term (whatever) is not recognized as the name of a...bla bla bla." then type “Get-PSSnapin -Registered” (in powershell) first...and it should work...at least it did for me.

• Anonymous
  May 17, 2012
  It is also of note that this solution worked for me and I have access to all my share point sites again. I owe you a beer Syed. Many thanks.

• Anonymous
  January 11, 2013
  Update for folks who see something like this today... could be related to KB275629 -- www.tylercranston.com/.../kb2756920-causes-problems-with.html

• Anonymous
  January 21, 2013
  Thanks Razmus, that is the error we get after the windows patching!!

• Anonymous
  January 21, 2013
  This did not work for me in my windows 7 dev environment, but I found the issue uninstalling a windows update like this... social.technet.microsoft.com/.../b5f18b40-348d-4a27-908f-1822dba67c73

• Anonymous
  March 28, 2013
  Thanks. The given solution is worked for me,

• Anonymous
  May 02, 2013
  The reprovisioning of the Security Token Service did not solve my problem. Great article though.

• Anonymous
  May 29, 2013
  i had the same probleme in SP2013 => resolved , you saved my life Thank you

• Anonymous
  July 09, 2013
  Great article, thank you! I've tried  all the above with no luck. Also tried installing the hotfix and it says its not applicable to my computer. Anyone have any other ideas as to why I still get "Security Token Service is unavailable" and can't start the Security Token Service? Thank you!

• Anonymous
  August 01, 2013
  I think you are running on RTM version of the SP 2010. I have seen this issue getting fixed if you upgrade to SP1...

• Anonymous
  September 16, 2013
  I got a completely different problem with security token service, but I tried the powershell trick, and guess what?  it worked!   Thank you very much. This should be on Microsoft website!

• Anonymous
  October 15, 2013
  The presented solutions did not work for me. The services still give a "HTTP Error 503. The service is unavailable." error.

• Anonymous
  November 27, 2013
  Security Token Service stopped working as described after a iisreset (one of many, nothing special about this particular one). I tried step 2 but it didn't fix it. Didn't try step 1 at it seems like a long shot (no offense) I sure didn't change the STS web.config, so it was sharepoint itself that corrupted it?

• Anonymous
  February 11, 2014
  Manual AAM and IIS binding whereby having multiple hostnames using same protocol can interfer with STS. IE - You have a webapp that has two different hostname whereby you created AAM and IIS binding manually without extending the webapp via SP.

• Anonymous
  February 18, 2014
  Thank you very much !!!

• Anonymous
  March 12, 2014
  I am having this issue, and this fix has not helped. Any suggestions?
  

• Anonymous
  April 03, 2014
  I'm one of the .01% I guess :(

• Anonymous
  April 10, 2014
  I faced this issue on SP 2013 after I did an in-place upgrade from WS2012 to WS2012R2. Re-provisioning did the trick. Thanks!

• Anonymous
  April 11, 2014
  Man, you made me look smart!

• Anonymous
  April 18, 2014
  Thank you SO much for the script at the end. It fixed my problems with Managed Metadata, UPS, and Token Security Services. You just saved my weekend!

• Anonymous
  April 29, 2014
  In addition to the above in SharePoint 2013 to the end of this process, sites generate an access denied message [although we are the site managers], ie the claims-based authentication is lost for sites, for this is necessary to perform the next action for each web application:
  
  1. Opened For SharePoint PowerShell with administrator privileges
  2.
  $WebAppName = "YouWebApplication"
  $wa = get-SPWebApplication $WebAppName
  $wa.UseClaimsAuthentication = $true
  $wa.Update()
  $wa.MigrateUsers($true)
  $wa.ProvisionGlobally()
  
  
  This takes a while, do not worry is normal, remember that you must perform this procedure for each of your web application.

• Anonymous
  June 10, 2014
  I am running a SBS2011 Standard server, when I get to the "$h.Provision()" command my server just locks up, how long does it usually take to run that command?

• Anonymous
  June 18, 2014
  Really very nice Blog and very helpful :) :)

• Anonymous
  July 04, 2014
  Thank you very much for this fix. Worked perfectly!

• Anonymous
  July 05, 2014
  one reason of this error can be that session answer came after that message or user token is expired. Why? Messing with the internal clock and changing date beacause you want to extend sharepoint trial period (most probably)

• Anonymous
  July 07, 2014
  Thanks - that solved my problem

• Anonymous
  July 08, 2014
  Nice and very helpful post
  

• Anonymous
  July 15, 2014
  Did not work for me.
  
  However - simply clicking 'Start' on a few Application Pools (in IIS Manager) did the trick.
  
  (I guess they were stopped in a botched Windows Update, and I was a little too surprised that they were still stopped after a re-boot.)

• Anonymous
  July 28, 2014
  Yes, this works, wow, thank you so much!!

• Anonymous
  July 31, 2014
  I was told to do this by another SP admin. Neither works because I get stuck at provision an it just hangs but should only take a few minutes.
  
  $services = Get-SPServiceApplication
  $services = Get-SPServiceApplication | ?{$_ -match "Security"}
  $services.Status
  $services.Provision()
  
  

• Anonymous
  August 17, 2014
  Hi ,
  
  I am getting 500 error for all web app expect central admin and my security token service is working fine.
  
  Thanks.
  Rohidas

• Anonymous
  August 18, 2014
  The comment has been removed

• Anonymous
  September 04, 2014
  The comment has been removed

• Anonymous
  September 19, 2014
  The comment has been removed

• Anonymous
  September 24, 2014
  thanksssss

• Anonymous
  October 28, 2014
  Thanks a ton to syed. This blog helped me to resolve the issue

• Anonymous
  November 07, 2014
  What is UPPS? How to start.? I m not getting it... Please guide...

• Anonymous
  November 07, 2014
  In my case, the application pool was just down. I updated the password of the application pool account and that fixed it.
  Thanks for the pointer to the webservice though.

• Anonymous
  November 24, 2014
  This fixed a similar condition on our SP 2013 farm. Thanks for posting.

• Anonymous
  December 09, 2014
  Below are the output for command-
  --------------------------------------------
  Access Services 2010
  Secure Store Service
  PowerPoint Conversion Service Application
  State Service
  PerformancePoint Service Application
  Visio Graphics Service
  Managed Metadata Service
  Workflow Service Application
  App Management Service
  Excel Services Application
  SecurityTokenServiceApplication
  Machine Translation Service
  Topology
  WSS_UsageApplication
  b694fcba-179b-4645-b531-ab5ff197b338
  Word Automation Services
  MySite
  Business Data Connectivity Service
  Work Management Service Application
  Access Services
  Search Service Application
  ----------------------------------------------
  After running above command its still showing "User Profile Sync is not currently provisioned" and following services not started- I checked STS and i am able to browse that and in my case MySite is User Profile
  1. User Profile Synchronization Service is in stopped mode
  2. Forefront Identity Manager Service is in disable mode
  3. Forefront Identity Manager Synchronization Service is in disable mode

• Anonymous
  February 08, 2015
  Thanks! after running to ps command I was able to start the STS and resolve the issue
  

• Anonymous
  March 04, 2015
  after running the commands, powershell hangs and does not produce a list of services. Where is the enclosed web.config file you mention in step 1?

• Anonymous
  March 21, 2015
  It worked! You're the greatest! Thanks for posting this repair instructions!

• Anonymous
  April 23, 2015
  Thank you Syed. Very informative and it fixed our issue also

• Anonymous
  May 12, 2015
  I am facing the same issue and i have included the IncludeExceptionDetailInFaults after that i am getting the error Security policy export failed. The binding contains a TransportSecurityBindingElement but no transport binding element that implements ITransportTokenAssertionProvider.I am having Windows Server 2008 R2 SP1 and all the resolutions provided are to uninstall certain KB' s which is not applicable for me.
  
  Please help.

• Anonymous
  May 22, 2015
  faadu..

• Anonymous
  August 05, 2015
  No luck. After an outage, the STS is broken on both app servers in 2 different farms (same AD).

• Anonymous
  September 08, 2015
  Thanks man. This solution saved my life.

• Anonymous
  October 15, 2015
  Having had a very similar problem, along with many other associated problems, which put my work at an altogether unacceptable, extended standstill, I decided to post the resolution I found to as many forums relating to this issue that I could.
  The resolution that I found was one of two things that I did at the same time. (duh – not a smart tactic, but I was getting desperate…) I am not willing to spend the time to isolate the effects of each of these motions, so it could be one, or the other, or both.
  1. I noticed that SharePoint was moving the Farm Account Security Managed Account (The user account that Farm Account uses for credentials) from the Administrators group, to the WSS_ADMIN_WPG group. In my case Central Admin was being run on the same machine as the SharePoint Server. I run a single server developer environment. So the Farm Account needed “Log on Locally” privileges. WSS_ADMIN_WPG group did not appear to have the needed privilege, where the Administrators group did. Strangely enough though, the Administrators group is a member of the WSS_ADMIN_WPG group. So I moved the above mentioned user account back into the Administrators group.
  Let me know if I’m not seeing something here….
  2. Upon examining the SecurityTokenServiceApplicationPool (the name I gave for the Security Token Service’s Application Pool), I notice that the Enable 32-bit Applications setting under the Advanced Settings had been set to True. This to me was strange as I remembered installing the 64 bit versions of everything, because the Server machine on which I was working was indeed 64 bit. So I set it to False.
  After those two simple motions I did all the familiar and necessary things to be done to make sure that the system and SharePoint was running with all the latest settings and tried what I had been doing once again, and to my amazement and shock (after having tried everything on the internet several times each) it worked! I am now happily moving forward in my work! At least until the next roadblock comes along.
  Weird, dumb and stupid, what were the chances? Maybe it will be worth a quick look for you.
  

• Anonymous
  October 21, 2015
  It is stuck at $h.provision(), no messages. any idea?

• Anonymous
  December 09, 2015
  Hi All,
  
  I have a question : We had our server reboot and DB Deployment(DB Server) and after that the sharepoint application login wasn't working. We checked logs and we were getting error around SecurityToken so we recycled the service and it started working again. (Though in app pool the service was already at started state
  
  I want to know whether server reboot /DB Deployment can be the issue. If yes, what issue it got which got fixed after the service restart.

• Anonymous
  March 19, 2016
  Thank you so much..you save our life!!!!

• Anonymous
  March 30, 2016
  The comment has been removed

• Anonymous
  March 30, 2016
  The comment has been removed

• Anonymous
  May 12, 2016
  Thanks a lot for documenting this article brother! Saved our production environment from being rebuilt. It worked like magic :)cheers

• Anonymous
  May 19, 2016
  The comment has been removed

• Anonymous
  June 29, 2016
  WORKED! Thank you!

• Anonymous
  October 24, 2016
  Thanks so much! We hadn't seen this before and Abhishek's solution worked for us! Really appreciate it!

• Anonymous
  March 02, 2017
  very helpful, saved lot of time