SharePoint 2010: Nailing the error "The Security Token Service is unavailable"

First of all let’s talk about STS (Security Token Service)

  • An STS is a specialized Web service that is designed to respond to requests for security tokens and provide identity management. The core functionality of every STS is the same, but the nature of the tasks that each STS performs depends on the role the STS plays in relation to the other STS Web services in your design. (see https://technet.microsoft.com/en-us/library/ee806864.aspx)
  • STS is neither a SharePoint service nor a Windows service; it is actually a WCF web service hosted in IIS.
  • Many SharePoint services, such as the User Profile Synchronization Service and the SharePoint Search Service, are claims aware, and such services need the STS to be up and running in a stable condition.
  • Let's take Search as an example: suppose the Query Component is hosted on the App Server and a user hits the WFE and performs a search. The WFE communicates with the Query Component on the App Server by using its STS to obtain a claim, and that claim is sent to the App Server. Without a working STS, this communication is not possible.
  • Likewise, the User Profile Synchronization Service (UPSS) cannot start if the STS is not in a healthy condition.
  • Not only SharePoint services but also Web Applications require a working STS for intra/inter farm authentication.
  • The figure below shows that within a SharePoint Farm the intra/inter farm authentication happens using Claims Authentication, and because it relies on Claims Authentication, it is essential for the STS to be working.

I have seen numerous cases where the UPSS fails to start because of the unavailability of the STS. In such cases you will also see the following errors logged:

In SharePoint Health Analyzer: "The Security Token Service is unavailable"

In SharePoint ULS logs while starting UPSS, errors like:

  • An exception occurred when trying to issue security token: The server did not provide a meaningful reply; this might be caused by a contract mismatch, a premature session shutdown or an internal server error (OR)

You may not see all of the errors shown above; I'm just collating the common errors seen while starting UPSS when the STS is broken.

To troubleshoot such issues, it is worth first checking whether you can browse to the STS web service page.

To browse to it, go to IIS Manager --> Sites --> SharePoint Web Services --> SecurityTokenServiceApplication, click 'Content View' at the bottom, right-click Securitytoken.svc and click Browse (as shown below).


The expected page to see if STS is working will be as shown below:

As long as you get the above message while browsing, you can be sure that the STS is working just fine. In cases where the STS is broken, you will not be able to browse to the above web service; instead you will get errors like "Server Error in '/' Application" or "Internet Explorer cannot display the web page".
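The same check can be scripted so that it can be repeated on every server in the farm. The following PowerShell is an added example, not a script from the original post: it performs read-only diagnostics only (nothing is re-provisioned or restarted). It assumes the SharePoint defaults that the post does not spell out: the "SharePoint Web Services" site listening on HTTP port 32843, the application pool name "SecurityTokenServiceApplicationPool", and the service instance type name containing "Security Token"; adjust the parameters if your farm differs.

```powershell
# Added diagnostic script (not from the original post): read-only STS health checks.
# Assumptions (not stated on the page): the SharePoint snap-in is available, the
# STS endpoint is on the default HTTP port 32843, and the IIS application pool
# carries the default name "SecurityTokenServiceApplicationPool".
param(
    [string]$StsUrl     = "http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc",
    [string]$StsAppPool = "SecurityTokenServiceApplicationPool"
)

# Load the SharePoint cmdlets when run from a plain PowerShell window
# (the comments below mention "term not recognized" errors caused by a missing snap-in).
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}
Import-Module WebAdministration -ErrorAction SilentlyContinue

# 1. Is the STS application pool actually started in IIS? A stopped pool
#    produces the "HTTP Error 503. The service is unavailable." symptom.
$poolState = (Get-WebAppPoolState -Name $StsAppPool).Value
Write-Host ("IIS app pool '{0}': {1}" -f $StsAppPool, $poolState)

# 2. Can this server reach the .svc page, the same thing the "Browse" step does by hand?
#    WebRequest is used instead of Invoke-WebRequest so it also works on PowerShell 2.0.
try {
    $req = [System.Net.WebRequest]::Create($StsUrl)
    $req.UseDefaultCredentials = $true
    $req.Timeout = 15000
    $resp = $req.GetResponse()
    Write-Host ("STS endpoint answered HTTP {0}" -f [int]$resp.StatusCode)
    $resp.Close()
} catch [System.Net.WebException] {
    $r = $_.Exception.Response
    if ($r) { Write-Warning ("STS endpoint returned HTTP {0}" -f [int]$r.StatusCode) }
    else    { Write-Warning ("STS endpoint unreachable: {0}" -f $_.Exception.Message) }
}

# 3. Farm view: list every service application that is not Online, so a broken
#    SecurityTokenServiceApplication shows up next to anything it has taken down with it.
Get-SPServiceApplication |
    Where-Object { $_.Status -ne "Online" } |
    Select-Object DisplayName, TypeName, Status |
    Format-Table -AutoSize

# 4. The STS service instance on this server (type name matched loosely; an assumption).
Get-SPServiceInstance -Server $env:COMPUTERNAME |
    Where-Object { $_.TypeName -match "Security Token" } |
    Select-Object TypeName, Status
```

Run it from an elevated SharePoint Management Shell on each WFE and App server; a started pool, an HTTP 200 from the endpoint, and an Online service instance together correspond to the "STS is working just fine" state described above, while a 503 or a stopped pool points at IIS rather than at the SharePoint configuration.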

How to fix STS?

Step One:

Right-click SecurityTokenServiceApplication and click Explore, copy the web.config and compare it with the file attached, which is completely out of the box with no modifications. If you find many differences between the web.config on your Farm and mine, replace the file under SecurityTokenServiceApplication (keep a copy of your original web.config first), perform an IIS reset and check whether the STS page now comes up as expected.

Step Two:

A BIG Thank You! To Abhishek Saigal (one of the finest resources in the SharePoint Admin world) who came up with this fix, which has a success rate of 99.99%

I have tried this fix on numerous User Profile cases where UPSS could never start due to broken STS, and after STS was fixed UPSS started like a charm!

The PowerShell commands below re-provision all the SharePoint Web Services, and this is one of the safest ways to get the STS working.

There is no need to be afraid of losing any data or applications on SharePoint while or after running the commands below.

Run the following commands one by one on SharePoint PowerShell:

Note: This blog has been moved to:

https://thesharegear.com/sts/

Kindly visit the above link for the possible fix.. Thank you

Comments

  • Anonymous
    January 01, 2003
    Thank you so much !

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    I tried the solution presented in this original post with no luck. Is the offer to help fix a search failure still active?

    I'm running SBS 2008 which had SP Foundation on it. I installed a full copy of SP 2010 Standard probably four years ago and am just now wanting to actually use it. I have no need for features of later SP versions.

    I'm very much an amateur admin when it comes to SP...VERY amateur.

    Here is what I believe are two representative entries from the log file.


    10/02/2014 10:14:20.52 w3wp.exe (0x07F0) 0x1E14 SharePoint Server Search Query g1j9 Exception Internal server error exception: System.NullReferenceException: Object reference not set to an instance of an object.
    at Microsoft.Office.Server.Search.WebControls.CoreResultsWebPart.SetPropertiesOnQueryReader()
    at Microsoft.Office.Server.Search.WebControls.CoreResultsWebPart.OnInit(EventArgs e) System.NullReferenceException: Object reference not set to an instance of an object.
    at Microsoft.Office.Server.Search.WebControls.CoreResultsWebPart.SetPropertiesOnQueryReader()
    at Microsoft.Office.Server.Search.WebControls.CoreResultsWebPart.OnInit(EventArgs e) e55e182d-1b6a-44d5-93f0-fca4492b7046


    10/02/2014 10:14:20.52 w3wp.exe (0x07F0) 0x1E14 SharePoint Server Search Query fm9a Unexpected CoreResultsWebPart::OnInit: Exception initializing: System.NullReferenceException: Object reference not set to an instance of an object.
    at Microsoft.Office.Server.Search.WebControls.CoreResultsWebPart.SetPropertiesOnQueryReader()
    at Microsoft.Office.Server.Search.WebControls.CoreResultsWebPart.OnInit(EventArgs e) e55e182d-1b6a-44d5-93f0-fca4492b7046

    Any further guidance would be greatly appreciated.

    Ken

  • Anonymous
    January 01, 2003
    Syed, Are you still checking this blog entry? I've encountered an issue with the script provided above and wouldn't mind some assistance. Many thanks

  • Anonymous
    January 01, 2003
    In addition to the above in SharePoint 2013 to the end of this process, sites generate an access denied message [although we are the site managers], ie the claims-based authentication is lost for sites, for this is necessary to perform the next action for each web application:

    1. Opened For SharePoint PowerShell with administrator privileges
    2.
    $WebAppName = "YouWebApplication"
    $wa = get-SPWebApplication $WebAppName
    $wa.UseClaimsAuthentication = $true
    $wa.Update()
    $wa.MigrateUsers($true)
    $wa.ProvisionGlobally()

    This procedure may take a while, be patient, remember to run this procedure for the other web application


  • Anonymous
    January 01, 2003
    Thanks Syed... This worked for me, saved my Day!!!

  • Anonymous
    January 01, 2003
    Didn't help me. I accidentally extended a web app over the SharePoint Web Services web app. Now everything has gone kaboom! The error that is being thrown is An exception occurred when trying to issue security token: The server did not provide a meaningful reply; this might be caused by a contract mismatch, a premature session shutdown or an internal server error. I followed all your steps but no joy! :(

  • Anonymous
    January 01, 2003
    Thanks a Ton..! This article helped me to resolve Search and UPA both.  

  • Anonymous
    May 03, 2012
    No joy. Made no difference. STS is unavailable. I just scaled the farm from two tier (1 SP2010 and 1 SQL Server) to 3 tier (2 WFE and 2 app servers).

  • Anonymous
    May 17, 2012
    If the Powershell commands in step two come back with "The Term (whatever) is not recognized as the name of a...bla bla bla." then type “Get-PSSnapin -Registered” (in powershell) first...and it should work...at least it did for me.

  • Anonymous
    May 17, 2012
    It is also of note that this solution worked for me and I have access to all my share point sites again. I owe you a beer Syed. Many thanks.

  • Anonymous
    January 11, 2013
    Update for folks who see something like this today... could be related to KB275629 -- www.tylercranston.com/.../kb2756920-causes-problems-with.html

  • Anonymous
    January 21, 2013
    Thanks Razmus, that is the error we get after the windows patching!!

  • Anonymous
    January 21, 2013
    This did not work for me in my windows 7 dev environment, but I found the issue uninstalling a windows update like this... social.technet.microsoft.com/.../b5f18b40-348d-4a27-908f-1822dba67c73

  • Anonymous
    March 28, 2013
    Thanks. The given solution worked for me.

  • Anonymous
    May 02, 2013
    The reprovisioning of the Security Token Service did not solve my problem. Great article though.

  • Anonymous
    May 29, 2013
    I had the same problem in SP2013 => resolved, you saved my life. Thank you

  • Anonymous
    July 09, 2013
    Great article, thank you! I've tried  all the above with no luck. Also tried installing the hotfix and it says its not applicable to my computer. Anyone have any other ideas as to why I still get "Security Token Service is unavailable" and can't start the Security Token Service? Thank you!

  • Anonymous
    August 01, 2013
    I think you are running on RTM version of the SP 2010. I have seen this issue getting fixed if you upgrade to SP1...

  • Anonymous
    September 16, 2013
    I got a completely different problem with security token service, but I tried the powershell trick, and guess what?  it worked!   Thank you very much. This should be on Microsoft website!

  • Anonymous
    October 15, 2013
    The presented solutions did not work for me. The services still give a "HTTP Error 503. The service is unavailable." error.

  • Anonymous
    November 27, 2013
    Security Token Service stopped working as described after an iisreset (one of many, nothing special about this particular one). I tried step 2 but it didn't fix it. Didn't try step 1 as it seems like a long shot (no offense). I sure didn't change the STS web.config, so it was SharePoint itself that corrupted it?

  • Anonymous
    February 11, 2014
    Manual AAM and IIS bindings whereby you have multiple hostnames using the same protocol can interfere with STS. I.e. you have a webapp that has two different hostnames for which you created the AAM and IIS binding manually without extending the webapp via SP.

  • Anonymous
    February 18, 2014
    Thank you very much !!!

  • Anonymous
    March 12, 2014
    I am having this issue, and this fix has not helped. Any suggestions?

  • Anonymous
    April 03, 2014
    I'm one of the .01% I guess :(

  • Anonymous
    April 10, 2014
    I faced this issue on SP 2013 after I did an in-place upgrade from WS2012 to WS2012R2. Re-provisioning did the trick. Thanks!

  • Anonymous
    April 11, 2014
    Man, you made me look smart!

  • Anonymous
    April 18, 2014
    Thank you SO much for the script at the end. It fixed my problems with Managed Metadata, UPS, and Token Security Services. You just saved my weekend!

  • Anonymous
    April 29, 2014
    In addition to the above in SharePoint 2013 to the end of this process, sites generate an access denied message [although we are the site managers], ie the claims-based authentication is lost for sites, for this is necessary to perform the next action for each web application:

    1. Opened For SharePoint PowerShell with administrator privileges
    2.
    $WebAppName = "YouWebApplication"
    $wa = get-SPWebApplication $WebAppName
    $wa.UseClaimsAuthentication = $true
    $wa.Update()
    $wa.MigrateUsers($true)
    $wa.ProvisionGlobally()


    This takes a while, do not worry is normal, remember that you must perform this procedure for each of your web application.

  • Anonymous
    June 10, 2014
    I am running a SBS2011 Standard server, when I get to the "$h.Provision()" command my server just locks up, how long does it usually take to run that command?

  • Anonymous
    June 18, 2014
    Really very nice Blog and very helpful :) :)

  • Anonymous
    July 04, 2014
    Thank you very much for this fix. Worked perfectly!

  • Anonymous
    July 05, 2014
    One reason for this error can be that the session answer came after that message or the user token has expired. Why? Messing with the internal clock and changing the date because you want to extend the SharePoint trial period (most probably).

  • Anonymous
    July 07, 2014
    Thanks - that solved my problem

  • Anonymous
    July 08, 2014
    Nice and very helpful post

  • Anonymous
    July 15, 2014
    Did not work for me.

    However - simply clicking 'Start' on a few Application Pools (in IIS Manager) did the trick.

    (I guess they were stopped in a botched Windows Update, and I was a little too surprised that they were still stopped after a re-boot.)

  • Anonymous
    July 28, 2014
    Yes, this works, wow, thank you so much!!

  • Anonymous
    July 31, 2014
    I was told to do this by another SP admin. Neither works because I get stuck at provision and it just hangs, but it should only take a few minutes.

    $services = Get-SPServiceApplication
    $services = Get-SPServiceApplication | ?{$_ -match "Security"}
    $services.Status
    $services.Provision()

  • Anonymous
    August 17, 2014
    Hi ,

    I am getting a 500 error for all web apps except central admin, and my security token service is working fine.

    Thanks.
    Rohidas

  • Anonymous
    August 18, 2014
    The comment has been removed

  • Anonymous
    September 04, 2014
    The comment has been removed

  • Anonymous
    September 19, 2014
    The comment has been removed

  • Anonymous
    September 24, 2014
    thanksssss

  • Anonymous
    October 28, 2014
    Thanks a ton to syed. This blog helped me to resolve the issue

  • Anonymous
    November 07, 2014
    What is UPSS? How do I start it? I'm not getting it... Please guide...

  • Anonymous
    November 07, 2014
    In my case, the application pool was just down. I updated the password of the application pool account and that fixed it.
    Thanks for the pointer to the webservice though.

  • Anonymous
    November 24, 2014
    This fixed a similar condition on our SP 2013 farm. Thanks for posting.

  • Anonymous
    December 09, 2014
    Below are the output for command-
    --------------------------------------------
    Access Services 2010
    Secure Store Service
    PowerPoint Conversion Service Application
    State Service
    PerformancePoint Service Application
    Visio Graphics Service
    Managed Metadata Service
    Workflow Service Application
    App Management Service
    Excel Services Application
    SecurityTokenServiceApplication
    Machine Translation Service
    Topology
    WSS_UsageApplication
    b694fcba-179b-4645-b531-ab5ff197b338
    Word Automation Services
    MySite
    Business Data Connectivity Service
    Work Management Service Application
    Access Services
    Search Service Application
    ----------------------------------------------
    After running the above command it is still showing "User Profile Sync is not currently provisioned" and the following services are not started. I checked STS and I am able to browse it; in my case MySite is User Profile.
    1. User Profile Synchronization Service is in stopped mode
    2. Forefront Identity Manager Service is in disable mode
    3. Forefront Identity Manager Synchronization Service is in disable mode

  • Anonymous
    February 08, 2015
    Thanks! After running the PS commands I was able to start the STS and resolve the issue

  • Anonymous
    March 04, 2015
    after running the commands, powershell hangs and does not produce a list of services. Where is the enclosed web.config file you mention in step 1?

  • Anonymous
    March 21, 2015
    It worked! You're the greatest! Thanks for posting this repair instructions!

  • Anonymous
    April 23, 2015
    Thank you Syed. Very informative and it fixed our issue also

  • Anonymous
    May 12, 2015
    I am facing the same issue and I have included IncludeExceptionDetailInFaults; after that I am getting the error "Security policy export failed. The binding contains a TransportSecurityBindingElement but no transport binding element that implements ITransportTokenAssertionProvider." I am on Windows Server 2008 R2 SP1 and all the resolutions provided are to uninstall certain KBs, which is not applicable for me.

    Please help.

  • Anonymous
    May 22, 2015
    faadu..

  • Anonymous
    August 05, 2015
    No luck. After an outage, the STS is broken on both app servers in 2 different farms (same AD).

  • Anonymous
    September 08, 2015
    Thanks man. This solution saved my life.

  • Anonymous
    October 15, 2015
    Having had a very similar problem, along with many other associated problems, which put my work at an altogether unacceptable, extended standstill, I decided to post the resolution I found to as many forums relating to this issue that I could.
    The resolution that I found was one of two things that I did at the same time. (duh – not a smart tactic, but I was getting desperate…) I am not willing to spend the time to isolate the effects of each of these motions, so it could be one, or the other, or both.
    1. I noticed that SharePoint was moving the Farm Account Security Managed Account (The user account that Farm Account uses for credentials) from the Administrators group, to the WSS_ADMIN_WPG group. In my case Central Admin was being run on the same machine as the SharePoint Server. I run a single server developer environment. So the Farm Account needed “Log on Locally” privileges. WSS_ADMIN_WPG group did not appear to have the needed privilege, where the Administrators group did. Strangely enough though, the Administrators group is a member of the WSS_ADMIN_WPG group. So I moved the above mentioned user account back into the Administrators group.
    Let me know if I’m not seeing something here….
    2. Upon examining the SecurityTokenServiceApplicationPool (the name I gave for the Security Token Service’s Application Pool), I notice that the Enable 32-bit Applications setting under the Advanced Settings had been set to True. This to me was strange as I remembered installing the 64 bit versions of everything, because the Server machine on which I was working was indeed 64 bit. So I set it to False.
    After those two simple motions I did all the familiar and necessary things to be done to make sure that the system and SharePoint was running with all the latest settings and tried what I had been doing once again, and to my amazement and shock (after having tried everything on the internet several times each) it worked! I am now happily moving forward in my work! At least until the next roadblock comes along.
    Weird, dumb and stupid, what were the chances? Maybe it will be worth a quick look for you.

  • Anonymous
    October 21, 2015
    It is stuck at $h.provision(), no messages. any idea?

  • Anonymous
    December 09, 2015
    Hi All,

    I have a question: we had our server rebooted and a DB deployment (DB Server), and after that the SharePoint application login wasn't working. We checked the logs and were getting errors around SecurityToken, so we recycled the service and it started working again. (Though in the app pool the service was already in the started state.)

    I want to know whether server reboot /DB Deployment can be the issue. If yes, what issue it got which got fixed after the service restart.

  • Anonymous
    March 19, 2016
    Thank you so much..you save our life!!!!

  • Anonymous
    March 30, 2016
    The comment has been removed

  • Anonymous
    March 30, 2016
    The comment has been removed

  • Anonymous
    May 12, 2016
    Thanks a lot for documenting this article brother! Saved our production environment from being rebuilt. It worked like magic :) cheers

  • Anonymous
    May 19, 2016
    The comment has been removed

  • Anonymous
    June 29, 2016
    WORKED! Thank you!

  • Anonymous
    October 24, 2016
    Thanks so much! We hadn't seen this before and Abhishek's solution worked for us! Really appreciate it!

  • Anonymous
    March 02, 2017
    very helpful, saved lot of time