SharePoint 2010: Nailing the error "The Security Token Service is unavailable"
First of all, let's talk about STS (Security Token Service).
- An STS is a specialized Web service that is designed to respond to requests for security tokens and provide identity management. The core functionality of every STS is the same, but the nature of the tasks that each STS performs depends on the role the STS plays in relation to the other STS Web services in your design. (refer: https://technet.microsoft.com/en-us/library/ee806864.aspx)
- STS is neither a SharePoint service nor a Windows service, but actually a WCF web service.
- Many SharePoint services, like the User Profile Synchronization Service and the SharePoint Search Service, are claims aware, and such services need STS to be up and running in a stable condition.
- Let's take Search as an example. Suppose the Query Component is hosted on the app server and a user hits the WFE and performs a search. The WFE communicates with the Query Component on the app server by using its STS to obtain the claim, which is then sent to the app server. Without STS working, this communication is not possible.
- Also, the User Profile Synchronization Service (UPSS) cannot start if the STS is not in a healthy condition.
- Not only SharePoint services, but even web applications require STS to be working for intra/inter-farm authentication.
- The figure below shows that within a SharePoint farm the intra/inter-farm authentication happens using claims authentication, and because it uses claims authentication, it is essential for the STS to be working.
I have seen numerous cases where the UPSS fails to start because of the unavailability of the STS. In such cases you can also see the following errors logged:
In SharePoint Health Analyzer: "The Security Token Service is unavailable"
In SharePoint ULS logs while starting UPSS, errors like:
- An exception occurred when trying to issue security token: The server did not provide a meaningful reply; this might be caused by a contract mismatch, a premature session shutdown or an internal server error (OR)
- Request for security token failed with exception: System.ServiceModel.ServiceActivationException: The requested service, 'https://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc/actas' could not be activated (OR)
- An exception occurred when trying to issue security token: The requested service, 'https://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc/actas' could not be activated
You may not see all the errors shown above; I'm just trying to collate the common errors seen while starting UPSS when STS is broken.
To troubleshoot such issues, it is good to first check whether you can browse to the STS web service page.
To browse, go to IIS Manager --> Sites --> SharePoint Web Services --> SecurityTokenServiceApplication, click on 'Content View' at the bottom, right-click on securitytoken.svc and click Browse (as shown below).
The expected page to see if STS is working is shown below:
As long as you get the above message while browsing, be sure that the STS is working just fine. In cases where STS is broken, you will not be able to browse to the above web service; you will get errors like "Server Error in '/' Application", "Internet Explorer cannot display the webpage", etc.
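The same check can be scripted from a SharePoint PowerShell console on the server, so it can be run on every farm member (or scheduled as a health probe) instead of clicking through IIS Manager. The script below is an added example and is not part of the original post. It assumes Windows PowerShell 2.0 or later with the Microsoft.SharePoint.PowerShell snap-in and the IIS WebAdministration module available; the endpoint URL is the one quoted in the ULS errors above, and the application pool name SecurityTokenServiceApplicationPool is the default (a commenter below uses the same name), so treat it as an assumption and adjust it if your farm differs. The TypeName match for the STS service application is also an assumption about the default display name.

```powershell
# Added example (not from the original post): STS health check for a SharePoint 2010 farm server.
# Assumptions: SharePoint snap-in present, IIS WebAdministration module present,
# application pool still has its default name (adjust $appPool if it was renamed).

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}
Import-Module WebAdministration

$stsUrl  = "https://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc"
$appPool = "SecurityTokenServiceApplicationPool"   # assumed default name

# 1. Farm view: is the STS service application registered and online?
$stsApp = Get-SPServiceApplication | Where-Object { $_.TypeName -like "*Security Token*" }
if ($stsApp) {
    "STS service application '{0}': {1}" -f $stsApp.DisplayName, $stsApp.Status
} else {
    "STS service application not found in the farm"
}

# 2. IIS view: a stopped application pool makes the .svc unreachable even when the
#    farm object reports Online (several commenters below hit exactly this).
$poolState = (Get-WebAppPoolState -Name $appPool).Value
"Application pool '{0}': {1}" -f $appPool, $poolState

# 3. HTTP view: fetch the .svc page the article says to browse. The SharePoint Web Services
#    site uses a self-signed certificate, so validation is relaxed for this local probe only
#    and restored afterwards.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
try {
    $req = [System.Net.HttpWebRequest]::Create($stsUrl)
    $req.UseDefaultCredentials = $true
    $req.Method = "GET"
    $resp = $req.GetResponse()
    "STS endpoint returned HTTP {0}" -f [int]$resp.StatusCode
    $resp.Close()
} catch {
    # A 503 here usually means the pool is stopped; a 500 points at web.config or activation errors.
    "STS endpoint NOT reachable: $($_.Exception.Message)"
} finally {
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
}
```

The three views are deliberately read-only: the script reports the farm status, the pool state and the HTTP result so that you know which layer is broken before changing anything. If the pool shows Stopped, starting it in IIS Manager is the first thing to try; if the pool is Started but the request fails, continue with the web.config comparison and re-provisioning steps below.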
How to fix STS?
Step One:
Right-click on SecurityTokenServiceApplication and click Explore, copy the web.config, and compare it with the file attached to this post, which is completely out of the box with no modifications. If you find many differences between the web.config on your farm and mine, replace the file in SecurityTokenServiceApplication (keep a copy of the original web.config as well), perform an IIS reset and check whether the STS page comes up as expected.
Step Two:
A BIG Thank You to Abhishek Saigal (one of the finest resources in the SharePoint admin world), who came up with this fix, which has a success rate of 99.99%.
I have tried this fix on numerous User Profile cases where UPSS could never start due to a broken STS, and after the STS was fixed, UPSS started like a charm!
The PowerShell commands below re-provision all the SharePoint web services, and this is one of the safest ways to get the STS working.
There is no need to be afraid of losing any data or applications on SharePoint while or after running the commands below.
Run the following commands one by one in SharePoint PowerShell:
Note: This blog has been moved to:
Kindly visit the above link for the possible fix. Thank you.
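The post's own command list is not reproduced on this copy of the page, so what follows is an added, narrower example rather than the author's script: it re-provisions just the Security Token Service application using the Provision() call that several commenters below show ($services.Provision(), $h.Provision()), records the status before and after, and finishes with the IIS reset that Step One recommends. It assumes the Microsoft.SharePoint.PowerShell snap-in is available and that the STS application's TypeName contains "Security Token" (the default display name, stated here as an assumption).

```powershell
# Added example (not the original post's command list): re-provision only the STS
# service application and verify the result. Assumes the SharePoint PowerShell snap-in.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Locate the STS application by type name (assumed default: "Security Token Service Application").
$sts = Get-SPServiceApplication | Where-Object { $_.TypeName -like "*Security Token*" }
if (-not $sts) { throw "No Security Token Service application found in this farm." }
if (@($sts).Count -ne 1) { throw "Expected exactly one STS application, found $(@($sts).Count)." }

"Before: '{0}' is {1}" -f $sts.DisplayName, $sts.Status

# Provision() rewrites the STS web application files and IIS settings on the farm servers.
# Commenters report it can take minutes and look hung; give it time before interrupting it.
$sts.Provision()

# Re-read the object so the status reflects the farm's view after provisioning.
$sts = Get-SPServiceApplication -Identity $sts.Id
"After:  '{0}' is {1}" -f $sts.DisplayName, $sts.Status

# Finish with the IIS reset the article recommends, then browse securitytoken.svc again.
iisreset /noforce
```

Run it from an elevated SharePoint Management Shell as the farm account or a farm administrator. Limiting the scope to the STS application is the safer variant when only the STS is broken: it leaves every other service application untouched, and the before/after status lines give you something concrete to put in the change record.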
Comments
Anonymous
January 01, 2003
Thank you so much!

Anonymous
January 01, 2003
The comment has been removed

Anonymous
January 01, 2003
I tried the solution presented in this original post with no luck. Is the offer to help fix a search failure still active?
I'm running SBS 2008 which had SP Foundation on it. I installed a full copy of SP 2010 Standard probably four years ago and am just now wanting to actually use it. I have no need for features of later SP versions.
I'm very much an amateur admin when it comes to SP...VERY amateur.
Here is what I believe are two representative entries from the log file.
10/02/2014 10:14:20.52 w3wp.exe (0x07F0) 0x1E14 SharePoint Server Search Query g1j9 Exception Internal server error exception: System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.Office.Server.Search.WebControls.CoreResultsWebPart.SetPropertiesOnQueryReader()
at Microsoft.Office.Server.Search.WebControls.CoreResultsWebPart.OnInit(EventArgs e) System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.Office.Server.Search.WebControls.CoreResultsWebPart.SetPropertiesOnQueryReader()
at Microsoft.Office.Server.Search.WebControls.CoreResultsWebPart.OnInit(EventArgs e) e55e182d-1b6a-44d5-93f0-fca4492b7046
10/02/2014 10:14:20.52 w3wp.exe (0x07F0) 0x1E14 SharePoint Server Search Query fm9a Unexpected CoreResultsWebPart::OnInit: Exception initializing: System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.Office.Server.Search.WebControls.CoreResultsWebPart.SetPropertiesOnQueryReader()
at Microsoft.Office.Server.Search.WebControls.CoreResultsWebPart.OnInit(EventArgs e) e55e182d-1b6a-44d5-93f0-fca4492b7046
Any further guidance would be greatly appreciated.
Ken

Anonymous
January 01, 2003
Syed, are you still checking this blog entry? I've encountered an issue with the script provided above and wouldn't mind some assistance. Many thanks

Anonymous
January 01, 2003
In addition to the above, in SharePoint 2013, at the end of this process sites generate an access denied message [although we are the site managers], i.e. the claims-based authentication is lost for sites; for this it is necessary to perform the next action for each web application:
1. Open SharePoint PowerShell with administrator privileges
2. Run:
$WebAppName = "YourWebApplication"
$wa = Get-SPWebApplication $WebAppName
$wa.UseClaimsAuthentication = $true
$wa.Update()
$wa.MigrateUsers($true)
$wa.ProvisionGlobally()
This procedure may take a while, be patient; remember to run this procedure for the other web applications.

Anonymous
January 01, 2003
Thanks Syed... This worked for me, saved my day!!!

Anonymous
January 01, 2003
Didn't help me. I accidentally extended a web app over the SharePoint Web Services web app. Now everything has gone kaboom! The error that is being thrown is: An exception occurred when trying to issue security token: The server did not provide a meaningful reply; this might be caused by a contract mismatch, a premature session shutdown or an internal server error. I followed all your steps but no joy! :(

Anonymous
January 01, 2003
Thanks a ton..! This article helped me to resolve Search and UPA both.

Anonymous
May 03, 2012
No joy. Made no difference. STS is unavailable. I just scaled the farm from two tier (1 SP2010 and 1 SQL Server) to 3 tier (2 WFE and 2 app servers).

Anonymous
May 17, 2012
If the PowerShell commands in step two come back with "The term (whatever) is not recognized as the name of a... bla bla bla." then type “Get-PSSnapin -Registered” (in PowerShell) first... and it should work... at least it did for me.

Anonymous
May 17, 2012
It is also of note that this solution worked for me and I have access to all my SharePoint sites again. I owe you a beer Syed. Many thanks.

Anonymous
January 11, 2013
Update for folks who see something like this today... could be related to KB275629 -- www.tylercranston.com/.../kb2756920-causes-problems-with.html

Anonymous
January 21, 2013
Thanks Razmus, that is the error we get after the Windows patching!!

Anonymous
January 21, 2013
This did not work for me in my Windows 7 dev environment, but I found the issue uninstalling a Windows update like this... social.technet.microsoft.com/.../b5f18b40-348d-4a27-908f-1822dba67c73

Anonymous
March 28, 2013
Thanks. The given solution worked for me.

Anonymous
May 02, 2013
The reprovisioning of the Security Token Service did not solve my problem. Great article though.

Anonymous
May 29, 2013
I had the same problem in SP2013 => resolved, you saved my life. Thank you

Anonymous
July 09, 2013
Great article, thank you! I've tried all the above with no luck. Also tried installing the hotfix and it says it's not applicable to my computer. Anyone have any other ideas as to why I still get "Security Token Service is unavailable" and can't start the Security Token Service? Thank you!

Anonymous
August 01, 2013
I think you are running on the RTM version of SP 2010. I have seen this issue getting fixed if you upgrade to SP1...

Anonymous
September 16, 2013
I got a completely different problem with the Security Token Service, but I tried the PowerShell trick, and guess what? It worked! Thank you very much. This should be on Microsoft's website!

Anonymous
October 15, 2013
The presented solutions did not work for me. The services still give a "HTTP Error 503. The service is unavailable." error.

Anonymous
November 27, 2013
Security Token Service stopped working as described after an iisreset (one of many, nothing special about this particular one). I tried step 2 but it didn't fix it. Didn't try step 1 as it seems like a long shot (no offense). I sure didn't change the STS web.config, so was it SharePoint itself that corrupted it?

Anonymous
February 11, 2014
Manual AAM and IIS bindings whereby you have multiple hostnames using the same protocol can interfere with STS. I.e. you have a web app that has two different hostnames where you created the AAM and IIS binding manually without extending the web app via SP.

Anonymous
February 18, 2014
Thank you very much !!!

Anonymous
March 12, 2014
I am having this issue, and this fix has not helped. Any suggestions?

Anonymous
April 03, 2014
I'm one of the .01% I guess :(

Anonymous
April 10, 2014
I faced this issue on SP 2013 after I did an in-place upgrade from WS2012 to WS2012R2. Re-provisioning did the trick. Thanks!

Anonymous
April 11, 2014
Man, you made me look smart!

Anonymous
April 18, 2014
Thank you SO much for the script at the end. It fixed my problems with Managed Metadata, UPS, and Token Security Services. You just saved my weekend!

Anonymous
April 29, 2014
In addition to the above, in SharePoint 2013, at the end of this process sites generate an access denied message [although we are the site managers], i.e. the claims-based authentication is lost for sites; for this it is necessary to perform the next action for each web application:
1. Open SharePoint PowerShell with administrator privileges
2. Run:
$WebAppName = "YourWebApplication"
$wa = Get-SPWebApplication $WebAppName
$wa.UseClaimsAuthentication = $true
$wa.Update()
$wa.MigrateUsers($true)
$wa.ProvisionGlobally()
This takes a while, do not worry, it is normal; remember that you must perform this procedure for each of your web applications.

Anonymous
June 10, 2014
I am running an SBS2011 Standard server; when I get to the "$h.Provision()" command my server just locks up. How long does it usually take to run that command?

Anonymous
June 18, 2014
Really very nice blog and very helpful :) :)

Anonymous
July 04, 2014
Thank you very much for this fix. Worked perfectly!

Anonymous
July 05, 2014
One reason for this error can be that the session answer came after that message or the user token has expired. Why? Messing with the internal clock and changing the date because you want to extend the SharePoint trial period (most probably)

Anonymous
July 07, 2014
Thanks - that solved my problem

Anonymous
July 08, 2014
Nice and very helpful post

Anonymous
July 15, 2014
Did not work for me.
However - simply clicking 'Start' on a few Application Pools (in IIS Manager) did the trick.
(I guess they were stopped in a botched Windows Update, and I was a little too surprised that they were still stopped after a reboot.)

Anonymous
July 28, 2014
Yes, this works, wow, thank you so much!!

Anonymous
July 31, 2014
I was told to do this by another SP admin. Neither works because I get stuck at provision and it just hangs, but it should only take a few minutes.
$services = Get-SPServiceApplication
$services = Get-SPServiceApplication | ?{$_ -match "Security"}
$services.Status
$services.Provision()

Anonymous
August 17, 2014
Hi,
I am getting a 500 error for all web apps except Central Admin, and my Security Token Service is working fine.
Thanks.
Rohidas

Anonymous
August 18, 2014
The comment has been removed

Anonymous
September 04, 2014
The comment has been removed

Anonymous
September 19, 2014
The comment has been removed

Anonymous
September 24, 2014
thanksssss

Anonymous
October 28, 2014
Thanks a ton to Syed. This blog helped me to resolve the issue

Anonymous
November 07, 2014
What is UPSS? How to start it? I'm not getting it... Please guide...

Anonymous
November 07, 2014
In my case, the application pool was just down. I updated the password of the application pool account and that fixed it.
Thanks for the pointer to the web service though.

Anonymous
November 24, 2014
This fixed a similar condition on our SP 2013 farm. Thanks for posting.

Anonymous
December 09, 2014
Below is the output of the command:
--------------------------------------------
Access Services 2010
Secure Store Service
PowerPoint Conversion Service Application
State Service
PerformancePoint Service Application
Visio Graphics Service
Managed Metadata Service
Workflow Service Application
App Management Service
Excel Services Application
SecurityTokenServiceApplication
Machine Translation Service
Topology
WSS_UsageApplication
b694fcba-179b-4645-b531-ab5ff197b338
Word Automation Services
MySite
Business Data Connectivity Service
Work Management Service Application
Access Services
Search Service Application
----------------------------------------------
After running the above command it is still showing "User Profile Sync is not currently provisioned" and the following services are not started. I checked STS and I am able to browse to it, and in my case MySite is User Profile.
1. User Profile Synchronization Service is in stopped mode
2. Forefront Identity Manager Service is in disabled mode
3. Forefront Identity Manager Synchronization Service is in disabled mode

Anonymous
February 08, 2015
Thanks! After running the PS command I was able to start the STS and resolve the issue

Anonymous
March 04, 2015
After running the commands, PowerShell hangs and does not produce a list of services. Where is the enclosed web.config file you mention in step 1?

Anonymous
March 21, 2015
It worked! You're the greatest! Thanks for posting these repair instructions!

Anonymous
April 23, 2015
Thank you Syed. Very informative and it fixed our issue also

Anonymous
May 12, 2015
I am facing the same issue, and I have included the IncludeExceptionDetailInFaults; after that I am getting the error "Security policy export failed. The binding contains a TransportSecurityBindingElement but no transport binding element that implements ITransportTokenAssertionProvider." I am having Windows Server 2008 R2 SP1 and all the resolutions provided are to uninstall certain KBs, which is not applicable for me.
Please help.

Anonymous
May 22, 2015
faadu..

Anonymous
August 05, 2015
No luck. After an outage, the STS is broken on both app servers in 2 different farms (same AD).

Anonymous
September 08, 2015
Thanks man. This solution saved my life.

Anonymous
October 15, 2015
Having had a very similar problem, along with many other associated problems, which put my work at an altogether unacceptable, extended standstill, I decided to post the resolution I found to as many forums relating to this issue as I could.
The resolution that I found was one of two things that I did at the same time. (duh – not a smart tactic, but I was getting desperate…) I am not willing to spend the time to isolate the effects of each of these motions, so it could be one, or the other, or both.
1. I noticed that SharePoint was moving the Farm Account Security Managed Account (the user account that the Farm Account uses for credentials) from the Administrators group to the WSS_ADMIN_WPG group. In my case Central Admin was being run on the same machine as the SharePoint Server. I run a single server developer environment. So the Farm Account needed “Log on Locally” privileges. The WSS_ADMIN_WPG group did not appear to have the needed privilege, where the Administrators group did. Strangely enough though, the Administrators group is a member of the WSS_ADMIN_WPG group. So I moved the above mentioned user account back into the Administrators group.
Let me know if I’m not seeing something here….
2. Upon examining the SecurityTokenServiceApplicationPool (the name I gave for the Security Token Service’s Application Pool), I noticed that the Enable 32-bit Applications setting under the Advanced Settings had been set to True. This to me was strange as I remembered installing the 64 bit versions of everything, because the Server machine on which I was working was indeed 64 bit. So I set it to False.
After those two simple motions I did all the familiar and necessary things to be done to make sure that the system and SharePoint were running with all the latest settings and tried what I had been doing once again, and to my amazement and shock (after having tried everything on the internet several times each) it worked! I am now happily moving forward in my work! At least until the next roadblock comes along.
Weird, dumb and stupid, what were the chances? Maybe it will be worth a quick look for you.

Anonymous
October 21, 2015
It is stuck at $h.provision(), no messages. Any idea?

Anonymous
December 09, 2015
Hi All,
I have a question: We had our server reboot and DB deployment (DB server), and after that the SharePoint application login wasn't working. We checked logs and we were getting errors around SecurityToken, so we recycled the service and it started working again. (Though in the app pool the service was already in the started state.)
I want to know whether server reboot/DB deployment can be the issue. If yes, what issue did it get which got fixed after the service restart?

Anonymous
March 19, 2016
Thank you so much.. you saved our life!!!!

Anonymous
March 30, 2016
The comment has been removed

Anonymous
March 30, 2016
The comment has been removed

Anonymous
May 12, 2016
Thanks a lot for documenting this article brother! Saved our production environment from being rebuilt. It worked like magic :) cheers

Anonymous
May 19, 2016
The comment has been removed

Anonymous
June 29, 2016
WORKED! Thank you!

Anonymous
October 24, 2016
Thanks so much! We hadn't seen this before and Abhishek's solution worked for us! Really appreciate it!

Anonymous
March 02, 2017
very helpful, saved lot of time