SharePoint 2010: Nailing the error "The Security Token Service is unavailable"


 

First of all let’s talk about STS (Security Token Service)

 

  • An STS is a specialized web service designed to respond to requests for security tokens and to provide identity management. The core functionality of every STS is the same, but the tasks a given STS performs depend on the role it plays relative to the other STS web services in your design (see http://technet.microsoft.com/en-us/library/ee806864.aspx).

 

  • The STS is neither a SharePoint service nor a Windows service; it is actually a WCF web service.

 

  • Many SharePoint services, such as the User Profile Synchronization Service and the SharePoint Search Service, are claims-aware, and such services need the STS to be up and running in a stable condition.

 

  • Take Search as an example: the Query Component is hosted on the App Server, and a user hits the WFE and performs a search. The WFE communicates with the Query Component on the App Server by using its STS to obtain a claim, which is then sent to the App Server. Without a working STS, this communication is not possible.

 

  • Also, the User Profile Synchronization Service (UPSS) cannot start if the STS is not in a healthy condition.

 

  • Not only SharePoint services but also web applications require the STS to be working for intra- and inter-farm authentication.

 

  • The figure below shows that within a SharePoint farm, intra- and inter-farm authentication uses claims authentication, and because it does, a working STS is essential.

I have seen numerous cases where the UPSS fails to start because the STS is unavailable. In such cases you will also see the following errors logged:

 

In SharePoint Health Analyzer: "The Security Token Service is unavailable" 

 

In the SharePoint ULS logs while starting UPSS, errors like:

 

  • An exception occurred when trying to issue security token: The server did not provide a meaningful reply; this might be caused by a contract mismatch, a premature session shutdown or an internal server error (OR)

You may not see all of the errors shown above; I'm just collating the common errors seen while starting UPSS when the STS is broken.

 

To troubleshoot such issues, first check whether you can browse to the STS web service page.

 

To browse to it, open IIS Manager --> Sites --> SharePoint Web Services --> SecurityTokenServiceApplication, click 'Content View' at the bottom, right-click Securitytoken.svc and click Browse (as shown below).

The expected page to see if STS is working will be as shown below:

As long as you get the above message when browsing, the STS is working just fine. Where the STS is broken, you will not be able to browse to the web service at all; you will get errors such as "Server Error in '/' Application" or "Internet Explorer cannot display the webpage".

 

How to fix STS?

 

Step One:

 

Right-click SecurityTokenServiceApplication and click Explore, copy the web.config and compare it with the attached file, which is completely out of the box with no modifications. If you find many differences between your farm's web.config and mine, replace the file in SecurityTokenServiceApplication (keep a copy of the original web.config first), perform an IIS reset and check whether the STS page comes up as expected.

 

Step Two:

 

A BIG thank you to Abhishek Saigal (one of the finest resources in the SharePoint admin world), who came up with this fix, which has a success rate of 99.99%.

 

I have tried this fix on numerous User Profile cases where UPSS could never start because of a broken STS, and after the STS was fixed, UPSS started like a charm!

 

The PowerShell commands below re-provision all the SharePoint web services, and this is one of the safest ways to get the STS working.

There is no need to be afraid of losing any data or applications in SharePoint while or after running the commands below.

 

Run the following commands one by one in the SharePoint 2010 Management Shell:

 

$h = Get-SPServiceHostConfig          # settings of the farm's SharePoint Web Services host (the IIS site that hosts the STS)

$h.Provision()                        # re-provision the host, including SecurityTokenServiceApplication

$services = Get-SPServiceApplication  # every service application in the farm

foreach ($service in $services) {
    $service.Provision()              # re-provision each service application's web service endpoint
    Write-Host $service.Name          # print the name so progress is visible
}

 

The output will look something like this:

Perform an IIS reset and try browsing to the STS again; I'm sure you will see positive results!

 

Once the STS page is accessible, try to start the UPSS once more; very likely it will start successfully.
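The manual check above (browsing to securitytoken.svc in IIS Manager) only covers one server, and Step One asks you to keep a copy of the original web.config before replacing it. The script below is an added example, not from the original post or from Microsoft, that probes the STS endpoint on every SharePoint server in the farm and backs up and diffs the STS web.config; it assumes the default SharePoint Web Services port 32843, the IIS site and application names used in the post, PowerShell 2.0 (the SharePoint 2010 Management Shell), and a hypothetical path for the attached out-of-the-box web.config.

```powershell
# Added example (not from the original post). Assumes the default SharePoint
# Web Services port 32843, the IIS names used in the post and PowerShell 2.0.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration -ErrorAction SilentlyContinue

function Test-SPStsEndpoint {
    param([string]$ServerName, [int]$Port = 32843)
    $url = "http://${ServerName}:${Port}/SecurityTokenServiceApplication/securitytoken.svc"
    try {
        $request = [System.Net.HttpWebRequest]::Create($url)
        $request.UseDefaultCredentials = $true   # browse as the logged-on admin, as IIS Manager does
        $request.Timeout = 15000
        $response = $request.GetResponse()
        $reader = New-Object System.IO.StreamReader($response.GetResponseStream())
        $body = $reader.ReadToEnd()
        $reader.Close(); $response.Close()
        # A healthy STS returns the standard WCF service help page; a broken one
        # ("Server Error in '/' Application", HTTP 500) lands in the catch block.
        New-Object PSObject -Property @{ Server = $ServerName; Healthy = ($body -match 'You have created a service'); Detail = 'HTTP 200' }
    } catch {
        New-Object PSObject -Property @{ Server = $ServerName; Healthy = $false; Detail = $_.Exception.Message }
    }
}

function Get-SPStsWebConfigPath {
    # Resolve the STS application's folder from IIS instead of hard-coding the 14 hive path
    $app = Get-WebApplication -Site 'SharePoint Web Services' -Name 'SecurityTokenServiceApplication'
    Join-Path ([Environment]::ExpandEnvironmentVariables($app.PhysicalPath)) 'web.config'
}

function Backup-SPStsWebConfig {
    # Step One: keep a timestamped copy of the original before replacing it
    $path = Get-SPStsWebConfigPath
    $backup = "$path.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -Path $path -Destination $backup
    $backup
}

function Compare-SPStsWebConfig {
    # $ReferencePath: the unmodified web.config attached to the post (hypothetical location)
    param([string]$ReferencePath)
    Compare-Object (Get-Content (Get-SPStsWebConfigPath)) (Get-Content $ReferencePath) |
        Select-Object SideIndicator, InputObject
}

# Probe every SharePoint server; Role 'Invalid' is the SQL server, which hosts no STS
Get-SPServer | Where-Object { $_.Role -ne 'Invalid' } |
    ForEach-Object { Test-SPStsEndpoint -ServerName $_.Address } | Format-Table Server, Healthy, Detail -AutoSize
Backup-SPStsWebConfig
Compare-SPStsWebConfig -ReferencePath 'C:\Temp\web.config.oob'   # placeholder path to the attached file
```

Run the probe again after the Provision() calls and the IIS reset; every server should report Healthy = True before you retry starting the UPSS.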

 

I'll be surprised if this fix fails, and more than happy to help you fix it!

Attachment: web.config
Comments
  • Thanks Syed... This worked for me, saved my Day!!!

  • Thank you so much !

  • Thanks a Ton..!

    This article helped me to resolve Search and UPA both.  

  • No joy.

    Made no difference. STS is unavailable.

    I just scaled the farm from two tier (1 SP2010 and 1 SQL Server) to 3 tier (2 WFE and 2 app servers).

  • If the PowerShell commands in step two come back with "The Term (whatever) is not recognized as the name of a...bla bla bla." then type “Get-PSSnapin -Registered” (in PowerShell) first...and it should work...at least it did for me.

  • It is also of note that this solution worked for me and I have access to all my SharePoint sites again. I owe you a beer Syed. Many thanks.

  • Didn't help me. I accidentally extended a web app over the SharePoint Web Services web app. Now everything has gone kaboom! The error that is being thrown is An exception occurred when trying to issue security token: The server did not provide a meaningful reply; this might be caused by a contract mismatch, a premature session shutdown or an internal server error. I followed all your steps but no joy! :(

  • Update for folks who see something like this today... could be related to KB275629 -- www.tylercranston.com/.../kb2756920-causes-problems-with.html

  • Syed,

    Are you still checking this blog entry? I've encountered an issue with the script provided above and wouldn't mind some assistance.

    Many thanks

  • Thanks Razmus, that is the error we get after the Windows patching!!

  • This did not work for me in my Windows 7 dev environment, but I found the issue uninstalling a Windows update like this... social.technet.microsoft.com/.../b5f18b40-348d-4a27-908f-1822dba67c73

  • This worked very well for me.  I had been chasing this issue for months related to MMS and UPS, although it did not surface in exactly the same way.  All I could see in the ULS log was "access denied".  I then tried to apply the WCF hot fix KB76462, but it would not install on Windows Server 2008 R2 and I gave up and went down a few more rabbit holes.  Finally, after creating a fresh environment, I was still unable to access the MMS and UPS.  Checking the ULS log again, I saw the STS error and found this article.  Uninstalling KB2756920 fixed it immediately.  Many thanks.

  • Thanks. The given solution worked for me.

  • The reprovisioning of the Security Token Service did not solve my problem. Great article though.

  • I had the same problem in SP2013 => resolved, you saved my life. Thank you
