Farm is down after setting Token-Timeout property to ZERO...HELP!


  • August 23, 2012 1:03
     
     

    I was having issues with the Profile Sync service and user credentials.  After some research I found that setting the Token-Timeout to something small would fix the issue.  Unfortunately, I thought changing it to 0 would help.  This has made my entire farm inaccessible.  I used stsadm -o setproperty -propertyname Token-Timeout -propertyvalue 0

    When I use the GetProperty command, it now returns the value of 0, but when I try to run the set property command again, I get the following error:

    The context has expired and can no longer be used. (Exception from HRESULT: 0x80090317)

    I get the same error when trying to access any of my SharePoint sites.

    I'm running SharePoint 2010 (not Foundation) on a Windows 2008 R2 server.

    I've been trying to search for answers on this for hours.  Any help would be greatly appreciated.  I can't believe that Microsoft would allow a value of 0 if it crashes the entire farm and cannot be fixed.

    PLEASE HELP!

    Thanks,

    Ryan

All replies

  • August 23, 2012 11:15
     
     

    You could try the PowerShell version.  A quick Google search yielded the following commands.

    Get-SPSecurityTokenServiceConfig

    Set-SPSecurityTokenServiceConfig -WindowsTokenLifetime 5

    Parameter FormsTokenLifetime specifies in minutes the length of time the security token for a forms based authentication user will remain active.

    WindowsTokenLifetime performs a similar job for windows authentication users.

    Sourced from: http://mackenzie-sharepoint.blogspot.com/2011/06/powershell-security-token-timeout.html

    Note:  This is something that you should try in development first.  As you know you are playing with some relatively sensitive parts of the system back end.


    Willner001


  • August 23, 2012 12:40
     
     
    Thanks for the response!  When I run the Get-SPSecurityTokenServiceConfig, it returns all of the config info.  The WindowsTokenLifetime is already set to 10 hours, so I don't think this is the same as the token-timeout property.
  • August 23, 2012 13:14
     
     

    "When I use the GetProperty command, it now returns the value of 0, but when I try to run the set property command again, I get the following error"

    What command are you talking about exactly?


    Willner001

  • August 23, 2012 13:15
     
     

    Oh, and you can't get to Central Admin, even on the server itself via \\localhost correct?


    Willner001

  • August 23, 2012 13:20
     
     

    No, I can access Central Admin.  From what I've read, the command I ran only affects the ContentService and not the AdminService.

    Strangely, I can access all of the MySites pages, which is a separate web application, and I also have access to a second web application that is set up to host password reset web parts.  However, the two main web applications are inaccessible and are giving me the error I mentioned above.


    I can also still access document libraries through mapped drives.
    • Edited by ITRyanDC August 23, 2012 13:23
  • August 23, 2012 13:26
     
     

    I don't fully understand what the token-timeout property does, so I'm taking some shots in the dark...

    Central Admin -> Manage Web Applications [choose one] -> General settings -> General Settings -> Web Page Security Validation -> Set to Off

    Restart IIS (just because)

    And try to go in.  Any luck there?


    Willner001

  • August 23, 2012 13:27
     
     

    "When I use the GetProperty command, it now returns the value of 0, but when I try to run the set property command again, I get the following error"

    What command are you talking about exactly?


    Willner001

    This one: 

    stsadm -o getproperty -propertyname token-timeout

    stsadm -o setproperty -propertyname token-timeout -propertyvalue 1440

    1440 is the default.

  • August 23, 2012 13:36
     
     
    Nope, no luck.  I've opened a support ticket with Microsoft.  Usually I can find answers to my problems by searching the internet, but I haven't found anything on this after hours of searching.
  • August 23, 2012 13:47
     
     

    Good luck then.


    Willner001

  • August 23, 2012 23:12
     
     Answered

    In case you were interested in the outcome, after 4+ hours on the phone with Microsoft support, my sites are back up and running.  The only solution was to create a new config database, recreate the web applications and then connect the content databases to them.  Luckily, the only things I had to reconfigure were the search service application and the user profile service.  I don't know why Microsoft would allow someone to set the property to 0 when it wreaks this kind of havoc.

  • August 24, 2012 11:11
     
     
    Thanks for posting the solution.

    Willner001
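
Added example, not part of the thread and not Microsoft's tooling: because the thread reports that a value of 0 could not be reverted with setproperty afterwards, the change has to be stopped before it is made. This PowerShell wrapper around the two stsadm commands quoted above rejects values below a floor and logs the previous value first; the function name, the floor, the log path, stsadm being on PATH, and a non-zero exit code meaning failure are assumptions.

```powershell
# Added example: guarded wrapper around the stsadm commands quoted in the thread.
# Set-TokenTimeoutSafely, $MinimumMinutes and $LogPath are hypothetical names.
function Set-TokenTimeoutSafely {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [int]$Minutes,
        [int]$MinimumMinutes = 1,   # assumption: anything below this is refused
        [string]$LogPath = "$env:TEMP\token-timeout-changes.log"   # hypothetical path
    )

    # Refuse the value that made the content web applications inaccessible.
    if ($Minutes -lt $MinimumMinutes) {
        throw "Refusing Token-Timeout=$Minutes; value must be >= $MinimumMinutes."
    }

    # Record the current value before touching it, so a known-good value is on file.
    $before = (& stsadm -o getproperty -propertyname token-timeout 2>&1 | Out-String).Trim()
    if ($LASTEXITCODE -ne 0) {
        throw "getproperty failed; nothing was changed. Output: $before"
    }
    "{0:u} before: {1}" -f (Get-Date), $before | Add-Content -Path $LogPath

    # -WhatIf shows the intended change without applying it.
    if (-not $PSCmdlet.ShouldProcess('Token-Timeout', "set to $Minutes")) {
        return
    }

    $setOut = (& stsadm -o setproperty -propertyname token-timeout -propertyvalue $Minutes 2>&1 | Out-String).Trim()
    if ($LASTEXITCODE -ne 0) {
        throw "setproperty failed. Output: $setOut"
    }

    # Read the value back and log it next to the previous one.
    $after = (& stsadm -o getproperty -propertyname token-timeout 2>&1 | Out-String).Trim()
    "{0:u} after:  {1}" -f (Get-Date), $after | Add-Content -Path $LogPath

    [pscustomobject]@{ Requested = $Minutes; Before = $before; After = $after }
}

# Dry run first, then apply (1440 is the default quoted in the thread):
# Set-TokenTimeoutSafely -Minutes 1440 -WhatIf
# Set-TokenTimeoutSafely -Minutes 1440
```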