Security Token Service is not available

Question
-
After converting a Web Application from Classic mode to Claims Based using PowerShell I can no longer access my Web Applications.
When turning off custom errors and setting Call Stack to true, I see the below error message:
The server did not provide a meaningful reply; this might be caused by a contract mismatch, a premature session shutdown or an internal server error.
Looking into Central Admin I see an error for the Security Token Service. The Security Token Service is not available. Explanation:
The Security Token Service is not issuing tokens. The service could be malfunctioning or in a bad state.
If I look in the App Event Logs I see:
An exception occurred when trying to issue security token: The server did not provide a meaningful reply; this might be caused by a contract mismatch, a premature session shutdown or an internal server error..
I have applied the WCF Hotfix and restarted the server. What is causing this issue?
I am using SharePoint Foundation 2010
Any assistance is greatly needed!
Wednesday, October 13, 2010 12:05 AM
Answers
-
I was finally able to resolve the Security Token Service not being available issue. The resolution was in IIS Authentication for the SecurityTokenServiceApplication. Within the list of the different authentications available, both Windows Authentication and Forms Authentication were marked as Enabled. Once I disabled Forms Authentication, did an IISReset and then ran the Health Analyzer, the warning went away. I tested by creating a Web Application using Claims Authentication and was able to successfully log in to the website with no errors. Yippee!!!! Finally!!! Hope this helps others.
- Marked as answer by Robert Revere Wednesday, November 3, 2010 5:06 AM
Wednesday, November 3, 2010 5:06 AM
All replies
-
Hi,
When you access http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc do you get any errors?
Did you try this hotfix?
A hotfix for the .NET Framework 3.5 Service Pack 1 is available for Windows Server 2008 R2 as a prerequisite for Microsoft Office SharePoint Server 2010
http://code.msdn.microsoft.com/KB976462/Release/ProjectReleases.aspx?ReleaseId=4317
Wednesday, October 13, 2010 6:49 AM -
Yes I have installed that Hotfix. I confirmed it by trying to reinstall and the message says the Hotfix is already installed.
Here is the message I get when I navigate to the url above
The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.
Wednesday, October 13, 2010 2:54 PM -
I enabled IncludeExceptionDetailInFaults on the ServiceToken web.config file (<serviceDebug includeExceptionDetailInFaults="true" />) within the <behavior> tag and received this error:
The service encountered an error.
An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, whose value is:
System.InvalidOperationException: An exception was thrown in a call to a policy export extension.
Extension: System.ServiceModel.Channels.TransportSecurityBindingElement
Error: Security policy export failed. The binding contains a TransportSecurityBindingElement but no transport binding element that implements ITransportTokenAssertionProvider. Policy export for such a binding is not supported. Make sure the transport binding element in the binding implements the ITransportTokenAssertionProvider interface.
----> System.InvalidOperationException: Security policy export failed. The binding contains a TransportSecurityBindingElement but no transport binding element that implements ITransportTokenAssertionProvider. Policy export for such a binding is not supported. Make sure the transport binding element in the binding implements the ITransportTokenAssertionProvider interface.
   at System.ServiceModel.Channels.TransportSecurityBindingElement.System.ServiceModel.Description.IPolicyExportExtension.ExportPolicy(MetadataExporter exporter, PolicyConversionContext policyContext)
   at System.ServiceModel.Description.MetadataExporter.ExportPolicy(ServiceEndpoint endpoint)
   --- End of inner ExceptionDetail stack trace ---
   at System.ServiceModel.Description.ServiceMetadataBehavior.MetadataExtensionInitializer.GenerateMetadata()
   at System.ServiceModel.Description.ServiceMetadataExtension.EnsureInitialized()
   at System.ServiceModel.Description.ServiceMetadataExtension.HttpGetImpl.InitializationData.InitializeFrom(ServiceMetadataExtension extension)
   at System.ServiceModel.Description.ServiceMetadataExtension.HttpGetImpl.GetInitData()
   at System.ServiceModel.Description.ServiceMetadataExtension.HttpGetImpl.TryHandleDocumentationRequest(Message httpGetRequest, String[] queries, Message& replyMessage)
   at System.ServiceModel.Description.ServiceMetadataExtension.HttpGetImpl.ProcessHttpRequest(Message httpGetRequest)
   at SyncInvokeGet(Object , Object[] , Object[] )
   at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)
   at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage4(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)
Wednesday, October 13, 2010 3:46 PM -
Robert,
Did you ever figure out why you were getting the error "The server did not provide a meaningful reply; this might be caused by a contract mismatch, a premature session shutdown or an internal server error."?
Tuesday, October 26, 2010 10:04 PM -
I figured out that it has something to do with the STS config file and not being able to issue tokens.
As far as the solution I am still troubleshooting with Microsoft on the issue. Wish I had the solution because the project is on hold until I get a resolution for this. The last conversation I had with Microsoft is that they thought it was permission related, but have checked all the permissions that I know about.
There are several other postings in regards to this error so we are not alone.
I can get STS to issue tokens on my local machine, but in the environment I have issues with, SharePoint Foundation 2010 is in the DMZ and the Database server is in an Internal Domain. Can't imagine Microsoft would release it without it being able to work in DMZ on a Virtual environment. That would just be unacceptable!
Wednesday, October 27, 2010 1:03 AM -
Just wanted to tell you, that I have the exact same error. I'm also using SharePoint Foundation 2010.
Looking forward to hearing what's causing the error. If I find the solution I will post it.
Thursday, October 28, 2010 11:01 PM -
I too have the same problem, any response from Microsoft as yet?
Saturday, October 30, 2010 7:02 PM
-
I had the same problem and I got it fixed.
In the log file I found these lines
---------------------------------------------------
The extended protection settings configured on IIS do not match the settings configured on the transport. See inner exception for details.. ---> System.NotSupportedException: The extended protection settings configured on IIS do not match the settings configured on the transport. See inner exception for details. ---> System.InvalidOperationException: The ExtendedProtectionPolicy.PolicyEnforcement values do not match. One policy has a value of WhenSupported, while the other has a value of Never. These values must match exactly.
---------------------------------------------------
It was from the IIS configuration.
In IIS Manager > SharePoint Web Services (Site) > Authentication > Windows Authentication > Advanced Settings > Extended Protection, turn it off and check Enable Kernel-mode authentication.
Do an iisreset.
Now the SecurityTokenService is working fine.
Monday, November 1, 2010 10:49 AM -
I got this issue and it appears that this is related to the authentication mode set on one of the bindings of the STS. Go to the STS web.config and alter the authentication mode of the spStsActAsBinding from SspiNegotiatedOverTransport to IssuedToken.
- Proposed as answer by Michele Adamo Friday, July 8, 2011 2:38 PM
Sunday, December 26, 2010 8:13 PM -
Thank you Tarroud, I was able to resolve the same issue changing the authentication mode, but it would be great to understand what is behind the SspiNegotiatedOverTransport.
Friday, July 8, 2011 2:49 PM
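
Added example, not part of any post in this thread: a read-only PowerShell report of the settings the replies above changed (Windows vs. Forms authentication and Extended Protection in IIS, plus includeExceptionDetailInFaults and the binding authenticationMode in the STS web.config). It assumes the WebAdministration module is available and that the STS bindings are defined under customBinding; the helper name Get-Attr is hypothetical.

```powershell
# Added example (not from the thread): reports settings only, changes nothing.
# Site, application and attribute names follow the posts above.
Import-Module WebAdministration

$site = 'SharePoint Web Services'
$app  = 'SecurityTokenServiceApplication'
$win  = 'system.webServer/security/authentication/windowsAuthentication'

function Get-Attr([string]$Path, [string]$Filter, [string]$Name) {
    $p = Get-WebConfigurationProperty -PSPath $Path -Filter $Filter -Name $Name
    # Enum attributes come back as plain strings, the rest as objects with .Value
    if ($p -is [string]) { $p } else { $p.Value }
}

# 1. IIS authentication at the site root and at the STS application
$report = foreach ($path in "IIS:\Sites\$site", "IIS:\Sites\$site\$app") {
    New-Object PSObject -Property @{
        Path               = $path
        WindowsAuthEnabled = Get-Attr $path $win 'enabled'
        KernelModeAuth     = Get-Attr $path $win 'useKernelMode'
        # None / Allow / Require (IIS Manager shows Off / Accept / Required)
        ExtendedProtection = Get-Attr $path "$win/extendedProtection" 'tokenChecking'
        # 'Forms' here is what IIS Manager lists as Forms Authentication: Enabled
        AspNetAuthMode     = Get-Attr $path 'system.web/authentication' 'mode'
    }
}
$report | Format-List

# 2. WCF settings in the STS web.config, located through IIS rather than hard-coded
$physical = (Get-WebApplication -Site $site -Name $app).PhysicalPath
$dir = [Environment]::ExpandEnvironmentVariables($physical)
[xml]$cfg = Get-Content (Join-Path $dir 'web.config')

# Diagnostic switch used in the thread; 'true' returns exception detail to callers
$cfg.SelectNodes('//serviceDebug') | ForEach-Object {
    "serviceDebug includeExceptionDetailInFaults = $($_.GetAttribute('includeExceptionDetailInFaults'))"
}

# authenticationMode on each custom binding's <security> element
$cfg.SelectNodes('//customBinding/binding') | ForEach-Object {
    $sec  = $_.SelectSingleNode('security')
    $mode = $(if ($sec) { $sec.GetAttribute('authenticationMode') } else { '(no security element)' })
    "binding $($_.GetAttribute('name')) authenticationMode = $mode"
}
```

Run it from an elevated PowerShell prompt on the SharePoint server before and after a change so the difference is on record. The tokenChecking values None and Allow are the IIS-side counterparts of the Never and WhenSupported values named in the exception quoted above.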