http://blogs.technet.com/b/sykhad-msft/archive/2012/02/25/sharepoint-2010-nailing-the-error-quot-the-security-token-service-is-unavailable-quot.aspx

First of all, let's talk about the STS (Security Token Service):

  • An STS is a specialized Web service that is designed to respond to requests for security tokens and provide identity management. The core functionality of every STS is the same, but the nature of the tasks that each STS performs depends on the role the STS plays in relation to the other STS Web services in your design. (Reference: http://technet.microsoft.com/en-us/library/ee806864.aspx)
  • The STS is neither a SharePoint service nor a Windows service; it is actually a WCF web service.
  • Many SharePoint services, such as the User Profile Sync Service and the SharePoint Search Service, are claims-aware and need the STS to be up and running in a stable condition.
  • Take Search as an example: suppose the Query Component is hosted on the App Server and a user hits the WFE and performs a search. The WFE communicates with the Query Component on the App Server by using its STS to get the claim, which is then sent to the App Server. Without a working STS, this communication is not possible.
  • Also, the User Profile Synchronization Service (UPSS) cannot start if the STS is not in a healthy condition.
  • Not only SharePoint services: web applications also require a working STS for intra/inter-farm authentication.
  • The figure below shows that within a SharePoint farm, intra/inter-farm authentication happens using Claims Authentication, so a working STS is essential.

I have seen numerous cases where the UPSS fails to start because of the unavailability of the STS. In such cases you can also see the following errors logged:

In SharePoint Health Analyzer: "The Security Token Service is unavailable"

In SharePoint ULS logs while starting UPSS, errors like:

  • An exception occurred when trying to issue security token: The server did not provide a meaningful reply; this might be caused by a contract mismatch, a premature session shutdown or an internal server error (OR)

You may not see all the errors shown above; I'm just trying to collate the common errors seen while starting UPSS when the STS is broken.

To troubleshoot such issues, it will be good to check if we can browse to the STS Web Service page.

To browse, go to IIS Manager --> Sites --> SharePoint WebServices --> SecurityTokenServiceApplication, click 'Content View' at the bottom, right-click Securitytoken.svc and click Browse (as shown below)

The expected page to see if STS is working will be as shown below:

As long as you get the above message while browsing, be sure that the STS is working just fine. In cases where STS is broken, you will not be able to browse to the above web service. You will get errors like Server Error in '\' Application, or Internet Explorer cannot display the web page etc.
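The browse check above can be scripted so that it is repeatable before and after a fix. This is an added example, not code from the original post; the function name Test-StsEndpoint and the default URL (including port 32843) are assumptions to adjust to your farm.

```powershell
# Added example, not from the original post. Works on PowerShell 2.0 (no Invoke-WebRequest).
# ASSUMPTION: the default URL below; replace host/port with the binding IIS Manager
# shows for the site that hosts SecurityTokenServiceApplication.
function Test-StsEndpoint {
    param(
        [string]$Url = 'http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc',
        [int]$TimeoutSeconds = 30
    )
    $result = New-Object PSObject -Property @{
        Url = $Url; Healthy = $false; StatusCode = $null; Detail = $null
    }
    $response = $null
    try {
        $request = [System.Net.WebRequest]::Create($Url)
        $request.UseDefaultCredentials = $true      # Windows auth as the current user
        $request.Timeout = $TimeoutSeconds * 1000   # milliseconds
        $response = $request.GetResponse()
        $result.StatusCode = [int]$response.StatusCode
        $result.Healthy = ($result.StatusCode -eq 200)
        $result.Detail = 'STS service page returned'
    }
    catch {
        # Method exceptions arrive wrapped; unwrap to the WebException if there is one.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
        if ($ex -and $ex.Response) {
            # IIS answered with an error status, e.g. the "Server Error in ... Application" page.
            $result.StatusCode = [int]$ex.Response.StatusCode
            $result.Detail = "HTTP error: $($ex.Message)"
        }
        elseif ($ex) {
            # Nothing answered: site or application pool stopped, wrong port, or a timeout.
            $result.Detail = "No HTTP response ($($ex.Status)): $($ex.Message)"
        }
        else {
            $result.Detail = $_.Exception.Message
        }
    }
    finally {
        if ($response) { $response.Close() }
    }
    return $result
}

# Run before and after the fix; Healthy should change from False to True.
Test-StsEndpoint | Format-List Url, Healthy, StatusCode, Detail
```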

How to fix STS?

Step One:

Right-click the SecurityTokenServiceApplication and click Explore. Copy the web.config and compare it with the attached file, which is completely out of the box with no modifications. If the web.config on your farm differs a lot from mine, replace the file on the SecurityTokenServiceApplication (also keep a copy of the original web.config), perform an IIS reset, and check whether the STS page comes up as expected.

Step Two:

A BIG thank you to Abhishek Saigal (one of the finest resources in the SharePoint admin world), who came up with this fix, which has a success rate of 99.99%.

I have tried this fix on numerous User Profile cases where UPSS could never start due to broken STS, and after STS was fixed UPSS started like a charm!

The PowerShell commands below re-provision all the SharePoint Web Services, and this is one of the safest ways to get the STS working.

There is no need to be afraid of losing any data/applications on SharePoint while/after running the below commands

Run the following commands one by one on SharePoint PowerShell:

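# Get the farm's web service host configuration and re-provision it
$h = Get-SPServiceHostConfig

$h.Provision()

# Re-provision every service application, printing each name as it completes
$services = Get-SPServiceApplication

foreach ($service in $services) {
    $service.Provision()
    Write-Host $service.Name
}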

The output will look something like shown below:

Perform an IIS reset and try browsing to the STS again, and I'm sure you will see positive results!

Once the STS page is accessible successfully, try and start the UPSS one more time and very likely the UPSS will start successfully.

I'll be surprised if this fix fails, and I'll be more than happy to help you fix it!
