
An exception occurred when trying to issue security token.

While working on a SharePoint 2016 farm, all of a sudden all sites started showing:

500 Internal server error
Central Administration is up and browsable.

I found these events in Event Viewer.

Event ID 8306
An exception occurred when trying to issue security token: There was no endpoint listening at http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc/actas that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details..

Event ID 6398
The Execute method of job definition Microsoft.Office.Server.UserProfiles.FeedCacheRepopulationJob (ID 1c18cf8a-b009-48e2-9416-df30adec5c82) threw an exception. More information is included below.

There was no endpoint listening at http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc/actas that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. (Correlation=82f1189e-55aa-8091-537f-c3f819a775ec)

Confirmation: 

OK. Both events are complaining about the Security Token Service Application, and Event ID 6398 provides a correlation ID. That was helpful.

If you click on the link http://localhost:32843/Security……………… mentioned in Event Viewer, it shows “page cannot be displayed”; that was good enough to confirm that the Security Token Service Application was not responding.

I did an IISReset, checked that all services were up and that SQL was good, and rebooted the machine, but no luck.

Solution:

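The script below solved the problem.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
# Re-provision the service host configuration
$hostSvc = Get-SPServiceHostConfig
$hostSvc.Provision()
# Re-provision the Security Token Service application
$SecToken = Get-SPServiceApplication | where { $_.TypeName -like "Security Token*" }
$SecToken.Provision()

You can restart IIS (IISReset.exe) or use the PowerShell below to restart a single IIS site.

Import-Module WebAdministration
Stop-Website "SharePoint Web Services"
Start-Website "SharePoint Web Services"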

Check out this TechNet article for further troubleshooting if the issue is not resolved.
https://support.microsoft.com/en-in/help/2493524/sharepoint-2010-receiving-error-security-token-service-is-not-availabl
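
A post-fix health check for the steps above, as an added example that is not part of the original post. The endpoint URL and site name come from the events and script on this page; the application pool name `SecurityTokenServiceApplicationPool`, the function name `Test-StsHealth` and the 15-minute lookback are assumptions.

```powershell
# Added example: run in an elevated SharePoint Management Shell on the affected server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

# Endpoint from Event ID 8306, without the /actas suffix.
$StsUrl  = 'http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc'
# Assumption: default application pool name used by the Security Token Service.
$StsPool = 'SecurityTokenServiceApplicationPool'

function Test-StsHealth {
    param([int]$LookbackMinutes = 15)

    $sts = Get-SPServiceApplication | Where-Object { $_.TypeName -like 'Security Token*' }

    # Probe the WCF endpoint; a healthy service answers with the service page.
    try {
        $resp = Invoke-WebRequest -Uri $StsUrl -UseDefaultCredentials -UseBasicParsing -TimeoutSec 15
        $endpoint = "HTTP $([int]$resp.StatusCode)"
    } catch {
        $endpoint = "FAILED: $($_.Exception.Message)"
    }

    # New 8306 events after the fix mean token issuance is still failing.
    $filter = @{ LogName = 'Application'; Id = 8306; StartTime = (Get-Date).AddMinutes(-$LookbackMinutes) }
    $recent = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ServiceAppStatus = $sts.Status
        IisSiteState     = (Get-WebsiteState -Name 'SharePoint Web Services').Value
        AppPoolState     = (Get-WebAppPoolState -Name $StsPool).Value
        Endpoint         = $endpoint
        Recent8306Events = $recent.Count
    }
}

Test-StsHealth | Format-List
```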


Update a web application URL and IIS bindings for SharePoint


A quick Google search gave me the TechNet article below, but here is another way to make it easier using PowerShell, with less clicking. This applies to SharePoint 2010, 2013 and 2016.

https://technet.microsoft.com/en-us/library/cc262366.aspx  

Scenario:

Let’s say you created a web application http://danger for your users; they are working on it and the site is live, all good. One fine morning the site owner decides this name is not good and wants to change the URL to something else, like http://ranger.

You can change the URL from Central Administration, and in case you don’t want to click too much you can use the four-line PowerShell at the end of this write-up.

Using Central Administration:  

Extend the web application to a zone that is not used yet. Let’s say the “Custom” zone.

You can enter any host header value, for example “tempsite”, with any port number, as this will be a temporary extension of the web app; we will get rid of this zone once done.

Once the web application is extended, you can confirm it by going to the Alternate Access Mapping page, where you will see a new mapping http://tempsite in the zone you used while extending.

Go back to the Manage Web Applications page, highlight the web application http://danger by clicking on it, and click the small drop-down on the Delete button in the ribbon. Select “Remove SharePoint from IIS Web Site”, select the zone with the unwanted URL from the drop-down (in this case it is “danger”), check the box to delete the IIS web site and click OK.

So far, we have removed the unwanted URL and moved everything over to a new URL called tempsite. Go back and extend the web application again, and this time enter the correct URL http://ranger, port 80, and make sure you select the Default zone from the drop-down. Hit OK. Once done, check your site with the new URL, in this case http://ranger.

You can remove the Custom zone URL as mentioned earlier using the “Remove SharePoint from IIS Web Site” option.

Using PowerShell

Add-PSSnapin Microsoft.SharePoint.PowerShell
$Auth = New-SPAuthenticationProvider

# 1. Extend the web application to a temporary Custom zone
Get-SPWebApplication -Identity http://danger | New-SPWebApplicationExtension -Name TempSite -Zone Custom -Port 80 -HostHeader TempSite -Url http://tempsite -AuthenticationMethod NTLM -AuthenticationProvider $Auth

# 2. Remove the old Default zone (http://danger) and its IIS site
Get-SPWebApplication -Identity http://danger | Remove-SPWebApplication -Zone Default -DeleteIISSite -Confirm:$false

# 3. Extend again into the Default zone with the new URL; the host header must match the URL
Get-SPWebApplication -Identity http://danger | New-SPWebApplicationExtension -Name Ranger -Zone Default -Port 80 -HostHeader ranger -Url http://ranger -AuthenticationMethod NTLM -AuthenticationProvider $Auth -Confirm:$false

# 4. Remove the temporary Custom zone (the pipe must stay on the same line as the first command)
Get-SPWebApplication -Identity http://ranger | Remove-SPWebApplication -Zone Custom -DeleteIISSite -Confirm:$false

Change the parameters as per your requirements. If you want, you can add “sleep -Seconds 5” after each command to give the IIS web site time to be created on each server, but it all depends on how big the environment is.

Update Web Application Name 

The commands above will update the URL, but notice the web application name is still the same: “SharePoint - Danger”. To change the web application name, use the following script.

$WApp = Get-SPWebApplication -Identity http://ranger
$WApp.Name = "SharePoint - Ranger"
$WApp.Update()

Get-SPWebApplication 

 HTH
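
A check to run after the URL change, as an added example that is not part of the original post: it lists every zone still attached to the web application with its public URL, IIS bindings and authentication settings, so a leftover temporary zone or a host header that does not match the URL is visible at a glance. The function name `Get-WebAppZoneReport` is hypothetical.

```powershell
# Added example: run in the SharePoint Management Shell after the rename.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-WebAppZoneReport {
    param([Parameter(Mandatory)][string]$Url)

    $wa = Get-SPWebApplication -Identity $Url
    foreach ($zone in @($wa.IisSettings.Keys)) {
        $iis = $wa.IisSettings[$zone]
        [pscustomobject]@{
            WebApplication   = $wa.Name
            Zone             = $zone
            PublicUrl        = $wa.GetResponseUri($zone).AbsoluteUri
            IisSite          = $iis.ServerComment
            # HostHeader:Port pairs as SharePoint recorded them for this zone
            Bindings         = ($iis.ServerBindings | ForEach-Object { '{0}:{1}' -f $_.HostHeader, $_.Port }) -join ', '
            ClaimsAuth       = $iis.UseClaimsAuthentication
            # True means the zone only offers NTLM, not Negotiate (Kerberos)
            KerberosDisabled = $iis.DisableKerberos
        }
    }
}

# Expect a single Default zone on http://ranger and no Custom/tempsite entry.
Get-WebAppZoneReport -Url 'http://ranger' | Format-List
```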

Check if Kerberos is working in SharePoint

The purpose of this article is to share information from a fully functional Kerberos environment, for quick reference when verifying a Kerberos setup.

I am not covering the steps for how to configure Kerberos; there is a lot of information online on how to do this.

Some handy commands:

KLIST

KLIST Tickets -> Lists the currently cached tickets of services that you have authenticated to since logon.

KLIST Sessions -> Displays the information for all logon sessions on this computer.

KLIST Purge -> To delete a specific ticket or all tickets.

You can use Network Monitor, the IE developer tools, HttpWatch or Fiddler to confirm.

I used Fiddler to capture traffic for the SharePoint site, and below is a comparison of the Headers, Auth and Raw tabs to confirm whether Kerberos is functional vs NTLM.

Kerberos Header Tab

NTLM Header Tab

Kerberos Auth Tab

NTLM Auth Tab

Kerberos Raw Tab

NTLM Raw Tab

Event ID 4624 on WFE

Event ID 4648 on client machine

Event ID 4624 on client machine
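
The two checks above as a script, added here as an example that is not part of the original post: one function classifies an Authorization header copied from Fiddler's Raw tab, the other summarizes which authentication package Event ID 4624 recorded for network logons on the WFE. The function names are hypothetical, the header values are constructed and truncated, and the "YII" prefix test is a heuristic.

```powershell
# Added example. Sample header values are constructed, not captured traffic.

# Classify the token in an Authorization header from Fiddler's Raw tab.
function Get-HttpAuthPackage {
    param([Parameter(Mandatory)][string]$AuthorizationHeader)
    $scheme, $token = $AuthorizationHeader.Trim() -split '\s+', 2
    if (-not $token)                   { return 'Unknown' }
    if ($token.StartsWith('TlRMTVNT')) { return 'NTLM' }   # base64 of "NTLMSSP"
    # Heuristic: a Kerberos GSS-API blob starts with bytes 0x60 0x82, base64 "YII".
    if ($scheme -eq 'Negotiate' -and $token.StartsWith('YII')) { return 'Kerberos' }
    return 'Unknown'
}

# Summarize network logons (LogonType 3) from Event ID 4624 by user and package.
# Reading the Security log requires an elevated session on the WFE.
function Get-LogonPackageSummary {
    param([int]$Hours = 1)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data['LogonType'] -eq '3') {
            [pscustomobject]@{
                User    = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                Package = $data['AuthenticationPackageName']
            }
        }
    } | Group-Object User, Package | Sort-Object Count -Descending | Select-Object Count, Name
}

# Constructed samples: Negotiate with a Kerberos blob, Negotiate falling back to NTLM, plain NTLM.
$samples = 'Negotiate YIIHmAYGKwYBBQUCoIIHjDCC',
           'Negotiate TlRMTVNTUAABAAAAl4II4gAA',
           'NTLM TlRMTVNTUAADAAAAGAAYAIgAAAA'
$samples | ForEach-Object {
    [pscustomobject]@{ Header = $_; Package = Get-HttpAuthPackage $_ }
} | Format-Table -AutoSize

Get-LogonPackageSummary -Hours 1 | Format-Table -AutoSize
```

A user who appears with Package NTLM for the SharePoint site after Kerberos was configured has fallen back silently, which is what the side-by-side Fiddler tabs are meant to catch.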