Forms-based authentication (FBA) can produce a number of generic "bucket" errors. In this blog post, I will be going over event 8306. This one seems to stump many people and can be difficult to troubleshoot if we don't know where to start.
FBA can come in various deployments with the backend being SQL, .NET, etc. The most common is LDAP, which I will be using in this post for the 8306. The deployment documents for this are in the following TechNet articles.
2013 – https://technet.microsoft.com/en-us/library/ee806890.aspx
2010 – https://technet.microsoft.com/en-us/library/ee806890(v=office.14).aspx
The error that we’re chasing down can be reproduced in any environment with FBA. The text of the error states we have failed to issue a token.
Log Name: Application
Source: Microsoft-SharePoint Products-SharePoint Foundation
Date: 12/23/2017 3:00:50 PM
Event ID: 8306
Task Category: Claims Authentication
Level: Error
Keywords:
User: contosomosssvc
Computer: WFE1.contoso.com
Description:
An exception occurred when trying to issue security token: The security token username and password could not be validated.
This is being thrown by the web application's application pool (0x2AD0), but really it's bubbling up from the Security Token Service.
The ULS logs show us the exception for the web app:
Here you can see the failure happen earlier in the request (filter by correlation ID) in the STS:
With this information we need to take a network trace from the WFE, since it's the one making the request to the DC (Domain Controller). I use a tool called Netmon 3.4. We can also check the web.config of the STS to see which directory we are pointing to when verifying the username and password.
<membership>
  <providers>
    <add name="membership"
         type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         port="389"
         useSSL="false"
         userDNAttribute="distinguishedName"
         userNameAttribute="sAMAccountName"
         userContainer="OU=UserAccounts,DC=internal,DC=yourcompany,DC=com"
         userObjectClass="person"
         userFilter="(&amp;(ObjectClass=person))"
         scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>
LDAP is used over ports 389 and 636 (SSL). Netmon has standard filters that can be applied.
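The following PowerShell is an added example (not from the original post) that reproduces, from the WFE, the two checks described above: it reads the LdapMembershipProvider entry out of the STS web.config and then tests whether the configured DC answers on the LDAP port and accepts a simple bind. It assumes the provider element carries a `server` attribute (not shown in the snippet above) and that the caller supplies the web.config path and a known-good FBA test account.

```powershell
# Added example, not part of the original post. Run on the WFE that logs event 8306.
# Assumptions: the <add> element has a 'server' attribute; $WebConfigPath points at the
# STS web.config on this box; $TestUser is a known-good FBA account for a controlled test.
param(
    [Parameter(Mandatory)] [string] $WebConfigPath,
    [Parameter(Mandatory)] [pscredential] $TestUser
)

[xml]$cfg = Get-Content -LiteralPath $WebConfigPath
$provider = $cfg.configuration.'system.web'.membership.providers.add |
    Where-Object { $_.type -like 'Microsoft.Office.Server.Security.LdapMembershipProvider*' } |
    Select-Object -First 1
if (-not $provider) { throw "No LdapMembershipProvider found in $WebConfigPath" }

$server = $provider.server
$port   = [int]$provider.port
$useSsl = [bool]::Parse($provider.useSSL)
Write-Host "STS validates FBA users against ${server}:$port (SSL=$useSsl), container '$($provider.userContainer)'"

# Check 1: does the DC answer at all? A DC that never replies (the firewall case in the
# Netmon trace above) shows up here as a failed TCP test, not as an LDAP error.
$tcp = Test-NetConnection -ComputerName $server -Port $port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "No TCP response from $server on port $port - check firewalls between WFE and DC"
    return
}

# Check 2: does a simple bind with the test account succeed? This is what the provider
# does when it validates the username and password. With useSSL="false" the bind
# travels in cleartext, which is why the trace can show the failure so plainly.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($server, $port)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $useSsl
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
try {
    $conn.Bind($TestUser.GetNetworkCredential())
    Write-Host "Bind OK - DC and credentials are fine; compare the STS and web app web.configs next"
} catch [System.DirectoryServices.Protocols.LdapException] {
    # Result 49 (invalidCredentials) is the bad username/password case from the post.
    Write-Warning "Bind failed: $($_.Exception.Message) (LDAP result code $($_.Exception.ErrorCode))"
} finally {
    $conn.Dispose()
}
```

If the TCP test passes but the bind fails only on one WFE, that WFE (or the DC it resolved) is the one to isolate in the Netmon trace.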
Netmon on the WFE:
The Netmon trace here shows that we're not getting any response from the DC, which is one example of this error. Other cases may manifest as different issues altogether.
The ULS logs usually just says it failed while trying to validate the Username and Password.
12/23/2017 16:09:35.77 w3wp.exe (0x5A80) 0x92C0 SharePoint Foundation Claims Authentication fo1t Monitorable STS Call: Failed to issue new security token. Exception: System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.). 7580399e-8900-708b-67e2-ab7bcf6013a3
Here are the most common reasons you’ll see 8306 in your FBA deployment:
- Somebody put in the wrong username and password
- Communication with the DC (in my example above I had a firewall block the LDAP traffic)
- Misconfiguration of the web.configs
The first reason is an odd one, but it's true. Putting in incorrect credentials will throw an 8306 with the same text as above (the user name and password could not be validated). If you're seeing inconsistent results, you might have a DC that isn't responding correctly, and the Netmon trace will be valuable in isolating the issue to the one WFE or DC that is affected.