Monday, April 8, 2013

Security Token Service Access Denied

Error message from ULS:

An exception occurred when trying to issue security token: The server was unable to process the request due to an internal error.  For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs..
SPSecurityTokenService.Issue() failed: System.Runtime.InteropServices.COMException (0x80070005): Access is denied. at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at System.DirectoryServices.DirectoryEntry.Exists(String path) at Microsoft.SharePoint.Administration.SPMetabaseObject.get_Exists() at Microsoft.SharePoint.Administration.Claims.SPSecurityTokenServiceManager.<>c__DisplayClass8.b__6() at Microsoft.SharePoint.SPSecurity.<>c__DisplayClass4.b__2() at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode) at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback secureCode, Object param) at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated secureCode) at Microsoft.SharePoint.Administration.Claims.SPSecurityTokenServiceManager.EnsureSharePointLogonRequestClaims(Claim logonIdentityClaim, SPClaim& sharePointIdentityClaim) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.EnsureSharePointClaims(SPRequestInfo info, IClaimsIdentity outputIdentity) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope) at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityToken request)     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityToken request)


Resolution:

Reprovision the Secure Store Service. In this specific situation, simply adding the proper permissions to the database for the Secure Store Service account fixed the issue. If you are not a DBA, you can instead reprovision the Secure Store Service through PowerShell with the following commands, which effectively does the same thing.

PS C:\> $mysts = Get-SPServiceApplication | ?{$_ -match "Security Token Service"}
PS C:\> $mysts

DisplayName TypeName Id
----------- -------- --
Security Token Se... Security Token Se...

PS C:\> $mysts.Status
Online
PS C:\> $mysts.Provision()
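The same procedure as a script, added here as an example rather than taken from the post: it selects the STS by TypeName instead of matching the whole object against a string, reprovisions it, and then checks the local ULS log for new occurrences of the failure quoted above. It assumes an elevated SharePoint Management Shell run by a farm administrator; the 60-second wait and the three-entry sample are arbitrary choices.

```powershell
# Added example (not from the original post): reprovision the SharePoint STS and
# confirm the "SPSecurityTokenService.Issue() failed" error stops recurring.
# Assumes an elevated SharePoint Management Shell (or a session where the
# Microsoft.SharePoint.PowerShell snap-in can be loaded) run by a farm admin.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Select the STS by its TypeName so an unrelated service application whose
# display name happens to contain the phrase is not picked up.
$sts = Get-SPServiceApplication | Where-Object { $_.TypeName -like "Security Token Service*" }
if (-not $sts) { throw "Security Token Service application not found in this farm." }

Write-Host ("STS '{0}' status before reprovision: {1}" -f $sts.DisplayName, $sts.Status)

# Reprovision; this re-applies the service's configuration and permissions.
$since = Get-Date
$sts.Provision()
$sts = Get-SPServiceApplication -Identity $sts.Id   # refresh the object
Write-Host ("STS status after reprovision: {0}" -f $sts.Status)

# Look for new occurrences of the failure in this server's ULS log. Entries
# logged after $since mean the access-denied condition is still present.
Start-Sleep -Seconds 60   # arbitrary: give clients time to request tokens again
$failures = @(Get-SPLogEvent -StartTime $since |
    Where-Object { $_.Message -like "*SPSecurityTokenService.Issue() failed*" })

if ($failures.Count -gt 0) {
    Write-Warning ("{0} STS issue failure(s) logged since {1}; check the service account's permissions." -f $failures.Count, $since)
    $failures | Select-Object -First 3 Timestamp, Category, Message | Format-List
} else {
    Write-Host "No SPSecurityTokenService.Issue() failures logged since $since."
}
```

Run it on each web front end that hosts the STS, since Get-SPLogEvent reads only the local server's ULS log.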
