Sharepoint 2016 - Claim Authentication error event ID 8306

    Question

  • Hi, I am a fairly new SharePoint admin who took over an on-premises single-server SharePoint 2016 farm running on Server 2012 R2 Datacenter. The event viewer is flooded with claims authentication errors, event ID 8306: "An exception occurred when trying to issue security token: ID3242: The security token could not be authenticated or authorized." Everything is working on the farm even with all the errors. I checked the logs and found the following: "The X.509 certificate CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US is not in the trusted people store." I launched MMC with the certificates snap-in and the SharePoint Security Token Service certificate is in the SharePoint store, not the Trusted People store as the error specifies. Can I just copy and paste the certificate from SharePoint to Trusted People, or is there a proper way to place a certificate in the correct store? Also, can a certificate reside in two stores? I really do not have any experience with certificates. Any help would be appreciated... thank you
    Wednesday, December 20, 2017 6:14 PM

All replies

  • Hi ian6868,

    To troubleshoot the issue, check things below:

    1. Check if the STS Web Service page can be browsed.

    Go to IIS Manager -> Sites -> SharePoint WebServices -> SecurityTokenServiceApplication, click on 'Content View' down at the bottom, right click on Securitytoken.svc and click Browse.

    2. Check if the application pool “SecureTokenServiceApplicationPool” is started in IIS manager.

    3. Check if you have added certificates to the trusted certificates list in Central Administration. If not, you could export the root of the certificate chain (the root certificate authority's certificate), then copy it to the Central Admin server and import it into Central Administration's Trust Relationships store.

    Go to the Central Administration->Security->Manage Trust-> Click on the New menu item-> Specify a name for the trust relationship->Select the SSL certificate you exported previously->IISReset.

    More reference:

    Unable to Activate Security Token Service Application - Event ID 8306.

    https://support.microsoft.com/en-sg/help/2520344/unable-to-activate-security-token-service-application---event-id-8306

    Best regards,

    Sara Fan


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Thursday, December 21, 2017 3:06 AM
    Moderator
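    The three checks above can be run from a script instead of clicking through IIS Manager and MMC. The following is an added example, not code from the thread or from Microsoft; it assumes it is run as a farm administrator in an elevated SharePoint 2016 Management Shell on the single server, that the STS endpoint listens on the default SharePoint web services port 32843, that the application pool is found by matching the name pattern `*TokenService*`, and that `(Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate` reports the signing certificate the farm is configured to use. It only reads; it changes no store and no service.

```powershell
# Added example (not from the thread): read-only checks for event ID 8306 / ID3242.
# Assumptions: SharePoint 2016 Management Shell, farm admin, default port 32843.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

# 1. How often is 8306 firing? (Application log, last 24 hours)
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 8306; StartTime = $since } `
                       -ErrorAction SilentlyContinue
"8306 events in last 24h: $(@($events).Count)"

# 2. Is the STS application pool started? (name matched by pattern, not hard-coded)
Get-ChildItem IIS:\AppPools |
    Where-Object { $_.Name -like '*TokenService*' } |
    Select-Object Name, State

# 3. Does the STS endpoint answer? (HTTP 200 with the WCF service page is expected)
$stsUrl = 'http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc'   # assumed default
try {
    $r = Invoke-WebRequest -Uri $stsUrl -UseBasicParsing -UseDefaultCredentials
    "STS endpoint: HTTP $($r.StatusCode)"
} catch {
    "STS endpoint failed: $($_.Exception.Message)"
}

# 4. Which LocalMachine stores hold a 'SharePoint Security Token Service' certificate,
#    and does each thumbprint match the certificate the STS configuration signs with?
#    Record this output before touching any store so a rollback is possible.
$cfgThumb = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate.Thumbprint
"Configured STS signing cert thumbprint: $cfgThumb"
foreach ($store in 'SharePoint', 'TrustedPeople', 'My', 'Root') {
    Get-ChildItem "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like 'CN=SharePoint Security Token Service*' } |
        ForEach-Object {
            $match = if ($_.Thumbprint -eq $cfgThumb) { 'matches config' } else { 'DOES NOT match config' }
            '{0,-14} {1} {2} (expires {3:yyyy-MM-dd})' -f $store, $_.Thumbprint, $match, $_.NotAfter
        }
}
```

    Step 4 is the part worth keeping: it shows whether the certificate the error names is the same one the farm's STS configuration is using (same thumbprint) and in which stores it currently sits, which is the information needed before deciding whether any store should be changed at all.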
  • Thank you for the reply. I had previously tested up to number 2, I think, successfully. Are you able to verify if the screenshot below is the correct screen when browsing the security token service? If the screenshot is correct, for step 3, would the process be to export the SharePoint Security Token Service certificate from the MMC and import it in Central Admin? Are there any problems I should look for after importing a certificate in Central Admin? By placing the certificate in Central Admin, does that put the certificate in the Trusted People store as the error mentioned? Sorry for all the questions; this is not something I have done before. Thanks again for the reply.... ian

    SecurityTokenService

    Thursday, December 21, 2017 1:50 PM
  • Hi ian6868,

    The screenshot in your post is the correct screen when browsing the security token service.

    Yes, export the SharePoint Security Token Service certificate from the MMC and import it in Central Admin.

    Then there is no problem after importing a certificate in central admin.

    Placing the certificate in central admin is the troubleshooting step to resolve the issue.

    Best regards,

    Sara Fan



    Friday, December 22, 2017 8:51 AM
    Moderator
  • Hi ian6868,

    How is everything going?

    Is there any update about this issue?

    If the reply is helpful to you, you could mark the reply as answer. Thanks for your understanding.

    Best regards,

    Sara Fan



    Monday, December 25, 2017 1:25 AM
    Moderator
  • Hi Sara, sorry I was off work for the holiday but am back now and will be testing shortly. Update to follow...
    Tuesday, December 26, 2017 12:10 PM
  • I exported the certificate leaving everything at default, imported it to Central Admin leaving everything at default, did an iisreset and still have the same issue. Please see the screenshots below and let me know if I should change anything. If no changes are needed here, is there any issue with importing directly to the Trusted People store?

    Step 1 export

    Export1

    Step 2 export

    Export2

    after that step I named the file and saved, then imported as shown next

    Import Step

    Import

    Thank you,

    Ian

    Tuesday, December 26, 2017 12:38 PM
  • Another update... after attempting what I previously mentioned, I tried importing the SharePoint Security Token Service certificate directly into the Trusted People store. Doing this broke all permissions to the site. I removed the certificate from Central Admin and Trusted People and the site is working again for all users except mine. I have permissions assigned to all users via AD groups inside of SharePoint groups. Those permissions no longer apply to my regular user account. I have to add my user specifically to the SharePoint groups now. My admin account still works as expected. I am hoping this does not happen to all users after the next full sync or crawl. I am not sure what to do at this point; I still have the same error in the event viewer that I originally posted.


    • Edited by ian6868 Tuesday, December 26, 2017 2:51 PM
    Tuesday, December 26, 2017 2:50 PM
  • Hi ian6868,

    It is very good that your site is working.

    Thank you for sharing; it will help others who have the same issue.

    To troubleshoot the event ID 8306 error, you could check the things below:

    1. Check if the “User Profile Service” is started in manage services on server in central administration.

    2. Re-provision the security token service with the following PowerShell commands (SharePoint Management Shell):

    # Find the Security Token Service application, show its status, then re-provision it
    $sts = Get-SPServiceApplication | ?{ $_ -match "Security" }

    $sts.Status

    $sts.Provision()


    3. Run the SharePoint 2016 Products Configuration Wizard.

    And you could consider rebuilding the SharePoint farm.

    Best regards,

    Sara Fan




    Friday, December 29, 2017 2:00 AM
    Moderator
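    The re-provision commands above change the farm, so it helps to capture the service status before and after and to check whether 8306 keeps appearing afterwards. The following is an added example, not code from the thread or from Microsoft; it assumes a SharePoint 2016 Management Shell run as farm administrator, that the STS service application's TypeName contains "Security" (the same match the post relies on), and that a five-minute wait is long enough for normal farm traffic to trigger the error again if it has not gone away.

```powershell
# Added example (not from the thread): re-provision the STS with before/after status
# and count any 8306 events logged since the re-provision ran.
# Assumptions: SharePoint 2016 Management Shell, farm admin, TypeName contains 'Security'.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$sts = Get-SPServiceApplication | Where-Object { $_.TypeName -match 'Security' }
if (-not $sts) { throw 'No service application with a TypeName matching "Security" was found' }

"Before: $($sts.DisplayName) status = $($sts.Status)"
$start = Get-Date
$sts.Provision()
"After:  $($sts.DisplayName) status = $($sts.Status)"

# Let the farm receive a few minutes of normal requests (assumed: 300 s is enough),
# then count 8306 events written since $start. Zero means the error stopped; any
# hits are shown so the message text can be compared with the original one.
Start-Sleep -Seconds 300
$new = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 8306; StartTime = $start } `
                    -ErrorAction SilentlyContinue
"8306 events since re-provision: $(@($new).Count)"
if (@($new).Count -gt 0) {
    $new | Select-Object -First 3 TimeCreated, Message | Format-List
}
```

    If the count after the wait is still non-zero, the re-provision did not address the cause and the next step in the list (the Products Configuration Wizard) is the one to consider, rather than changing certificate stores by hand, which the earlier reply in this thread shows can break site permissions.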
  • Hi ian6868,

    If the reply is helpful to you, you could mark the reply as answer. Thanks for your understanding.

    Best regards,

    Sara Fan



    Wednesday, January 03, 2018 9:13 AM
    Moderator
  • Hi Sara,

    Sorry for the delayed response. With the holidays passing it's been hard to keep up with everything.

    The User Profile Service is up and running. I will test re-provisioning the security token service as soon as I have a chance and will let you know. I hope I will not have to rebuild the farm.

    thank you

    ian

    Tuesday, January 09, 2018 6:15 PM
  • Hi ian6868,

    How is everything going?

    Is there any update about this issue?

    Best regards,

    Sara Fan



    Monday, January 15, 2018 1:39 AM
    Moderator