question

DeRadaSancibrianJavier-5583 asked ·

SharePoint 2013 / error 8306

We began to see this error in our SP 2013 farm a few days ago.
No configuration changes have been made in the farm or Active Directory.

Event 8306:
An exception occurred when trying to issue security token: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'..

Steps taken without success:

1. Restart the SecurityToken app pool in IIS on all farm servers

2. We ran this but it failed:

    # Re-provision the service host configuration
    $hostSvc = Get-SPServiceHostConfig
    $hostSvc.Provision()
    # Re-provision the Security Token Service application
    $SecToken = Get-SPServiceApplication | where { $_.TypeName -like "Security Token*" }
    $SecToken.Provision()

3. SecurityToken URL loads successfully:
    http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc

4. .NET trust level for the secure token service is set to "Full" in IIS


So it seems the SecurityToken service is up, but for some reason is unable to issue tokens.
Please provide some guidance on this.
Thank you in advance!

office-sharepoint-server-administration

Is your Web Application configured to use Kerberos? Is it completely non-functional for end users, or are you just seeing this message in the event viewer?


Hi @trevorseward, I'm not skilled in SharePoint but I'll try to respond as best as I can:
- All sites in IIS have Windows Authentication: HTTP 401 Challenge
- In Central Admin / Application Management / Authentication providers: all apps have NTLM configured

Right now the sites seem to work but the error can still be seen in Central Admin / health analyzer as "The security Token service is not available". Next to it all FOUR APP servers appear. So there are two servers (frontend servers) that do not seem to be affected.



Please check if there are more error messages in ULS logs.


In the ULS logs, I can see just this error (ONLY on APP servers, not on WFE machines):

OWSTIMER.EXE (0x2E08) 0x2104 SharePoint Foundation Claims Authentication 8306 Critical An exception occurred when trying to issue security token: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'..

JosephGaul-6269 answered ·

What do you mean by SP 2013 farm?


SharePoint 2013 farm

ElsieLu-MSFT answered ·

Hi @DeRadaSancibrianJavier-5583 ,

Per my understanding, here is a checklist:

1. Check whether the SecurityToken URL loads successfully on all servers.

2. Check whether the Identity of the Security Token Service application affected is the same as that of the normal server. If it is not the same, change it to the correct Identity. And restart to make sure the information is correct.
[Screenshot: 80133-4.jpg]

3. Use this script to detect some services that interact with the Security Token Service.

    Add-PSSnapin *sharepoint*
    $farm = [Microsoft.SharePoint.Administration.SPFarm]::Local
    $webServiceCollection = New-Object Microsoft.SharePoint.Administration.SPWebServiceCollection($farm)
    foreach ($service in $webServiceCollection)
    {
        foreach ($webApp in $service.WebApplications)
        {
            $firstWebApp = $webApp
            # Get the context
            $context = $firstWebApp.GetResponseUri([Microsoft.SharePoint.Administration.SPUrlZone]::Default)
            Write-Host "Web Application Context:" $context.AbsoluteUri
            # Call the token generator function
            $token = [Microsoft.SharePoint.SPSecurityContext]::SecurityTokenForContext($context)
            Write-Host "Token:" $token.InternalTokenReference
            Write-Host "**************************"
        }
    }

Under normal circumstances, there should be no issue after running:

[Screenshot: 79590-3.jpg]

You could refer to this post for more information:
SharePoint: Troubleshooting the Security Token Service

Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.


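Checklist items 1 and 2 from the answer above can be run against every farm server in one pass; the following is an added example, not part of the original answer or of any Microsoft script. It assumes PowerShell 3.0 or later, PowerShell remoting enabled between the farm servers, an account that is a local administrator on each of them, and the app pool name `SecurityTokenServiceApplicationPool` (an assumption; use the name shown in IIS Manager).

```powershell
# Added example. Run from one farm server in an elevated SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: STS app pool name; adjust to what IIS Manager shows.
$stsPool = 'SecurityTokenServiceApplicationPool'
# Port and path come from the URL in the question; the host is swapped per server.
$stsPath = ':32843/SecurityTokenServiceApplication/securitytoken.svc'

# Skip database/other non-SharePoint hosts, which are listed with the role "Invalid".
$servers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }

$results = foreach ($server in $servers) {
    $name = $server.Address
    $row  = [ordered]@{ Server = $name; Role = $server.Role
                        HttpStatus = $null; PoolIdentity = $null; Error = $null }

    # Checklist item 1: does the STS endpoint load on this server?
    try {
        $resp = Invoke-WebRequest -Uri "http://$name$stsPath" `
                    -UseDefaultCredentials -UseBasicParsing -TimeoutSec 15
        $row.HttpStatus = [int]$resp.StatusCode
    } catch {
        # A 401 or 5xx arrives as an exception; keep the status code if one was returned.
        if ($_.Exception.Response) { $row.HttpStatus = [int]$_.Exception.Response.StatusCode }
        $row.Error = $_.Exception.Message
    }

    # Checklist item 2: which identity runs the STS app pool on this server?
    try {
        $row.PoolIdentity = Invoke-Command -ComputerName $name -ArgumentList $stsPool `
            -ErrorAction Stop -ScriptBlock {
                param($pool)
                Import-Module WebAdministration
                $pm = Get-ItemProperty "IIS:\AppPools\$pool" -Name processModel
                "$($pm.identityType):$($pm.userName)"
            }
    } catch {
        $row.Error = "$($row.Error) | identity check: $($_.Exception.Message)"
    }
    [pscustomobject]$row
}

$results | Format-Table -AutoSize -Wrap

# Flag servers that do not return 200 or whose identity differs from the most common one.
$expected = ($results | Group-Object PoolIdentity |
             Sort-Object Count -Descending | Select-Object -First 1).Name
$results | Where-Object { $_.HttpStatus -ne 200 -or $_.PoolIdentity -ne $expected } |
    Select-Object Server, Role, HttpStatus, PoolIdentity
```

A server that appears in the second table is one where the endpoint did not load or where the app pool identity is not the one most servers use, which are the two conditions the checklist asks to compare between affected and normal servers.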

Hi @DeRadaSancibrianJavier-5583 ,

Have you tried my suggestion? Are there any updates?

Thanks,
Elsie Lu


Hi @ElsieLu-MSFT sorry we haven't been able to try your suggestions. As soon as we get a maintenance window I'll try them and I'll let you know.

ElsieLu-MSFT DeRadaSancibrianJavier-5583 ·

Looking forward to your reply. Hope it goes well.
