Forms-based authentication (FBA) can produce a number of general-bucket errors. In this blog post I will go over event 8306. This one seems to stump many people and can be difficult to troubleshoot if you don’t know where to start.
What flavor of FBA?
FBA can come in various deployments, with the backend being SQL, .NET, LDAP and so on. The most common is LDAP, which is what I will be using in this post for the 8306. The deployment documents for this are in the following TechNet articles.
2013 – https://technet.microsoft.com/en-us/library/ee806890.aspx
2010 – https://technet.microsoft.com/en-us/library/ee806890(v=office.14).aspx
What Process is tossing 8306?
The error that we’re chasing down can be reproduced in any environment with FBA. The text of the error states that we have failed to issue a token.
Log Name: Application
Source: Microsoft-SharePoint Products-SharePoint Foundation
Date: 12/23/2017 3:00:50 PM
Event ID: 8306
Task Category: Claims Authentication
Level: Error
Keywords:
User: contoso\mosssvc
Computer: WFE1.contoso.com
Description:
An exception occurred when trying to issue security token: The security token username and password could not be validated..
This is being tossed by the web application’s application pool (0x2AD0), but really it’s bubbling up from the Security Token Service (STS).
The ULS logs show us the exception for the web app:
Here you can see the failure happen earlier in the request (filter by correlation ID) in the STS:
With this information we need to take a network trace from the WFE, since it is the one making the request to the DC (Domain Controller). I use a tool called Netmon 3.4. We can also check the web.config of the STS to see where we are pointing to verify the username and password.
    <membership>
      <providers>
        <add name="membership"
             type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
             port="389"
             useSSL="false"
             userDNAttribute="distinguishedName"
             userNameAttribute="sAMAccountName"
             userContainer="OU=UserAccounts,DC=internal,DC=yourcompany,DC=com"
             userObjectClass="person"
             userFilter="(&amp;(ObjectClass=person))"
             scope="Subtree"
             otherRequiredUserAttributes="sn,givenname,cn" />
      </providers>
    </membership>
LDAP is used over port 389, and LDAPS (LDAP over SSL) over port 636. Netmon has standard filters for both that can be applied.
Netmon on the WFE:
The Netmon trace here shows that we’re not getting any response from the DC, which is one example of the cause of this error. Other causes manifest as different issues altogether.
Root Cause?
The ULS logs usually just say that it failed while trying to validate the username and password.
12/23/2017 16:09:35.77 w3wp.exe (0x5A80) 0x92C0 SharePoint Foundation Claims Authentication fo1t Monitorable STS Call: Failed to issue new security token. Exception: System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.). 7580399e-8900-708b-67e2-ab7bcf6013a3
Here are the most common reasons you’ll see 8306 in your FBA deployment:
- Somebody put in the wrong username and password
- Communication with the DC (in my example above I had a firewall blocking LDAP traffic)
- Misconfiguration of the web.configs
The first reason is an odd one, but it’s true. Putting in incorrect credentials will toss an 8306 with the same text as above (The user name and password is not validated.). If you’re seeing inconsistent results, you might have a DC that isn’t responding correctly; the Netmon trace will be valuable for isolating the issue to the one WFE or DC that is affected.
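To separate the three causes above without waiting for a Netmon capture, here is an added PowerShell diagnostic (my own example, not code from the original post or from SharePoint): it reads the LdapMembershipProvider settings from the STS web.config, checks whether the WFE gets any TCP answer from the DC on the configured port, and then repeats the provider’s lookup-then-bind for one test user. It assumes the SharePoint 2013 STS web.config path shown and a `server` attribute on the provider’s `<add>` element, which the sample above omits.

```powershell
# Added diagnostic (not from the original post). Assumptions: the SharePoint 2013 STS
# web.config path below, and a "server" attribute on the provider's <add> element.
param(
    [Parameter(Mandatory)][string]$UserName,   # sAMAccountName to validate, e.g. jdoe
    [Parameter(Mandatory)][System.Security.SecureString]$Password,
    [string]$ProviderName = 'membership',
    [string]$StsWebConfig = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\WebServices\SecurityToken\web.config'
)
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Read the provider the STS actually uses, so the test runs against the real settings.
[xml]$cfg = Get-Content -Path $StsWebConfig -Raw
$prov = $cfg.configuration.'system.web'.membership.providers.add | Where-Object { $_.name -eq $ProviderName }
if (-not $prov) { throw "Provider '$ProviderName' not found in $StsWebConfig" }
$useSsl = ($prov.useSSL -eq 'true')
$port   = if ($prov.port) { [int]$prov.port } elseif ($useSsl) { 636 } else { 389 }
"Provider '$ProviderName': server=$($prov.server) port=$port ssl=$useSsl container=$($prov.userContainer)"

# Cause 2 (no answer from the DC): a silent firewall drop shows up as a 5 s timeout here.
$tcp = New-Object System.Net.Sockets.TcpClient
try { $reachable = $tcp.ConnectAsync($prov.server, $port).Wait(5000) } catch { $reachable = $false }
$tcp.Dispose()
if (-not $reachable) { Write-Warning "No TCP response from $($prov.server):$port - firewall/DC issue, not a password issue."; return }
$id = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($prov.server, $port)
try {
    # Step 1: find the user the way the provider does (userFilter + userNameAttribute under userContainer).
    $search = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $search.SessionOptions.SecureSocketLayer = $useSsl
    $search.Bind()   # as the current account, like the STS application pool would
    $filter = "(&$($prov.userFilter)($($prov.userNameAttribute)=$UserName))"
    $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
        $prov.userContainer, $filter, $prov.scope, [string[]]@($prov.userDNAttribute))
    $entries = $search.SendRequest($req).Entries
    if ($entries.Count -ne 1) {
        Write-Warning "Found $($entries.Count) entries for '$UserName' in $($prov.userContainer) - check userContainer/userFilter (cause 3)."
        return
    }
    $dn = [string]$entries[0].Attributes[$prov.userDNAttribute][0]
    "Resolved DN: $dn"
    # Step 2: bind as that DN with the supplied password - the check that fails with 8306.
    $bind = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $bind.SessionOptions.SecureSocketLayer = $useSsl
    $bind.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $bind.Bind((New-Object System.Net.NetworkCredential($dn, $Password)))
    "Bind succeeded: credentials are valid; if 8306 persists, compare web.configs and test the other WFEs/DCs."
} catch [System.DirectoryServices.Protocols.LdapException] {
    # LDAP result 49 = invalidCredentials (cause 1); 81 = server down (cause 2).
    Write-Warning ("LDAP error {0}: {1}" -f $_.Exception.ErrorCode, $_.Exception.Message)
}
```

Run it on each WFE in turn with the same test account: a timeout or error 81 on only one server points at that WFE’s path to the DC, while error 49 everywhere means the credentials themselves are wrong.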