SPSolutionExport Exception SecurityTokenService.Issue()
When trying to save a site using Site Settings -> Save as Template, I received the following error:
11/15/2012 15:57:26.84 w3wp.exe (0x1A64) 0x1944 SharePoint Foundation General c42u Monitorable SPSolutionExporter: System.InvalidOperationException: The Writer is closed or in error state. at System.Xml.XmlWellFormedWriter.AdvanceState(Token token) at System.Xml.XmlWellFormedWriter.WriteEndElement() at Microsoft.SharePoint.ScopedXmlWriterElement.Closer(XmlWriter writer, ScopedObjectUsage`1 wrapper) at Microsoft.SharePoint.ScopedObjectUsage`1.Dispose(Boolean isDisposing) at Microsoft.SharePoint.ScopedObjectUsage`1.Dispose() at Microsoft.SharePoint.SPSolutionExporter.ExportContentTypes(SPContentTypeCollection contentTypes, String partitionName) at Microsoft.SharePoint.SPSolutionExporter.ExportLists() at Microsoft.SharePoint.SPSolutionExporter.GenerateSolutionFiles() at Microsoft.SharePoint.SPSolutionExporter.ExportWebAsSolution() 2cf55a43-6bc9-47cb-82a2-27fbd38d452b
In addition, it appeared that the SecurityTokenService was also throwing exceptions while issuing tokens.
11/15/2012 15:57:26.86 w3wp.exe (0x1A64) 0x1944 SharePoint Foundation Runtime tkau Unexpected System.InvalidOperationException: Error generating solution files in temporary directory. at Microsoft.SharePoint.SPSolutionExporter.ExportWebAsSolution() at Microsoft.SharePoint.SPSolutionExporter.ExportWebToGallery(SPWeb web, String solutionFileName, String title, String description, ExportMode exportMode, Boolean includeContent, String workflowTemplateName, String destinationListUrl) at Microsoft.SharePoint.SPSolutionExporter.ExportWebToGallery(SPWeb web, String solutionFileName, String title, String description, ExportMode exportMode, Boolean includeContent) at Microsoft.SharePoint.ApplicationPages.SaveAsTemplatePage.BtnSaveAsTemplate_Click(Object sender, EventArgs e) at System.Web.UI.WebControls.Button.OnClick(EventArgs e) at System.Web.UI.WebControls.Button.Rai... 2cf55a43-6bc9-47cb-82a2-27fbd38d452b
11/15/2012 15:57:26.86* w3wp.exe (0x1A64) 0x1944 SharePoint Foundation Runtime tkau Unexpected ...sePostBackEvent(String eventArgument) at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) 2cf55a43-6bc9-47cb-82a2-27fbd38d452b
11/15/2012 15:57:26.87 w3wp.exe (0x1A64) 0x1944 SharePoint Foundation Monitoring b4ly High Leaving Monitored Scope (Request (POST:https://workflow-int.curtin.edu.au:443/sites/test/_layouts/savetmpl.aspx)). Execution Time=5500.39376512937 2cf55a43-6bc9-47cb-82a2-27fbd38d452b
When visiting the service directly I received the following message:
The service encountered an error. An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, whose value is: System.InvalidOperationException: An exception was thrown in a call to a policy export extension. Extension: System.ServiceModel.Channels.TransportSecurityBindingElement Error: Security policy export failed. The binding contains a TransportSecurityBindingElement but no transport binding element that implements ITransportTokenAssertionProvider. Policy export for such a binding is not supported. Make sure the transport binding element in the binding implements the ITransportTokenAssertionProvider interface. ----> System.InvalidOperationException: Security policy export failed. The binding contains a TransportSecurityBindingElement but no transport binding element that implements ITransportTokenAssertionProvider. Policy export for such a binding is not supported. Make sure the transport binding element in the binding implements the ITransportTokenAssertionProvider interface. at System.ServiceModel.Channels.TransportSecurityBindingElement.System.ServiceModel.Description.IPolicyExportExtension.ExportPolicy(MetadataExporter exporter, PolicyConversionContext policyContext) at System.ServiceModel.Description.MetadataExporter.ExportPolicy(ServiceEndpoint endpoint) --- End of inner ExceptionDetail stack trace ---
Three steps were needed to resolve the issue:
Step 1. Ensure that the SecurityTokenService is responding to requests on all SharePoint farm servers, then open IIS Manager and edit the SecurityTokenService web.config, replacing it with the content below:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <!-- Behavior List: -->
    <behaviors>
      <serviceBehaviors>
        <behavior name="SecurityTokenServiceBehavior">
          <!-- The serviceMetadata behavior allows one to enable metadata (endpoints, bindings, services) publishing.
               This configuration enables publishing of such data over HTTP GET.
               This does not include metadata about the STS itself such as Claim Types, Keys and other elements to establish a trust.
          -->
          <serviceMetadata httpGetEnabled="true" />
          <!-- Default WCF throttling limits are too low -->
          <serviceThrottling maxConcurrentCalls="65536" maxConcurrentSessions="65536" maxConcurrentInstances="65536" />
          <!-- includeExceptionDetailInFaults="True" returns exception details and stack traces to callers
               (the "ExceptionDetail" message quoted above comes from this setting). It is what makes the
               STS error visible when you browse to the service, but it also discloses internals to any
               client that can reach the endpoint. -->
          <serviceDebug includeExceptionDetailInFaults="True" httpHelpPageEnabled="True" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <!-- Service List: -->
    <services>
      <service name="Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract" behaviorConfiguration="SecurityTokenServiceBehavior">
        <!-- This is the HTTP endpoint that supports clients requesting tokens. It uses the spStsBinding
             customBinding defined below, which requires that clients authenticate using their Windows credentials. -->
        <endpoint address="" binding="customBinding" bindingConfiguration="spStsBinding" contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract" />
        <!-- This is the HTTP endpoint that supports clients requesting service tokens. -->
        <endpoint name="ActAs" address="actas" binding="customBinding" bindingConfiguration="spStsActAsBinding" contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract" />
        <!-- This is the HTTP endpoint that supports IMetadataExchange. -->
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
      </service>
      <service name="Microsoft.SharePoint.Administration.Claims.SPWindowsTokenCacheService">
        <endpoint address="" binding="customBinding" bindingConfiguration="SPWindowsTokenCacheServiceHttpsBinding" contract="Microsoft.SharePoint.Administration.Claims.ISPWindowsTokenCacheServiceContract" />
      </service>
    </services>
    <!-- Binding List: -->
    <bindings>
      <customBinding>
        <binding name="spStsBinding">
          <binaryMessageEncoding>
            <readerQuotas maxStringContentLength="1048576" maxArrayLength="2097152" />
          </binaryMessageEncoding>
          <httpTransport maxReceivedMessageSize="2162688" authenticationScheme="Negotiate" useDefaultWebProxy="false" />
        </binding>
        <binding name="spStsActAsBinding">
          <security authenticationMode="SspiNegotiatedOverTransport" allowInsecureTransport="true" defaultAlgorithmSuite="Basic256Sha256" messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12" />
          <binaryMessageEncoding>
            <readerQuotas maxStringContentLength="1048576" maxArrayLength="2097152" />
          </binaryMessageEncoding>
          <httpTransport maxReceivedMessageSize="2162688" authenticationScheme="Negotiate" useDefaultWebProxy="false" />
        </binding>
        <binding name="SPWindowsTokenCacheServiceHttpsBinding">
          <security authenticationMode="IssuedTokenOverTransport" />
          <textMessageEncoding>
            <readerQuotas maxStringContentLength="1048576" maxArrayLength="2097152" />
          </textMessageEncoding>
          <httpsTransport maxReceivedMessageSize="2162688" authenticationScheme="Anonymous" useDefaultWebProxy="false" />
        </binding>
      </customBinding>
    </bindings>
  </system.serviceModel>
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" />
        <windowsAuthentication enabled="true">
          <providers>
            <clear />
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
    <modules>
      <add name="WindowsAuthenticationModule" />
    </modules>
  </system.webServer>
  <system.net>
    <connectionManagement>
      <add address="*" maxconnection="10000" />
    </connectionManagement>
  </system.net>
  <system.web>
    <identity impersonate="false" />
  </system.web>
</configuration>
Once the changes are complete
Step 2:
On all IIS servers, ensure that under the Web Services root => IIS - Authentication only Windows and Anonymous authentication are "Enabled". Then go down to the SecureTokenService virtual directory and ensure the same. In my case, Forms authentication had been enabled on only one of my farm servers.
Step 3:
Delete and reprovision the UserProfileService. You may notice that as soon as you delete it, you can access the sites again. This is because the User Profile service was failing to communicate with the SecureTokenService on the app server.
Step 4:
Test this by building a new web application and site collection, which ensures that no existing content is responsible for the failure to save the template.
Note: In my situation I found that the content type hub was also responsible, publishing broken content types that the "Save as Template" command could not save.
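As an added check for Steps 1 and 2 (this script is not part of the original post), the PowerShell below asks every farm server for the IIS authentication settings of the SecureTokenService virtual directory and fetches the .svc page with Windows credentials, so a server with Forms or Basic authentication switched on, or an STS that returns the error page, stands out in one table. It assumes the STS lives under the "SharePoint Web Services" IIS site in the "SecurityTokenServiceApplication" virtual directory on port 32843, that the WebAdministration module is present on each server, and that the caller has farm admin rights and WinRM access to all servers.

```powershell
# Added example, not from the original post. Assumed names: IIS site
# "SharePoint Web Services", vdir "SecurityTokenServiceApplication", port 32843.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$stsVdir = 'IIS:\Sites\SharePoint Web Services\SecurityTokenServiceApplication'
$stsUrl  = 'http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc'

$check = {
    param($vdir, $url)
    Import-Module WebAdministration
    # Bool attributes come back as ConfigurationAttribute objects, enum/string
    # attributes as plain values; normalise both to a plain value.
    function Get-Prop($filter, $name) {
        $p = Get-WebConfigurationProperty -PSPath $vdir -Filter $filter -Name $name
        if ($p -is [bool] -or $p -is [string]) { $p } else { $p.Value }
    }
    $auth  = '/system.webServer/security/authentication'
    $win   = Get-Prop "$auth/windowsAuthentication"   'enabled'   # Step 2: must be on
    $anon  = Get-Prop "$auth/anonymousAuthentication" 'enabled'   # Step 2: must be on
    $basic = Get-Prop "$auth/basicAuthentication"     'enabled'   # Step 2: must be off
    $forms = [string](Get-Prop '/system.web/authentication' 'mode') # Forms auth lives in system.web
    # Step 1: GET the service page as the current Windows identity. A healthy STS
    # returns its help page; a broken one returns the "The service encountered an
    # error" text quoted in the post.
    $wc = New-Object System.Net.WebClient
    $wc.UseDefaultCredentials = $true
    try   { $stsOk = ($wc.DownloadString($url) -notmatch 'The service encountered an error') }
    catch { $stsOk = $false }
    New-Object PSObject -Property @{
        Server      = $env:COMPUTERNAME
        WindowsAuth = $win
        AnonAuth    = $anon
        BasicAuth   = $basic
        FormsMode   = $forms
        StsResponds = $stsOk
        Healthy     = ($win -and $anon -and -not $basic -and $forms -ne 'Forms' -and $stsOk)
    }
}

# Every server that holds a SharePoint role (database-only servers report 'Invalid').
$servers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' } | ForEach-Object { $_.Address }
Invoke-Command -ComputerName $servers -ScriptBlock $check -ArgumentList $stsVdir, $stsUrl |
    Sort-Object Server |
    Format-Table Server, WindowsAuth, AnonAuth, BasicAuth, FormsMode, StsResponds, Healthy -AutoSize
```

Any row with Healthy = False is a server to revisit in IIS Manager; re-run the script after Steps 1 to 3 to confirm every server reports True before testing with the new site collection in Step 4.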