Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2015-12-13) Your Claims Based SharePoint Site Throws “SecurityTokenHandler Is Not Registered To Read Security Token”

Posted by Jorge on 2015-12-13


You have a claims-based SharePoint site that is connected to your federation system (ADFS v3.0 or higher). When you navigate to the SharePoint site, you get the following error. This assumes you have configured the WEB.CONFIG of the SharePoint site with CustomErrors=Off.


Figure 1: Error “A SecurityTokenHandler Is Not Registered To Read Security Token” In The Browser When CustomErrors Is Set To Off

If you do not get the error message above because the WEB.CONFIG of the SharePoint site is configured with CustomErrors=On, look in the Application Event Log instead; you will see the following event:


Figure 2: Error “A SecurityTokenHandler Is Not Registered To Read Security Token” In The Application Event Log

Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 11-Dec-2015 20:10:20
Event time (UTC): 11-Dec-2015 19:10:20
Event ID: 64406daa97dd490587551a7e16ad4a9b
Event sequence: 274
Event occurrence: 2
Event detail code: 0
 
Application information:
    Application domain: /LM/W3SVC/1518143395/ROOT-2-130943174825892689
    Trust level: Full
    Application Virtual Path: /
    Application Path: C:\inetpub\wwwroot\wss\VirtualDirectories\448\
    Machine name: R1FSMBSV2
 
Process information:
    Process ID: 3640
    Process name: w3wp.exe
    Account name: IAMTEC\SVC_R1_WebAppClaims
 
Exception information:
    Exception type: SecurityTokenException
    Exception message: ID4014: A SecurityTokenHandler is not registered to read security token (‘BinarySecurityToken’, ‘http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd’).
   at Microsoft.IdentityModel.Web.TokenReceiver.ReadToken(String tokenXml, XmlDictionaryReaderQuotas readerQuotas)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

 
 
Request information:
    Request URL: https://claims.iamtec.net:448/_trust/
    Request path: /_trust/
    User host address: 10.1.1.1
    User: 
    Is authenticated: False
    Authentication Type: 
    Thread account name: IAMTEC\SVC_R1_WebAppClaims
 
Thread information:
    Thread ID: 10
    Thread account name: IAMTEC\SVC_R1_WebAppClaims
    Is impersonating: False
    Stack trace:    at Microsoft.IdentityModel.Web.TokenReceiver.ReadToken(String tokenXml, XmlDictionaryReaderQuotas readerQuotas)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
 
 
Custom event details:
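To find this failure in the Application log of the SharePoint web front-end without reading through the raw event text, the following PowerShell snippet (an added example, not from the original post) searches for the ID4014 message and pulls out the token type and namespace that the SharePoint token handlers could not read. Save it as a script and run it in an elevated session on the web front-end; the -Hours parameter is this example's own.

```powershell
# Added example: locate ID4014 "SecurityTokenHandler is not registered" events
# in the Application log of a SharePoint web front-end and report which token
# type the federation response carried. Run in an elevated PowerShell session.
param(
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ID4014' }

if (-not $events) {
    Write-Host "No ID4014 events in the Application log since $since"
    return
}

# The message reads: ID4014: A SecurityTokenHandler is not registered to read
# security token ('<TokenType>', '<Namespace>'). The quotes may be ASCII or
# typographic, so both forms are accepted.
$pattern = "security token \(['‘]([^'’]+)['’],\s*['‘]([^'’]+)['’]\)"

foreach ($e in $events) {
    # Collapse line breaks: the namespace URL is often wrapped onto its own line.
    $m = [regex]::Match(($e.Message -replace '\s+', ' '), $pattern)
    [pscustomobject]@{
        Time         = $e.TimeCreated
        TokenType    = if ($m.Success) { $m.Groups[1].Value } else { '(unparsed)' }
        Namespace    = if ($m.Success) { $m.Groups[2].Value } else { '(unparsed)' }
        # A BinarySecurityToken in a WS-Federation response is the JWT case this post describes.
        JwtSuspected = $m.Success -and $m.Groups[1].Value -eq 'BinarySecurityToken'
    }
}
```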

Within ADFS execute:

Get-AdfsRelyingPartyTrust "<The Name Of The RP Trust Representing Your Sharepoint Application>"

Check the value of the EnableJWT property. If it is set to True, that could be the issue: with EnableJWT enabled, ADFS issues a JWT wrapped in a BinarySecurityToken (the token type and namespace named in the ID4014 message above), and the SharePoint federation module has no token handler registered to read it.


Figure 3: The Properties Of The ADFS Relying Party Trust Representing The Sharepoint Application

Within ADFS execute:

Set-AdfsRelyingPartyTrust -TargetName "<The Name Of The RP Trust Representing Your Sharepoint Application>" -EnableJWT $false

Now try to access your SharePoint application. If the use of JWT tokens was the issue, the error should no longer appear and you should be able to access your SharePoint site.
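The check-and-fix procedure above as one PowerShell function (an added example, not from the original post), run on an ADFS server: it shows the trust's current state before anything is changed, lists every trust that still has JWT enabled, and only disables EnableJWT when called with -Fix. The function name, the -Fix switch and the trust name placeholder are this example's own.

```powershell
# Added example: audit ADFS relying party trusts for EnableJWT and, on request,
# disable it for the trust that represents the SharePoint web application.
# Run on an ADFS server with ADFS administrative rights.
Import-Module ADFS

function Test-RpTrustJwt {
    param(
        [Parameter(Mandatory)][string]$TrustName,
        [switch]$Fix
    )
    $rp = Get-AdfsRelyingPartyTrust -Name $TrustName
    if (-not $rp) { throw "Relying party trust '$TrustName' not found" }

    # Record the current state so the change can be reverted if needed.
    [pscustomobject]@{
        Name          = $rp.Name
        Identifier    = ($rp.Identifier -join ', ')
        EnableJWT     = $rp.EnableJWT
        WSFedEndpoint = $rp.WSFedEndpoint
    } | Format-List | Out-String | Write-Host

    if (-not $rp.EnableJWT) {
        Write-Host "EnableJWT is already False; the symptom described in this post does not apply."
        return $false
    }
    if ($Fix) {
        Set-AdfsRelyingPartyTrust -TargetName $TrustName -EnableJWT $false
        $after = Get-AdfsRelyingPartyTrust -Name $TrustName
        Write-Host "EnableJWT is now $($after.EnableJWT)"
        return (-not $after.EnableJWT)
    }
    Write-Host "EnableJWT is True; re-run with -Fix to disable it."
    return $false
}

# Every trust that still has JWT enabled; SharePoint trusts should not appear here.
Get-AdfsRelyingPartyTrust | Where-Object { $_.EnableJWT } | Select-Object Name, Identifier, EnableJWT

# Placeholder trust name: substitute the name of your own SharePoint RP trust.
Test-RpTrustJwt -TrustName '<The Name Of The RP Trust Representing Your Sharepoint Application>'
```

Add -Fix to the last call once the audit output confirms the trust is the SharePoint one; then retest the site as described above.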

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge ############# http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

One Response to “(2015-12-13) Your Claims Based SharePoint Site Throws “SecurityTokenHandler Is Not Registered To Read Security Token””

  1. clarky said

    So we were seeing this issue, and for us, comparing a working UAT and a broken PROD site, we discovered that an encryption certificate was causing our issue. We removed that and it solved the issue.
