SharePoint Experts, Information Architects, Expert Witness


Tuesday, June 7, 2016

SharePoint 2016 The Security Token Service is not available

This message may appear in a new SharePoint installation through the Health Analyzer. Basically it means the STS service isn't running on one of the servers, which is a problem for the entire farm: every authentication request depends on it, so it can cause a lot of problems and is best addressed right away.

First, you'll have to check every server to ensure the service is actually available - this is done through the IIS Manager, that is, Administrative Tools > Internet Information Server (IIS) Manager.

In the IIS manager, expand the server, expand the sites then expand the SharePoint Web Services site to find the SecurityTokenServiceApplication:

Click on the SecurityTokenServiceApplication to select it, make sure you are in Content View (you won't be by default), right click on the securitytoken.svc and select Browse:

If all is good, it should display the service page:

If there is a problem, you will get the generic ASP.NET error page. 

To fix this, first verify that all of your managed accounts have been added and the service accounts assigned accordingly (Central Administration > Security, then under General Security: Configure managed accounts to add them, and Configure service accounts to assign them).

Next (a good idea anyway), make sure your database permissions are correct: the application pool accounts are members of the WSS_Content_Application_Pools role, the farm account has at least SPDataAccess (or DBO if you're not that concerned about it, such as on an intranet), and so on.

Return to the Health Analyzer and click Reanalyze Now. If the problem doesn't go away, one or more of the servers may be unavailable, or the SharePoint Timer Service may be stopped on one of them.

If that doesn’t work either, open up the SharePoint Management Shell (always using Run as administrator) and run the psconfig command:

psconfig -cmd upgrade -inplace b2b

Do this on every server in the farm – ONE AT A TIME!

Return to the Health Analyzer and click Reanalyze Now and the problem should go away.
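The checks above are done by hand, server by server. The script below is an added example (not from the original post) that runs the same checks from the SharePoint Management Shell on one farm server, as a farm administrator: it browses securitytoken.svc on every SharePoint server, reports the Timer Service state and the farm's view of the STS instance, and lists the managed accounts. It assumes the default SharePoint Web Services port 32843 and that remote service queries are allowed between the servers.

```powershell
# Added example, not part of the original post. Run in the SharePoint Management Shell
# (Run as administrator) as a farm administrator. Assumes the default port 32843 for the
# SharePoint Web Services site and that Get-Service can reach the other servers.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Only servers that actually run SharePoint (the SQL server shows up with Role 'Invalid')
$servers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }

$report = foreach ($server in $servers) {
    $name = $server.Address

    # 1. Browse securitytoken.svc, the same thing the IIS "Browse" step does.
    #    A healthy STS answers 200 with the service page; a broken one answers 500.
    $url = "http://$($name):32843/SecurityTokenServiceApplication/securitytoken.svc"
    try {
        $resp = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing -TimeoutSec 15
        $sts = "OK ($($resp.StatusCode))"
    } catch {
        $sts = "FAILED: $($_.Exception.Message)"
    }

    # 2. SharePoint Timer Service state; a stopped timer keeps the Health Analyzer alert alive.
    try {
        $timer = (Get-Service -ComputerName $name -Name SPTimerV4 -ErrorAction Stop).Status
    } catch {
        $timer = 'UNREACHABLE'   # server down, or remote service queries blocked
    }

    # 3. The STS service instance as the farm configuration database sees it.
    $instance = Get-SPServiceInstance -Server $server |
        Where-Object { $_.TypeName -like 'Security Token Service*' }
    $instanceStatus = if ($instance) { $instance.Status } else { 'not provisioned' }

    [pscustomobject]@{
        Server       = $name
        StsEndpoint  = $sts
        TimerService = $timer
        StsInstance  = $instanceStatus
    }
}
$report | Format-Table -AutoSize

# Managed accounts: a service account missing from this list cannot be assigned under
# Central Administration > Security > Configure service accounts.
Get-SPManagedAccount | Select-Object UserName, PasswordExpiration | Format-Table -AutoSize
```

Any server whose StsEndpoint is FAILED or whose TimerService is not Running is the one to look at before running psconfig.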


mansuri.isteyaq said...

Getting the same issue, even after following your steps. Restarted the server after psconfig too, but no results.

mansuri.isteyaq said...

I am getting the same error even though I went through your steps. Still on the same page. Pool restart etc. already done. Moreover, any web application I try to open gives an HTTP 500 error. Only CA is working. No other application is working.

David M. Sterling said...

Have you checked your permissions on the web applications? Did you set Super User/Super Reader?

David M. Sterling said...

As mentioned in 2016, you should check your permissions (CA > Web Applications > Web Application > User Policy). Make sure you set SuperReader and SuperUser accounts on the web application user policy and via PowerShell (this is 2013 but same applies for 2016).

BTW: If you get locked out after setting Super Reader/Super User, the accounts don't have the permission in the User Policy or the App Pool account doesn't have access to the content database(s).

The internal server error is generally due to a) not having set user policy, b) no access to the site(s) by the Application Pool Account or c) a database error (usually permissions). If none of that helps, look at the accounts running the services (services.msc).