SharePoint - FBA - 8306 - The security token username and password could not be validated.

Forms-based authentication (FBA) has a few catch-all errors, and in this blog post I will be going over event 8306. This one seems to stump many people and can be difficult to troubleshoot if you don't know where to start.


What flavor of FBA?

FBA can be deployed against different backends (SQL, a custom .NET provider, etc.). The most common is LDAP, which is what I will be using in this post for the 8306. The deployment steps for it are in the following TechNet articles.

2013 - https://technet.microsoft.com/en-us/library/ee806890.aspx

2010 - https://technet.microsoft.com/en-us/library/ee806890(v=office.14).aspx


What Process is tossing 8306?

The error we're chasing down can be reproduced in any environment with FBA. The text of the error says that issuing a security token failed.

Log Name: Application
Source: Microsoft-SharePoint Products-SharePoint Foundation
Date: 12/23/2017 3:00:50 PM
Event ID: 8306
Task Category: Claims Authentication
Level: Error
Keywords:
User: contoso\mosssvc
Computer: WFE1.contoso.com
Description:
An exception occurred when trying to issue security token: The security token username and password could not be validated..

This is logged by the web application's application pool (0x2AD0), but it's really bubbling up from the Security Token Service (STS).

The ULS logs show us the exception for the web app:

Filter by the correlation ID and you can see the failure happen earlier in the same request, inside the STS:

With this information we need to take a network trace from the WFE, since the WFE is the machine making the request to the DC (domain controller). I use a tool called Netmon 3.4. Before tracing, check the web.config of the STS to see which LDAP server and container it is pointing at when it verifies the username and password:

<membership>
  <providers>
    <add name="membership"
         type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="yourserver.com"
         port="389"
         useSSL="false"
         userDNAttribute="distinguishedName"
         userNameAttribute="sAMAccountName"
         userContainer="OU=UserAccounts,DC=internal,DC=yourcompany,DC=com"
         userObjectClass="person"
         userFilter="(&amp;(ObjectClass=person))"
         scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>

LDAP uses port 389 for plain LDAP (which is what port="389" and useSSL="false" above select) and port 636 for LDAP over SSL. Keep in mind that with useSSL="false" the traffic on 389, including the bind that carries the user's credentials, is not protected by TLS, so it will be readable in the trace; 636 is the option if that matters in your environment. Netmon has standard LDAP filters that can be applied.

Netmon on the WFE:

The Netmon trace here shows that we're not getting any response from the DC, which is one example of what produces this error. Other cases manifest themselves as different issues altogether.
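The following PowerShell is an added example, not code from the original post or from SharePoint. It reads the membership provider settings out of the STS web.config shown above and then does from the WFE what an LDAP membership provider does when FBA validates a login: probe the LDAP port, search the user container for the username, and simple-bind as the returned DN with the password. Each exit path maps to one of the situations discussed on this page (no answer from the DC, user not found under the container, bad password, web.config pointing at the wrong place). Assumptions: PowerShell on Windows Server 2012 R2 or later (for Test-NetConnection) with the .NET Framework, the default SharePoint 2013 STS web.config path in the usage call, a constructed account name, and that search-then-bind is how LDAP membership providers validate a password in general; the sequence is not taken from the SharePoint provider's source.

```powershell
# Added example (not from the original post). Reproduces an LDAP provider's
# search-then-bind password check from the WFE, using the STS web.config settings.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-FbaLdapProvider {
    param([Parameter(Mandatory)][string]$WebConfigPath)
    [xml]$cfg = Get-Content -Path $WebConfigPath -Raw
    # First <add> under <membership><providers> whose type is the LdapMembershipProvider.
    $p = $cfg.SelectNodes('//membership/providers/add') |
         Where-Object { $_.type -like 'Microsoft.Office.Server.Security.LdapMembershipProvider*' } |
         Select-Object -First 1
    if (-not $p) { throw "No LdapMembershipProvider in $WebConfigPath (cause 3: web.config)" }
    [pscustomobject]@{
        Server            = $p.server
        Port              = [int]$p.port
        UseSSL            = ($p.useSSL -eq 'true')
        UserContainer     = $p.userContainer
        UserNameAttribute = $p.userNameAttribute
        UserFilter        = $p.userFilter
    }
}

# RFC 4515 escaping so a typed username cannot change the shape of the search filter.
function ConvertTo-LdapFilterLiteral {
    param([string]$Value)
    # Backslash first, so the escapes added afterwards are not escaped again.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function New-FbaLdapConnection {
    param($Provider, [System.Net.NetworkCredential]$Credential)
    $id   = New-Object -TypeName System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList $Provider.Server, $Provider.Port
    $conn = New-Object -TypeName System.DirectoryServices.Protocols.LdapConnection -ArgumentList $id
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $Provider.UseSSL
    if ($Credential) {
        # Simple bind as the user's DN: this is the actual password check.
        $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.Credential = $Credential
    } else {
        # Search as the identity running this script, the way the STS app pool account would.
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    }
    return $conn
}

function Test-FbaLdapLogin {
    param(
        [Parameter(Mandatory)]$Provider,
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$Password
    )
    # Cause 2: nothing comes back from the DC. A TCP probe fails faster than an LDAP timeout.
    $tcp = Test-NetConnection -ComputerName $Provider.Server -Port $Provider.Port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        return "NO_DC_RESPONSE: $($Provider.Server):$($Provider.Port) not reachable (firewall or DC down)"
    }

    # Step 1: find the user's DN under userContainer using the provider's own filter and attribute.
    $literal = ConvertTo-LdapFilterLiteral $UserName
    $filter  = "(&$($Provider.UserFilter)($($Provider.UserNameAttribute)=$literal))"
    $search  = New-FbaLdapConnection -Provider $Provider
    try {
        $req = New-Object -TypeName System.DirectoryServices.Protocols.SearchRequest -ArgumentList `
            $Provider.UserContainer, $filter, ([System.DirectoryServices.Protocols.SearchScope]::Subtree), ([string[]]@('distinguishedName'))
        $res = $search.SendRequest($req)
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # e.g. NoSuchObject: the userContainer DN does not exist (cause 3)
        return "SEARCH_FAILED: $($_.Exception.Response.ResultCode) for base '$($Provider.UserContainer)' (cause 3: web.config)"
    } catch [System.DirectoryServices.Protocols.LdapException] {
        return "SEARCH_LDAP_ERROR: $($_.Exception.ErrorCode) $($_.Exception.Message) (cause 2)"
    } finally { $search.Dispose() }

    if ($res.Entries.Count -eq 0) {
        return "USER_NOT_FOUND: $($Provider.UserNameAttribute)=$UserName is not under $($Provider.UserContainer) (cause 1 or 3)"
    }
    $dn = $res.Entries[0].DistinguishedName

    # Step 2: bind as that DN with the supplied password.
    $bind = New-FbaLdapConnection -Provider $Provider -Credential (New-Object System.Net.NetworkCredential($dn, $Password))
    try {
        $bind.Bind()
        return "OK: bound as $dn"
    } catch [System.DirectoryServices.Protocols.LdapException] {
        $ex = $_.Exception
        switch ($ex.ErrorCode) {
            49      { return "BAD_CREDENTIALS: LDAP result 49 invalidCredentials for $dn (cause 1)" }
            8       { return "STRONGER_AUTH_REQUIRED: DC refuses simple bind over plain LDAP; use port 636 with useSSL=true (cause 3)" }
            default { return "LDAP_ERROR: $($ex.ErrorCode) $($ex.Message)" }
        }
    } finally { $bind.Dispose() }
}

# Usage. The STS web.config path is the default 2013 install location (assumption);
# 'jdoe' is a constructed account name, and the password is prompted rather than put in the script.
$prov = Get-FbaLdapProvider -WebConfigPath 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\WebServices\SecurityToken\web.config'
Test-FbaLdapLogin -Provider $prov -UserName 'jdoe' -Password (Read-Host 'Password for jdoe')
```

Run it on the WFE that logged the 8306, under the STS application pool identity if possible, so the search step has the same rights the STS does. A result of NO_DC_RESPONSE or SEARCH_LDAP_ERROR is the firewall/DC case from the trace above; USER_NOT_FOUND or SEARCH_FAILED points at the userContainer, userNameAttribute or userFilter values in web.config; BAD_CREDENTIALS is the plain mistyped password. The result-code-8 branch is worth knowing: a DC configured to require LDAP signing rejects every simple bind over 389 no matter what password is typed, which looks exactly like 8306 until you check the code.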

Root Cause?

The ULS logs usually just say that it failed while trying to validate the username and password:

12/23/2017 16:09:35.77    w3wp.exe (0x5A80)    0x92C0    SharePoint Foundation    Claims Authentication    fo1t    Monitorable    STS Call: Failed to issue new security token. Exception: System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.).    7580399e-8900-708b-67e2-ab7bcf6013a3

Here are the most common reasons you'll see 8306 in your FBA deployment:

  1. Somebody typed the wrong username or password
  2. Communication with the DC (in my example above, a firewall was blocking LDAP traffic)
  3. Misconfiguration of the web.config files

The first reason is an odd one, but it's true: a user simply typing incorrect credentials will log an 8306 with the same text as above, so a few of these with no user complaints can be nothing more than mistyped passwords. If you're seeing inconsistent results, you might have one DC that isn't responding correctly, and the Netmon trace is valuable for isolating the issue to the one WFE or DC that is affected.
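For the intermittent case, the following PowerShell is an added example (not code from the original post) that does the isolation step before you reach for Netmon: it counts 8306 events per WFE from each server's Application log, then runs an LDAP port probe from every WFE to every DC, so one WFE that cannot reach one DC shows up as a single row. Assumptions: WinRM access to the WFEs from where you run it, the WFE and DC names in the usage call are placeholders, Windows Server 2012 R2 or later on the WFEs for Test-NetConnection, and the DC list is whatever the server= value in the STS web.config resolves to.

```powershell
# Added example (not from the original post): per-WFE 8306 counts plus a WFE-to-DC LDAP port matrix.

function Get-Fba8306Count {
    param([string[]]$Wfe, [int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($w in $Wfe) {
        # Same provider and event ID as the Application log entry shown in the post.
        $events = @(Get-WinEvent -ComputerName $w -FilterHashtable @{
            LogName      = 'Application'
            ProviderName = 'Microsoft-SharePoint Products-SharePoint Foundation'
            Id           = 8306
            StartTime    = $since
        } -ErrorAction SilentlyContinue)
        # Get-WinEvent returns newest first, so the first entry is the most recent failure.
        [pscustomobject]@{
            WFE       = $w
            Count8306 = $events.Count
            Last      = if ($events.Count) { $events[0].TimeCreated } else { $null }
        }
    }
}

function Test-WfeToDcLdap {
    param([string[]]$Wfe, [string[]]$Dc, [int[]]$Port = @(389, 636))
    # Probe from each WFE itself: that is the hop the STS actually takes to the DC.
    Invoke-Command -ComputerName $Wfe -ArgumentList $Dc, $Port -ScriptBlock {
        param($dcs, $ports)
        foreach ($d in $dcs) {
            foreach ($p in $ports) {
                $r = Test-NetConnection -ComputerName $d -Port $p -WarningAction SilentlyContinue
                [pscustomobject]@{ WFE = $env:COMPUTERNAME; DC = $d; Port = $p; Open = $r.TcpTestSucceeded }
            }
        }
    } | Select-Object WFE, DC, Port, Open | Sort-Object WFE, DC, Port
}

# Usage with placeholder host names (assumption: substitute your own WFEs and DCs).
$wfes = 'WFE1', 'WFE2'
$dcs  = 'DC1', 'DC2'
Get-Fba8306Count -Wfe $wfes -Hours 24 | Format-Table -AutoSize
# Only the failing hops are interesting; an all-open matrix with an uneven 8306 count
# points back at the DC's LDAP behaviour rather than at the network, which is where Netmon comes in.
Test-WfeToDcLdap -Wfe $wfes -Dc $dcs | Where-Object { -not $_.Open } | Format-Table -AutoSize
```

If the counts are lopsided across WFEs while every port probe succeeds, the TCP handshake is fine and the problem is inside the LDAP exchange on the busy WFE, which is the case the trace above illustrates; take the Netmon capture on that one server rather than on all of them.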