Wednesday, November 21, 2012

SPSolutionExport Exception SecurityTokenService.Issue()

In trying to save a site using the Site Settings -> Save as Template, I received the following error:

11/15/2012 15:57:26.84  w3wp.exe (0x1A64)                        0x1944 SharePoint Foundation          General                        c42u Monitorable SPSolutionExporter: System.InvalidOperationException: The Writer is closed or in error state.     at System.Xml.XmlWellFormedWriter.AdvanceState(Token token)     at System.Xml.XmlWellFormedWriter.WriteEndElement()     at Microsoft.SharePoint.ScopedXmlWriterElement.Closer(XmlWriter writer, ScopedObjectUsage`1 wrapper)     at Microsoft.SharePoint.ScopedObjectUsage`1.Dispose(Boolean isDisposing)     at Microsoft.SharePoint.ScopedObjectUsage`1.Dispose()     at Microsoft.SharePoint.SPSolutionExporter.ExportContentTypes(SPContentTypeCollection contentTypes, String partitionName)     at Microsoft.SharePoint.SPSolutionExporter.ExportLists()     at Microsoft.SharePoint.SPSolutionExporter.GenerateSolutionFiles()     at Microsoft.SharePoint.SPSolutionExporter.ExportWebAsSolution() 2cf55a43-6bc9-47cb-82a2-27fbd38d452b
11/15/2012 15:57:26.86  w3wp.exe (0x1A64)                        0x1944 SharePoint Foundation          Runtime                        tkau Unexpected System.InvalidOperationException: Error generating solution files in temporary directory.    at Microsoft.SharePoint.SPSolutionExporter.ExportWebAsSolution()     at Microsoft.SharePoint.SPSolutionExporter.ExportWebToGallery(SPWeb web, String solutionFileName, String title, String description, ExportMode exportMode, Boolean includeContent, String workflowTemplateName, String destinationListUrl)     at Microsoft.SharePoint.SPSolutionExporter.ExportWebToGallery(SPWeb web, String solutionFileName, String title, String description, ExportMode exportMode, Boolean includeContent)     at Microsoft.SharePoint.ApplicationPages.SaveAsTemplatePage.BtnSaveAsTemplate_Click(Object sender, EventArgs e)     at System.Web.UI.WebControls.Button.OnClick(EventArgs e)     at System.Web.UI.WebControls.Button.Rai... 2cf55a43-6bc9-47cb-82a2-27fbd38d452b
11/15/2012 15:57:26.86* w3wp.exe (0x1A64)                        0x1944 SharePoint Foundation          Runtime                        tkau Unexpected ...sePostBackEvent(String eventArgument)     at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)     at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) 2cf55a43-6bc9-47cb-82a2-27fbd38d452b
11/15/2012 15:57:26.87  w3wp.exe (0x1A64)                        0x1944 SharePoint Foundation          Monitoring                     b4ly High     Leaving Monitored Scope (Request (POST:https://workflow-int.curtin.edu.au:443/sites/test/_layouts/savetmpl.aspx)). Execution Time=5500.39376512937 2cf55a43-6bc9-47cb-82a2-27fbd38d452b
In addition, it appeared that the SecurityTokenService was also throwing exceptions when issuing tokens.

When visiting the service directly I received the following message:
The service encountered an error.
An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, whose value is:
System.InvalidOperationException: An exception was thrown in a call to a policy export extension.
Extension: System.ServiceModel.Channels.TransportSecurityBindingElement
Error: Security policy export failed. The binding contains a TransportSecurityBindingElement but no transport binding element that implements ITransportTokenAssertionProvider. Policy export for such a binding is not supported. Make sure the transport binding element in the binding implements the ITransportTokenAssertionProvider interface. ----> System.InvalidOperationException: Security policy export failed. The binding contains a TransportSecurityBindingElement but no transport binding element that implements ITransportTokenAssertionProvider. Policy export for such a binding is not supported. Make sure the transport binding element in the binding implements the ITransportTokenAssertionProvider interface.
   at System.ServiceModel.Channels.TransportSecurityBindingElement.System.ServiceModel.Description.IPolicyExportExtension.ExportPolicy(MetadataExporter exporter, PolicyConversionContext policyContext)
   at System.ServiceModel.Description.MetadataExporter.ExportPolicy(ServiceEndpoint endpoint)
   --- End of inner ExceptionDetail stack trace ---

Three steps were needed to resolve the issue, followed by a final test:

Step 1: Ensure that the SecurityTokenService is responding to requests on all SharePoint farm servers, then go to IIS Manager and edit the SecurityTokenService web.config, replacing it with the content below:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <!-- Behavior List: -->
    <behaviors>
      <serviceBehaviors>
        <behavior name="SecurityTokenServiceBehavior">
          <!-- The serviceMetadata behavior allows one to enable metadata (endpoints, bindings, services) publishing.
               This configuration enables publishing of such data over HTTP GET.
               This does not include metadata about the STS itself such as Claim Types, Keys and other elements to establish a trust.
          -->
          <serviceMetadata httpGetEnabled="true" />
          <!-- Default WCF throttling limits are too low -->
          <serviceThrottling maxConcurrentCalls="65536" maxConcurrentSessions="65536" maxConcurrentInstances="65536" />
          <serviceDebug includeExceptionDetailInFaults="True" httpHelpPageEnabled="True" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <!-- Service List: -->
    <services>
      <service name="Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract" behaviorConfiguration="SecurityTokenServiceBehavior">
        <!-- This is the HTTP endpoint that supports clients requesting tokens. This endpoint uses the default
             standard ws2007HttpBinding which requires that clients authenticate using their Windows credentials. -->
        <endpoint address="" binding="customBinding" bindingConfiguration="spStsBinding" contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract" />
        <!-- This is the HTTP endpoint that supports clients requesting service tokens. -->
        <endpoint name="ActAs" address="actas" binding="customBinding" bindingConfiguration="spStsActAsBinding" contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract" />
        <!-- This is the HTTP endpoint that supports IMetadataExchange. -->
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
      </service>
      <service name="Microsoft.SharePoint.Administration.Claims.SPWindowsTokenCacheService">
        <endpoint address="" binding="customBinding" bindingConfiguration="SPWindowsTokenCacheServiceHttpsBinding" contract="Microsoft.SharePoint.Administration.Claims.ISPWindowsTokenCacheServiceContract" />
      </service>
    </services>
    <!-- Binding List: -->
    <bindings>
      <customBinding>
        <binding name="spStsBinding">
          <binaryMessageEncoding>
            <readerQuotas maxStringContentLength="1048576" maxArrayLength="2097152" />
          </binaryMessageEncoding>
          <httpTransport maxReceivedMessageSize="2162688" authenticationScheme="Negotiate" useDefaultWebProxy="false" />
        </binding>
        <binding name="spStsActAsBinding">
          <security authenticationMode="SspiNegotiatedOverTransport" allowInsecureTransport="true" defaultAlgorithmSuite="Basic256Sha256" messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12" />
          <binaryMessageEncoding>
            <readerQuotas maxStringContentLength="1048576" maxArrayLength="2097152" />
          </binaryMessageEncoding>
          <httpTransport maxReceivedMessageSize="2162688" authenticationScheme="Negotiate" useDefaultWebProxy="false" />
        </binding>
        <binding name="SPWindowsTokenCacheServiceHttpsBinding">
          <security authenticationMode="IssuedTokenOverTransport" />
          <textMessageEncoding>
            <readerQuotas maxStringContentLength="1048576" maxArrayLength="2097152" />
          </textMessageEncoding>
          <httpsTransport maxReceivedMessageSize="2162688" authenticationScheme="Anonymous" useDefaultWebProxy="false" />
        </binding>
      </customBinding>
    </bindings>
  </system.serviceModel>
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" />
        <windowsAuthentication enabled="true">
          <providers>
            <clear />
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
    <modules>
      <add name="WindowsAuthenticationModule" />
    </modules>
  </system.webServer>
  <system.net>
    <connectionManagement>
      <add address="*" maxconnection="10000" />
    </connectionManagement>
  </system.net>
  <system.web>
    <identity impersonate="false" />
  </system.web>
</configuration>

Once the changes are complete


Step 2:

On all IIS servers, ensure that under the Web Services root => IIS - Authentication, only Windows and Anonymous authentication are "Enabled". Then progress down to the SecureTokenService virtual directory and ensure the same. Forms authentication was enabled on only one of my farm servers.

Step 3:

Delete and reprovision the UserProfileService. You may notice when you delete it, you can already access the sites again. This is because the user profile service was failing to communicate with the SecureTokenService on the app server.

Step 4:

Test this by building a new web application and site collection, ensuring that no existing content is responsible for the failure to save the template.

Note: In my situation I found the content type hub was also responsible, publishing broken content types which the "Save as Template" command could not save.
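The following script is an added example, not part of the original post, for checking the conditions Steps 1 and 2 depend on before and after the fix: whether the STS answers, whether only Anonymous and Windows authentication are enabled on the web services root and the STS application, and whether the web.config still has includeExceptionDetailInFaults turned on (the setting that put the full stack trace into the fault above). It assumes the IIS WebAdministration module, the "SharePoint Web Services" site and "SecurityTokenServiceApplication" application that SharePoint provisions, and an assumed default STS URL; run it on each farm server.

```powershell
# Added example (not from the original post). Assumes PowerShell 2.0+ with the IIS
# WebAdministration module; the STS URL and IIS names are assumed defaults, adjust for your farm.
param(
    [string]$StsUrl   = "https://localhost:32844/SecurityTokenServiceApplication/securitytoken.svc",
    [string]$SiteName = "SharePoint Web Services",
    [string]$AppName  = "SecurityTokenServiceApplication"
)
Import-Module WebAdministration

# 1. Is the STS answering at all? (Step 1.) A page containing ExceptionDetail means the
#    service host started but failed, as in the "policy export extension" message above.
$client = New-Object System.Net.WebClient
$client.UseDefaultCredentials = $true
try {
    $html = $client.DownloadString($StsUrl)
    Write-Host "STS responded: $StsUrl"
    if ($html -match "ExceptionDetail") { Write-Warning "STS returned an exception page; check the ULS logs." }
} catch [System.Net.WebException] {
    Write-Warning ("STS request failed: " + $_.Exception.Message)
}

# 2. IIS authentication on the web services root and on the STS application (Step 2):
#    Anonymous and Windows on, Basic off, and system.web authentication mode not "Forms".
$authBase = "system.webServer/security/authentication/"
foreach ($p in @("IIS:\Sites\$SiteName", "IIS:\Sites\$SiteName\$AppName")) {
    $anon  = (Get-WebConfigurationProperty -PSPath $p -Filter ($authBase + "anonymousAuthentication") -Name enabled).Value
    $win   = (Get-WebConfigurationProperty -PSPath $p -Filter ($authBase + "windowsAuthentication") -Name enabled).Value
    $basic = (Get-WebConfigurationProperty -PSPath $p -Filter ($authBase + "basicAuthentication") -Name enabled).Value
    $mode  = Get-WebConfigurationProperty -PSPath $p -Filter "system.web/authentication" -Name mode
    if ($mode.Value -ne $null) { $mode = $mode.Value }   # some attribute types come back wrapped
    $ok = $anon -and $win -and -not $basic -and ("$mode" -ne "Forms")
    Write-Host ("{0}: anonymous={1} windows={2} basic={3} system.web mode={4} -> {5}" -f `
        $p, $anon, $win, $basic, $mode, $(if ($ok) { "OK" } else { "FIX" }))
}

# 3. The web.config above sets includeExceptionDetailInFaults="True", which returns stack
#    traces to callers. Flag it so it can be turned back off once the fix is verified.
$app = Get-WebApplication -Site $SiteName -Name $AppName
$physical = [Environment]::ExpandEnvironmentVariables($app.PhysicalPath)
[xml]$cfg = Get-Content (Join-Path $physical "web.config")
$debug = $cfg.SelectSingleNode("//serviceBehaviors/behavior/serviceDebug")
if ($debug -ne $null -and $debug.GetAttribute("includeExceptionDetailInFaults") -eq "True") {
    Write-Warning "serviceDebug includeExceptionDetailInFaults=True: callers receive exception details; disable after troubleshooting."
}
```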
 
