Symptoms

Consider the following scenario:

  • You have a Microsoft SharePoint Server 2013 site collection that is configured to use Security Assertions Markup Language (SAML) claims authentication.

  • Users are actively using the site collection.

  • You change the Security Token Service (STS) certificate.

    Note See how to replace the STS certificate for the on-premises environment.

In this situation, all users who are currently signed in to the SharePoint Server 2013 site collection are redirected to authenticate again. Additionally, when users try to sign in to the site collection, they receive an error message that resembles the following:

An error occurred. Contact your administrator for more information.

Activity ID: 00000000-0000-0000-0d00-0080000000e1

Relying party: RelyingParty2013

Error time: Mon, 13 Oct 2014 14:58:28 GMT

Cookie: enabled

User agent string: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)

Cause

This issue occurs because the authentication cookie that was issued before the certificate change is not automatically cleared from the browser. The token in that cookie was signed with the old STS certificate, so after the change the STS can no longer validate its signature and therefore cannot confirm that the token is still within its validity period. The browser keeps presenting the stale cookie on every request, and each attempt fails in the same way until the cookie is removed.

Resolution

To resolve this issue, clear the browser cookies so that the authentication cookie that was issued under the old certificate is discarded and a new one is issued at the next sign-in. In Internet Explorer, open the Internet Options dialog box, click Delete, select the Cookies and website data check box, and then click Delete.

More Information

In the SharePoint ULS logs, each failed request is recorded with an error message that resembles the following:

10/06/2014 17:30:44.40 w3wp.exe (0x0EC0) 0x1624 SharePoint Foundation Claims Authentication ad5sl Unexpected Failed to validate signature. 0ca3bf9c-5b4b-c077-8bc4-e01fcbaf1e55
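The following script is an added example for farm administrators; it is not part of the original article. It confirms which certificate the STS is currently signing with and then queries the ULS logs for the Claims Authentication "Failed to validate signature" events described above, so you can gauge how many requests are still being rejected because of stale cookies after the certificate change. It assumes the SharePoint 2013 Management Shell on a farm server, that the new certificate has already been imported, and that $certChangeTime is set to the time of your own certificate change (the value below is a placeholder).

```powershell
# Added example, not code from the original article.
# Run in the SharePoint 2013 Management Shell on a server in the farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: the STS certificate was replaced about two hours ago.
# Adjust this to the actual time of your change.
$certChangeTime = (Get-Date).AddHours(-2)

# 1. Confirm the certificate the STS now uses to sign tokens.
$stsConfig   = Get-SPSecurityTokenServiceConfig
$signingCert = $stsConfig.LocalLoginProvider.SigningCertificate
"STS signing certificate: {0}`n  Thumbprint: {1}`n  Valid until: {2}" -f `
    $signingCert.Subject, $signingCert.Thumbprint, $signingCert.NotAfter

# 2. Collect the signature-validation failures logged since the change.
#    These match the ULS entry shown in the article:
#    Claims Authentication / ad5sl / "Failed to validate signature."
$failures = Get-SPLogEvent -StartTime $certChangeTime |
    Where-Object {
        $_.Category -eq 'Claims Authentication' -and
        $_.EventID  -eq 'ad5sl' -and
        $_.Message  -like 'Failed to validate signature*'
    }

# 3. Summarize: one ULS entry per failed request, so distinct correlation IDs
#    approximate the number of requests still carrying a cookie signed by the
#    old certificate. A count that keeps rising means users have not yet
#    cleared their cookies.
$failedRequests = ($failures | Group-Object Correlation).Count
"Signature failures since {0}: {1} log entries across {2} requests" -f `
    $certChangeTime, $failures.Count, $failedRequests

# Most recent failures, for correlating with user reports.
$failures |
    Sort-Object Timestamp -Descending |
    Select-Object -First 10 Timestamp, Correlation, Message |
    Format-Table -AutoSize
```

Run the script again after asking affected users to clear their cookies; the per-request count should stop increasing once no browser is still presenting a cookie that was issued under the old certificate.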
