Applies To
SharePoint Server Subscription Edition

Symptoms

Consider the following scenario:

  • You have a Microsoft SharePoint Server site collection that is configured to use Security Assertions Markup Language (SAML) claims authentication.

  • Users are actively using the site collection.

  • You change the Security Token Service (STS) certificate.

In this situation, all users who are currently signed in to the SharePoint Server site collection are redirected to authenticate again. When they then try to sign in to the site collection, they receive an error message that resembles the following:

An error occurred. Contact your administrator for more information.

Activity ID: 00000000-0000-0000-0d00-0080000000e1

Relying party: RelyingParty2013

Error time: Mon, 13 Oct 2014 14:58:28 GMT

Cookie: enabled

User agent string: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)

In the SharePoint ULS logs, you see the following error message:

<mm/dd/yyyy> <hh:min:sec.msec> w3wp.exe (0x0EC0) 0x1624 SharePoint Foundation Claims Authentication ad5sl Unexpected Failed to validate signature. 0ca3bf9c-5b4b-c077-8bc4-e01fcbaf1e55

Cause

This issue occurs because the authentication cookie that the browser already holds is not automatically cleared when the STS certificate changes. The token in that cookie was issued under the previous certificate, so the STS can no longer validate its signature against the new certificate (the "Failed to validate signature" entry in the ULS log) and therefore cannot confirm that the token is still within its validity period. The stale token is rejected on every request until it is removed from the browser.
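The following PowerShell is an added example and is not part of the original article. It parses ULS log lines in the standard tab-separated layout (Timestamp, Process, TID, Area, Category, EventID, Level, Message, Correlation), keeps only the Claims Authentication "Failed to validate signature" entries, and summarizes them per minute, so that an administrator can confirm that the failures started at the time the STS certificate was changed rather than being an unrelated problem. The function names, the optional -After parameter, and the sample log lines are all constructed for this example.

```powershell
# Added example (not from the original article): find the claims-authentication
# "Failed to validate signature" entries in SharePoint ULS log lines and count
# them per minute. The sample lines at the bottom are constructed for this example.

function Get-StsSignatureFailure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $LogLine
    )

    foreach ($line in $LogLine) {
        # Skip blank lines and the ULS header row.
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('Timestamp')) { continue }

        # ULS files are tab-separated; a line with fewer than 9 columns is a
        # continuation/wrapped line and is ignored here.
        $fields = $line -split "`t"
        if ($fields.Count -lt 9) { continue }

        $category = $fields[4].Trim()
        $message  = $fields[7].Trim()

        if ($category -ne 'Claims Authentication') { continue }
        if ($message -notlike 'Failed to validate signature*') { continue }

        [pscustomobject]@{
            Timestamp   = [datetime]::ParseExact($fields[0].Trim(), 'MM/dd/yyyy HH:mm:ss.ff',
                                                 [cultureinfo]::InvariantCulture)
            Process     = $fields[1].Trim()
            EventId     = $fields[5].Trim()
            Correlation = $fields[8].Trim()
        }
    }
}

function Get-StsSignatureFailureSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $LogLine,

        # Hypothetical convenience parameter: only count failures at or after
        # this time (for example, the time the STS certificate was replaced).
        [datetime] $After = [datetime]::MinValue
    )

    Get-StsSignatureFailure -LogLine $LogLine |
        Where-Object { $_.Timestamp -ge $After } |
        Group-Object { $_.Timestamp.ToString('yyyy-MM-dd HH:mm') } |
        Sort-Object Name |
        ForEach-Object {
            [pscustomobject]@{
                Minute               = $_.Name
                Failures             = $_.Count
                DistinctCorrelations = @($_.Group.Correlation | Select-Object -Unique).Count
            }
        }
}

# Constructed sample: three signature failures across two minutes and one
# unrelated trace line that must be ignored.
$SampleUlsLines = @(
    "Timestamp`tProcess`tTID`tArea`tCategory`tEventID`tLevel`tMessage`tCorrelation"
    "10/13/2014 14:58:28.11`tw3wp.exe (0x0EC0)`t0x1624`tSharePoint Foundation`tClaims Authentication`tad5sl`tUnexpected`tFailed to validate signature.`t0ca3bf9c-5b4b-c077-8bc4-e01fcbaf1e55"
    "10/13/2014 14:58:29.02`tw3wp.exe (0x0EC0)`t0x1a40`tSharePoint Foundation`tClaims Authentication`tad5sl`tUnexpected`tFailed to validate signature.`t1b2c3d4e-0000-4000-8000-000000000001"
    "10/13/2014 14:58:30.55`tw3wp.exe (0x0EC0)`t0x1624`tSharePoint Foundation`tGeneral`tnasq`tVerbose`tUnrelated trace line.`t0ca3bf9c-5b4b-c077-8bc4-e01fcbaf1e55"
    "10/13/2014 14:59:01.00`tw3wp.exe (0x0EC0)`t0x1624`tSharePoint Foundation`tClaims Authentication`tad5sl`tUnexpected`tFailed to validate signature.`t2c3d4e5f-0000-4000-8000-000000000002"
)

# Expected: 14:58 -> 2 failures (2 correlations), 14:59 -> 1 failure (1 correlation).
Get-StsSignatureFailureSummary -LogLine $SampleUlsLines | Format-Table -AutoSize
```

On a farm server, replace $SampleUlsLines with the contents of the real ULS files (by default under %ProgramFiles%\Common Files\microsoft shared\Web Server Extensions\16\LOGS) read with Get-Content, and pass the time of the certificate change as -After. A sharp rise in failures from that minute onward, spread across many correlation IDs, matches the cause described above; failures that predate the change point to a different problem.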

Resolution

To resolve this issue, clear the cookies in the affected user's browser so that the stale authentication cookie (the SharePoint sign-in cookie, FedAuth) is discarded and a new token is issued under the current STS certificate.

For example, in Microsoft Edge, navigate to Settings > Privacy, search, and services. Under Delete browsing data, next to Clear browsing data now, select Choose what to clear. Select Cookies and other site data, change the Time range setting to All time, and then select Clear now.

Note that clearing cookies for All time and all sites also signs the user out of every other site in that browser. It is sufficient to delete only the cookies for the SharePoint site; the user is then prompted to sign in again and receives a token that validates against the new certificate.
