Symptoms
Consider the following scenario:
- You have a Microsoft SharePoint Server 2013 site collection that is configured to use Security Assertions Markup Language (SAML) claims authentication.
- Users are actively using the site collection.
- You change the Security Token Service (STS) certificate.
Note: See how to replace the STS certificate for the on-premises environment.
In this situation, all users currently signed in to the SharePoint Server 2013 site collection will be redirected to authenticate. Additionally, when users try to sign in to the site collection, they receive an error message that resembles the following:
An error occurred. Contact your administrator for more information.
Activity ID: 00000000-0000-0000-0d00-0080000000e1
Relying party: RelyingParty2013
Error time: Mon, 13 Oct 2014 14:58:28 GMT
Cookie: enabled
User agent string: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)
Cause
This issue occurs because the existing authentication token is not automatically cleared from the client, and after the certificate change the STS can no longer validate the token's signature to confirm that it is within its validity period.
Resolution
To resolve this issue, you can clear the cookies in Internet Explorer. To do this, in the Internet Options dialog box, click Delete, select the Cookies and website data check box, and then click Delete.
More Information
In SharePoint ULS logs, you receive the following error message:
10/06/2014 17:30:44.40 w3wp.exe (0x0EC0) 0x1624 SharePoint Foundation Claims Authentication ad5sl Unexpected Failed to validate signature. 0ca3bf9c-5b4b-c077-8bc4-e01fcbaf1e55
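The ULS entry above is the signal a SharePoint administrator would search for when confirming that sign-in failures started with the certificate swap. The following is an added example, not Microsoft's code or part of this article: it parses ULS lines in the single-space-flattened form shown above (area and category are kept as one field because the tab separators of a real ULS file do not survive in the article's copy) and reports the "Failed to validate signature" events logged after the time the STS certificate was replaced. The sample lines, the change time and the extra correlation IDs are constructed for the example; only the third line is the one quoted in the article.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Assumed time at which the STS certificate was replaced (constructed for the example).
STS_CERT_CHANGED_AT = datetime(2014, 10, 6, 17, 30, 0)

# Constructed sample ULS lines. Only the third one is quoted in the article; the
# others are made up to show one failure before the change and normal traffic around it.
SAMPLE_ULS_LINES = [
    "10/06/2014 09:12:03.11 w3wp.exe (0x0EC0) 0x1624 SharePoint Foundation Claims Authentication af0bc Medium Token validated successfully. 11111111-1111-1111-1111-111111111111",
    "10/06/2014 17:29:58.02 w3wp.exe (0x0EC0) 0x1624 SharePoint Foundation Claims Authentication ad5sl Unexpected Failed to validate signature. 22222222-2222-2222-2222-222222222222",
    "10/06/2014 17:30:44.40 w3wp.exe (0x0EC0) 0x1624 SharePoint Foundation Claims Authentication ad5sl Unexpected Failed to validate signature. 0ca3bf9c-5b4b-c077-8bc4-e01fcbaf1e55",
    "10/06/2014 17:31:02.77 w3wp.exe (0x0EC0) 0x1A30 SharePoint Foundation General 8nca Verbose Application error when access /sites/team. 33333333-3333-3333-3333-333333333333",
    "10/06/2014 17:32:10.05 w3wp.exe (0x0EC0) 0x1624 SharePoint Foundation Claims Authentication ad5sl Unexpected Failed to validate signature. 44444444-4444-4444-4444-444444444444",
]

# Field layout of a flattened ULS line: timestamp, process (thread id in parentheses),
# thread, area+category, event id, level, message, correlation id. The area/category
# group is matched lazily so the short lowercase event id anchors the split.
ULS_LINE = re.compile(
    r"^(?P<timestamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{2})\s+"
    r"(?P<process>\S+ \(0x[0-9A-Fa-f]+\))\s+"
    r"(?P<thread>0x[0-9A-Fa-f]+)\s+"
    r"(?P<area_category>.+?)\s+"
    r"(?P<event_id>[0-9a-z]{4,6})\s+"
    r"(?P<level>VerboseEx|Verbose|Medium|High|Monitorable|Unexpected|Critical)\s+"
    r"(?P<message>.*?)\s+"
    r"(?P<correlation>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$"
)


def parse_uls_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one flattened ULS line, or None if it does not parse."""
    match = ULS_LINE.match(line.strip())
    if match is None:
        return None
    event: Dict[str, object] = match.groupdict()
    event["timestamp"] = datetime.strptime(str(event["timestamp"]), "%m/%d/%Y %H:%M:%S.%f")
    return event


def find_signature_failures(lines: List[str], changed_at: datetime) -> List[Dict[str, object]]:
    """Claims Authentication signature failures logged at or after the certificate change.

    Failures before the change are left out so that pre-existing problems are not
    attributed to the certificate swap.
    """
    hits = []
    for line in lines:
        event = parse_uls_line(line)
        if event is None:
            continue
        if "Claims Authentication" not in str(event["area_category"]):
            continue
        if "Failed to validate signature" not in str(event["message"]):
            continue
        if event["timestamp"] < changed_at:
            continue
        hits.append(event)
    return hits


def correlation_ids(events: List[Dict[str, object]]) -> List[str]:
    """Correlation IDs of the matched events, in log order, for follow-up log merges."""
    return [str(event["correlation"]) for event in events]


if __name__ == "__main__":
    failures = find_signature_failures(SAMPLE_ULS_LINES, STS_CERT_CHANGED_AT)
    print(f"{len(failures)} signature validation failure(s) after the STS certificate change")
    for event in failures:
        print(f"  {event['timestamp']}  {event['thread']}  {event['correlation']}")
```

In practice the input would be the lines of the ULS files from each web front end, and the returned correlation IDs are what you would pass to `Merge-SPLogFile -Correlation` to pull the complete trace for one failed sign-in. Matching only on events at or after the change time is what distinguishes the token-signature failures this article describes from signature failures that were already occurring for another reason.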