Last week a SharePoint 2010 Server farm I manage stopped working: I could browse the Central Administration site collection, but none of the other site collections would load. Each one triggered the generic SharePoint error dialog and would not let you go any further.
Essentially the farm was broken. Looking into the problem, I found that the Security Token Service had stopped and I wasn't able to get it to start again. When investigating why it wouldn't start, I found thousands of events in the Application event log reporting that the Security Token Service was throwing an unhandled exception. If you're like me, seeing errors like this:
WebHost failed to process a request.Sender Information: System.ServiceModel.ServiceHostingEnvironment+HostingManager/17653682
Exception: System.ServiceModel.ServiceActivationException: The service ‘/SecurityTokenServiceApplication/securitytoken.svc’ cannot be activated due to an exception during compilation. The exception message is: Method not found: ‘System.String System.ServiceModel.Activation.Iis7Helper.ExtendedProtectionDotlessSpnNotEnabledThrowHelper(System.Object)’.. —> System.MissingMethodException: Method not found: ‘System.String System.ServiceModel.Activation.Iis7Helper.ExtendedProtectionDotlessSpnNotEnabledThrowHelper(System.Object)’.
at System.ServiceModel.WasHosting.MetabaseSettingsIis7V2.WebConfigurationManagerWrapper.BuildExtendedProtectionPolicy(ExtendedProtectionTokenChecking tokenChecking, ExtendedProtectionFlags flags, List`1 spnList)
You tend to think some code libraries have either gone missing or have changed. Fortunately I found a TechNet blog post on the matter, and I have to congratulate MS for responding so quickly to the issue. It turns out (in my case I was under the impression that this server had Service Pack 1 installed, when it didn't) that if you are running SharePoint Server 2010 on any RTM build of Windows Server 2008 R2 or Windows 7, Security Update KB2756920 will have been applied from Windows Update around January 10th 2013. In this security update Microsoft patch a vulnerability in the .NET Framework 3.5, and the patch does in fact remove some functions from an assembly in the framework, which causes the Security Token Service to break. Who would have guessed!! (sarcasm intended).
I read further that this change in KB2756920 only affects pre-SP1 installs of the OSes mentioned. Service Pack 1 includes an update that supersedes KB2756920; it still carries the fix for the security vulnerability shipped in the KB2756920 patch but doesn't break the Security Token Service. In my case, because of the missing Service Pack and the fact that WSUS wanted to redeploy KB2756920 each time I manually removed it, I first had to apply SP1 to the server; after that the issue was resolved entirely.
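As an added example (not part of the original post), the following read-only PowerShell script checks a SharePoint 2010 server for the combination described above: a pre-SP1 Windows Server 2008 R2 or Windows 7 build, KB2756920 installed, and the MissingMethodException signature in the Application log. The Security Token Service application pool name is an assumption; run it from an elevated prompt on each server in the farm.

```powershell
# Added example, not from the original post. Read-only checks for the KB2756920 / STS break.
$os = Get-WmiObject Win32_OperatingSystem
# Windows Server 2008 R2 and Windows 7 are both NT 6.1; RTM means ServicePackMajorVersion 0.
$preSp1 = ($os.Version -like '6.1.*') -and ($os.ServicePackMajorVersion -eq 0)
Write-Host ("OS: {0} (version {1}, SP{2})" -f $os.Caption, $os.Version, $os.ServicePackMajorVersion)

# Is the problem update present? Get-HotFix throws when the KB is not installed.
$kbInstalled = $false
try {
    $null = Get-HotFix -Id KB2756920 -ErrorAction Stop
    $kbInstalled = $true
} catch { }
Write-Host ("KB2756920 installed: {0}" -f $kbInstalled)

# Count recent Application-log errors carrying the missing-method signature quoted above.
$pattern = 'ExtendedProtectionDotlessSpnNotEnabledThrowHelper'
$hits = @(Get-EventLog -LogName Application -EntryType Error -Newest 2000 |
    Where-Object { $_.Message -match $pattern })
Write-Host ("STS MissingMethodException events in last 2000 errors: {0}" -f $hits.Count)

# State of the STS application pool (pool name is an assumption), if IIS cmdlets are present.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $pool = 'SecurityTokenServiceApplicationPool'
    $state = (Get-WebAppPoolState -Name $pool -ErrorAction SilentlyContinue).Value
    if ($state) { Write-Host ("App pool {0}: {1}" -f $pool, $state) }
}

# Summarise: the post's remedy is Service Pack 1, not repeatedly uninstalling the update.
if ($preSp1 -and $kbInstalled) {
    Write-Warning 'RTM (pre-SP1) OS with KB2756920 installed: apply Service Pack 1 to fix the STS.'
} elseif ($hits.Count -gt 0) {
    Write-Warning 'STS errors found but OS/KB state differs from the post; check SP level and installed updates.'
} else {
    Write-Host 'No sign of the KB2756920 Security Token Service break on this server.'
}
```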
- Official blog post on the issue: http://blogs.technet.com/b/steve_chen/archive/2013/01/11/3545423.aspx
- Supporting blog post that gives more detail on the background issue and why it breaks the Security Token Service in SharePoint 2010: http://sharepoint.nauplius.net/2013/01/installing-kb2756920-ms13-004-on-windows-server-2008-r2-rtm-breaks-sharepoint-2010/