SharePoint 2013 user is logged in, but search fails and returns "The security token could not be authenticated or authorized"

Our environment is on-prem SharePoint 2013 using SAML authentication. The user is logged in and can navigate without any problem but is unable to search.

Looking into the ULS log we are able to see:

ID4223: The SamlSecurityToken is rejected because the SamlAssertion.NotOnOrAfter condition is not satisfied. NotOnOrAfter: '8/25/2015 5:17:19 PM' Current time: '8/25/2015 7:46:57 PM'

Time settings on AD and on all SharePoint boxes are correct, though. If the user clears the browser cache, everything returns to normal.

1:46:58 PM	w3wp.exe (0x095C)	Claims Authentication	Token Cache: Added token to distributed cache.
1:46:58 PM	w3wp.exe (0x095C)	Claims Authentication	Token Cache: Successfully added token to cache for 'XXXXXXXXXXXX'.
1:46:58 PM	w3wp.exe (0x095C)	Claims Authentication	SPTokenCache.ReadTokenXml: Successfully read token XML 'XXXXXXXXXXXX,XXXXXXXXXXXX,130854283401998663,True,FIZuvkjXsE9w4YWIJeQSIOG6VLEZIsJMoQLlks+pZ0aS+9mdGpZMqdzSLYD/FA9ZtZTiqyRUEATyaSIUZh2VT9ribPgMkdb1UVnEpn6dSVyjeaRcNPDw2jKaqhDtaRdCdONg3TOh/xhv5oKDG/tiNgwShAuxeHNkeuzSH5L1UVdjY8n/diP4zqkYnAjaWT5rqDPvwvoxvw927HXhD4xUb8hJ+dcl0ik7oAgXnvI6O1e1rPnJs3378GxBqQ9RqtDVNza1ka6qQCluTaLjB9P/QW5tOMQb+ZeDbWeG9J8E5WOFXHOzDXEuIZAb/5W7itQbm9ps/HN3uTB22JNLFhhrtQ==,https://xxxxxxxxxxxxxxxxxxx.com/'.
1:46:58 PM	w3wp.exe (0x095C)	Claims Authentication	SPChunkedCookieHandler: Writing secure cookie(s) with name 'FedAuth', path '/', domain '' for request 'https://xxxxxxxxxxxxxxxxxxx.com/apps/empreco/_layouts/15/osssearchresults.aspx?u=https://xxxxxxxxxxxxxxxxxxx.com/apps/empreco&k=michael', {ExpirationTime '8/30/2015 5:46:57 PM',PersistentSessionLifetime '5.00:00:00',CookieHandler.PersistentSessionLifetime '5.00:00:00',CookieLieftime '5.00:00:00'}.
1:46:58 PM	w3wp.exe (0x095C)	Claims Authentication	SPSecurityTokenServiceManager!GetProviderByName: Returning Trusted Login Provider for input xxxxxxxxxxxxxxxxxxx
1:46:58 PM	w3wp.exe (0x095C)	Claims Authentication	Found valid trusted provider. Provider: 'xxxxxxxxxxxxxxxxxxx'
1:46:58 PM	w3wp.exe (0x095C)	Claims Authentication	Claim provider does not support user keys. Claim Provider: 'LDAPCP'
1:46:58 PM	w3wp.exe (0x1D30)	Claims Authentication	STS Call: Issuing new security token.
1:46:58 PM	w3wp.exe (0x1D30)	Claims Authentication	STS Call: Failed to issue new security token. Exception: Microsoft.IdentityModel.Tokens.SecurityTokenExpiredException: ID4223: The SamlSecurityToken is rejected because the SamlAssertion.NotOnOrAfter condition is not satisfied. NotOnOrAfter: '8/25/2015 5:17:19 PM' Current time: '8/25/2015 5:46:57 PM'     at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateConditions(SamlConditions conditions, Boolean enforceAudienceRestriction)     at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)     at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)     at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo..ctor(IClaimsIdentity identity, RequestSecurityToken request, Boolean initializeForActor, SPRequestInfoType overrideRequestType)     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo..ctor(IClaimsPrincipal principal, RequestSecurityToken request, Boolean initializeForActor)     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetTokenLifetime(Lifetime requestLifetime)     at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityToken request)     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityToken request)
1:46:58 PM	w3wp.exe (0x095C)	Claims Authentication	SPSecurityContext: Request for security token failed with exception: System.ServiceModel.FaultException: ID3242: The security token could not be authenticated or authorized.     at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response)     at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)     at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)     at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo, SPRequestSecurityTokenProperties properties)
1:46:58 PM	w3wp.exe (0x095C)	Claims Authentication	An exception occurred when trying to issue security token: ID3242: The security token could not be authenticated or authorized..


August 25th, 2015 3:38pm

Hi Tak,

This error happens when the clock on the ADFS server and the clock on SharePoint server are not synchronized.

To fix this, go onto each server and restart the "Windows Time" service. Then open a command prompt and type w32tm /resync.

More information:

http://www.richardawilson.com/2012/02/adfs-20-id4332-samlsecuritytoken-is.html

A similar post for your reference:

http://www.sharepointpals.com/post/ID4223-The-SamlSecurityToken-is-rejected-because-the-SamlAssertionNotOnOrAfter-Condition-is-not-satisfied-SharePoint-2013-with-ADFS

Thanks,

Wendy

August 26th, 2015 2:35am
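An added example, not code from either post, that turns the ID4223 line into numbers an admin can act on: it parses NotOnOrAfter and the validator's clock out of the ULS trace and evaluates the assertion's conditions with a configurable clock-skew tolerance, which separates a few minutes of drift between ADFS and SharePoint (the diagnosis above) from an assertion that was already stale when it was presented. The sample line is constructed from the values in the trace in the question; the five-minute tolerance and all function names are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the ID4223 text from the ULS trace in the question,
# reduced to the message part so the script runs offline.
SAMPLE_LINE = (
    "STS Call: Failed to issue new security token. Exception: "
    "Microsoft.IdentityModel.Tokens.SecurityTokenExpiredException: ID4223: The "
    "SamlSecurityToken is rejected because the SamlAssertion.NotOnOrAfter condition "
    "is not satisfied. NotOnOrAfter: '8/25/2015 5:17:19 PM' Current time: "
    "'8/25/2015 5:46:57 PM'"
)

# .NET short-date / long-time formatting as it appears in the trace.
ULS_TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"
ID4223_RE = re.compile(
    r"ID4223:.*?NotOnOrAfter: '(?P<expiry>[^']+)' Current time: '(?P<now>[^']+)'"
)


def parse_uls_time(text):
    """Parse a timestamp written the way the ULS trace prints it."""
    return datetime.strptime(text, ULS_TIME_FORMAT)


def parse_id4223(line):
    """Return (NotOnOrAfter, validator clock) from an ID4223 line, or None."""
    m = ID4223_RE.search(line)
    if not m:
        return None
    return parse_uls_time(m.group("expiry")), parse_uls_time(m.group("now"))


def check_conditions(not_before, not_on_or_after, now, skew=timedelta(minutes=5)):
    """Evaluate SAML <Conditions> the way a token handler does.

    NotBefore is inclusive and NotOnOrAfter is exclusive; `skew` is the
    tolerance allowed for clock drift between issuer and consumer.
    """
    if not_before is not None and now + skew < not_before:
        return "not-yet-valid"
    if now - skew >= not_on_or_after:
        return "expired"
    return "valid"


def diagnose(line, skew=timedelta(minutes=5)):
    """Summarise an ID4223 line: how far past expiry, and whether drift explains it."""
    parsed = parse_id4223(line)
    if parsed is None:
        return None
    expiry, now = parsed
    overrun = now - expiry
    return {
        "not_on_or_after": expiry,
        "validator_clock": now,
        "seconds_past_expiry": int(overrun.total_seconds()),
        # Within the tolerance, clock drift between the servers is a plausible
        # cause; far beyond it, the assertion was stale when it was presented,
        # so look at how long it was held (cookie/token cache lifetimes).
        "within_skew_tolerance": overrun <= skew,
        "verdict": check_conditions(None, expiry, now, skew),
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LINE).items():
        print(f"{key}: {value}")
```

With the values from this trace the validator's clock is 1778 seconds past NotOnOrAfter, well beyond any usual skew allowance, so a time resync alone may not be the whole story; the trace also shows the FedAuth cookie being written with a five-day persistent lifetime, and comparing that with the assertion's own lifetime is a reasonable next check given that clearing the browser cache resolves the symptom.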

