The security token service should definitely have a web.config – I’ve never seen it without one. It’s the security token service configuration that is used during login, so if that’s not configured correctly that will be causing your issues. You should be able to use IIS Providers screen for the security token service to see if the membership providers are showing as configured there.

Hi Chris,
Thank you very much for your fast replies.
I have indeed configured both servers with the same configurations, going through this article. so both had the same configurations. however, I found the issue which seems to be strange to me.

I did the following:
1- Open IIS Manager.
2- Clicked on securityTokenServiceApplication -> features View -> Connection Strings.
3- Here I noticed that I have different Connection strings that are pointing to different server, once I fixed it everything worked fine.

I checked the web.config again and found that the connection strings have been added there.

Thank you so much for your time and effort.

My guess is that something is configured differently in web1 than web2. Have you checked to make sure all of the .config file changes are the same? Are you sure that the connection string properly connects to the sql server from web1? Shouldn’t be, but is it possible that the app pool account is different between the two servers and only the web2 account has permissions to the fba database?

Another possibility is if you are using the encrypted password format instead of hashed (you should use hashed). The encrypted password format requires the same machine key values set on all servers.

I tried to turn off the WEB1 IIS and everything worked fine. but still I need both of them the stay up.

any thoughts?

Yeah, it should be fine in a multi server environment, as long as all the machine.config files and securetokenservice web.configs are all configured the same.

Thank you for quick reply.

Yes, I have made changes to SecureTokenService web.config as mentioned.
When I do the FBA configuration on my dev box with is single server environment it works just fine. The only difference on the staging environment is its multiple server architecture. I will double check my web.config though.

Here are few errors I find in ULS log.
SPSecurityContext: Request for security token failed with exception. Exception: ‘System.ServiceModel.FaultException: The security token username and password could not be validated.
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)
at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo, SPRequestSecurityTokenProperties properties)’.

SetupUserValidationType: Password not set. Defaulting to sign-in operation. Username:

An exception occurred when trying to issue security token: The security token username and password could not be validated..

You don’t need to make the machine.config change on SQL Server, only on SharePoint servers.

As for the error, did you make the SecureTokenService web.config changes? If so, I think there’s some differences in the membership settings in that web.config and the machine.config.

I have a multiple server environment with 1 WEF, 1 APP, and 1 Sql server. As you mention in the blog we need to change the machine.config on all the environment. Is this applicable to sql server environment also?

When i try to login with FBA users i get below errors in ULS log though i used the hashed passwordFormat

STS Call: Failed to issue new security token. Exception: ‘System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.).’.

Please advice
Regards

Hi Steve,

The tutorial still works, the only thing that has really changed is that to use it in Chrome you need to be accessing the site via https/ssl. But nothing to do with the above error.

That error just means that the FBA Pack can’t access the database specified in the config file/FBA Setup. I’d say 90% of the time it is due to a permissions issue. The database requests happen as the SharePoint app pool user, and that user doesn’t have permission to the DB. There’s information in Part 1 about assigning the proper permissions to the DB.