SharePoint 2016 – SecurityTokenServiceApplication (securitytoken.svc) Service Activation Failure

Md. Pepul Ahammade 0 Reputation points
2026-03-30T03:34:56.5433333+00:00

Hi,

I am experiencing an issue after the certificate expired and a new certificate was installed.

SharePoint web applications are inaccessible due to a failure of the Security Token Service (STS). Error shown in the browser: "Server Error in '/' Application. The requested service, http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc could not be activated." Authentication fails and users cannot access any SharePoint site. The issue appears to be related to SecurityTokenServiceApplication.

System.ServiceModel.ServiceActivationException: The requested service 'http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc' could not be activated.


2 answers

  1. Teddie-D 14,685 Reputation points Microsoft External Staff Moderator
    2026-03-30T04:30:50.78+00:00

    Hi @Md. Pepul Ahammade 

    Thank you for posting your question in the Microsoft Q&A forum.

    Based on your description and the error message: "Server Error in '/' Application. The requested service, http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc could not be activated.", this issue is related to the Security Token Service (STS) certificate update not being successfully applied across all servers in the SharePoint farm.  

    When the STS certificate expires and is replaced, the update must be synchronized to every server in the farm. If one or more servers fail to receive the update, authentication will break and SharePoint sites will become inaccessible, which matches the behavior you are experiencing.  

    Additionally, the PowerShell message: “The timer job completed, but failed on one or more machines in the farm” confirms that the certificate deployment did not complete successfully across the environment.  

    To resolve this, please check the following:  

    1. Verify certificate installation on all SharePoint servers

    - The new STS certificate, including its private key, must be present in the Local Computer > Personal (My) certificate store.

    - Confirm this on every server in the farm.

    2. Re-run the STS certificate update command

    - Please refer to the following Microsoft documentation: Replace the STS certificate for SharePoint Server - SharePoint Server | Microsoft Learn

    - Ensure the update completes successfully on all servers, then restart IIS and the SharePoint Timer Service.

    I hope this helps. 


    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.  


  2. Q&A Assist
    2026-03-30T03:35:15.69+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Use the following steps to restore the Security Token Service (STS) after the certificate change.

    1. Verify the STS application pool
      1. On a server that has SharePoint 2016, open Server Manager → Tools → Internet Information Services (IIS) Manager.
      2. In Connections, select Application Pools.
      3. Locate SecurityTokenServiceApplicationPool.
        • If the pool is Stopped, start it.
        • If it is already started, stop it and then start it again to restart the pool.
    2. Confirm STS trust level in IIS
      1. In IIS Manager, expand Sites → the SharePoint web site that hosts STS, and select the SecureTokenServiceApplication application.
      2. In Features View, open .NET Trust Levels.
      3. Ensure the trust level is set to Full. If not, change it to Full and apply.
    3. Check for STS certificate issues
      1. Open Event Viewer → Windows Logs → Application on each SharePoint server.
      2. Look for Event ID 8311 from source SharePoint Foundation, category Topology, with NotTimeValid in the message.
      3. If present, the STS certificate is expired or invalid and must be replaced.
    4. Replace or update the STS certificate (if Event ID 8311 or other STS‑certificate errors are present)
      • Follow the documented procedure to replace the STS certificate for SharePoint Server and ensure the new certificate is correctly registered with STS on all farm servers.
      • After replacement, run the STS timer job (or wait for it to complete) and then recycle IIS (iisreset) during a maintenance window.
    5. Validate custom claims provider assemblies (if used)
      • If a custom claims provider is deployed, check ULS and event logs for messages about missing assemblies.
      • Install any missing assemblies into the Global Assembly Cache (GAC) on all SharePoint servers, then recycle IIS.
    6. Re-test access
      • Browse to a SharePoint web application.
      • Authentication should now succeed and the securitytoken.svc endpoint should activate without the ServiceActivationException.

    If the timer job that applies the new STS certificate reports that it failed on one or more machines, repeat the certificate replacement steps and ensure all SharePoint servers are online and can access the certificate store while the job runs.
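The checks both answers describe (certificate with private key in Local Computer > Personal on every server, STS application pool state, Timer Service, Event ID 8311 with NotTimeValid) can be gathered from all farm servers in one pass. The script below is an added example, not code from either answer or from Microsoft's documentation; the server names and the thumbprint are placeholders you must replace, and it only reports state, it does not change anything.

```powershell
# Added example (not from the original thread): collect the STS health checks
# the answers above describe from every farm server in one run.
# Assumptions: $Servers and $StsThumbprint are placeholders to fill in.
$Servers       = @('SP-WFE01', 'SP-APP01')      # placeholder farm server names
$StsThumbprint = '<NEW-STS-CERT-THUMBPRINT>'    # placeholder: thumbprint of the new STS cert

$check = {
    param($Thumbprint)
    $r = [ordered]@{ Server = $env:COMPUTERNAME }

    # 1. New STS certificate present in Local Computer > Personal (My), with private key
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $Thumbprint }
    $r.CertPresent    = [bool]$cert
    $r.HasPrivateKey  = if ($cert) { $cert.HasPrivateKey } else { $false }
    $r.CertValidUntil = if ($cert) { $cert.NotAfter } else { $null }

    # 2. SecurityTokenServiceApplicationPool state via the IIS WebAdministration module
    Import-Module WebAdministration -ErrorAction SilentlyContinue
    $pool = Get-WebAppPoolState -Name 'SecurityTokenServiceApplicationPool' -ErrorAction SilentlyContinue
    $r.StsPoolState = if ($pool) { $pool.Value } else { 'NotFound' }

    # 3. SharePoint Timer Service (SPTimerV4) must be running for the certificate timer job
    $r.TimerService = (Get-Service SPTimerV4 -ErrorAction SilentlyContinue).Status

    # 4. Event ID 8311 entries from the last day whose message mentions NotTimeValid
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 8311;
                                               StartTime = (Get-Date).AddDays(-1) } `
                           -ErrorAction SilentlyContinue
    $r.NotTimeValid8311 = @($events | Where-Object { $_.Message -match 'NotTimeValid' }).Count

    [pscustomobject]$r
}

Invoke-Command -ComputerName $Servers -ScriptBlock $check -ArgumentList $StsThumbprint |
    Format-Table Server, CertPresent, HasPrivateKey, CertValidUntil, StsPoolState,
                 TimerService, NotTimeValid8311 -AutoSize
```

A server that shows CertPresent or HasPrivateKey as False, or a non-zero NotTimeValid8311 count, is one on which the certificate update did not land; re-run the STS certificate replacement from the Microsoft documentation linked above and recheck before restarting IIS and the Timer Service.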

