I configured FBA and AD LDS in SharePoint 2010 and was able to grant permissions to AD LDS users in SharePoint. However, I could not log in with these users. The ULS log shows multiple errors similar to the ones below:
An exception occurred when trying to issue security token: The security token username and password could not be validated..
and
SPSecurityTokenService.Issue() failed: System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.).
It turns out that this was because the STS did not have read access to the AD LDS user store. On my dev machine the STS is running under LocalSystem, as shown below.
In AD LDS there are three roles by default: Administrators, Readers and Users, as shown below.
Adding the STS app pool account to the Administrators or Readers role fixed the issue. Readers is enough, since the STS only needs to read the user store, and it keeps the account's privileges in AD LDS to a minimum.
Another issue that can cause login to fail is that the user account is disabled. In AD LDS a user account is disabled by default when you create it. I have written about this here.
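To check both causes from the STS's point of view, here is an added diagnostic script (not part of the original post) that binds to AD LDS with the identity running it, lists the members of the Readers role, and looks up the user and its msDS-UserAccountDisabled attribute. The instance address, partition DN and user CN are placeholders to adjust; run it under the STS app pool identity (for LocalSystem, e.g. from a scheduled task) so the bind uses the same account the STS uses.

```powershell
# Added diagnostic, not the post's own code. It repeats the two things the STS needs:
# reading the AD LDS user store and finding an enabled user object.
$LdapHost  = 'localhost:50000'      # assumed AD LDS instance (host:port)
$Partition = 'DC=demo,DC=local'     # assumed application partition DN
$UserCn    = 'jdoe'                 # assumed FBA user that cannot log in

Add-Type -AssemblyName System.DirectoryServices

function Get-AdLdsEntry([string]$Dn) {
    # Secure (Negotiate) bind as the identity running this script, like the STS does.
    $auth = [System.DirectoryServices.AuthenticationTypes]::Secure
    New-Object System.DirectoryServices.DirectoryEntry("LDAP://$LdapHost/$Dn", $null, $null, $auth)
}

try {
    # 1. Who is in the Readers role? The STS account, a group containing it, or its
    #    foreignSecurityPrincipal entry (e.g. CN=S-1-5-18 for LocalSystem) should appear.
    $readers = Get-AdLdsEntry "CN=Readers,CN=Roles,$Partition"
    Write-Host "Members of CN=Readers,CN=Roles,$Partition :"
    foreach ($m in $readers.Properties['member']) { Write-Host "  $m" }

    # 2. Can this identity find the user, and is the account enabled?
    $searcher = New-Object System.DirectoryServices.DirectorySearcher((Get-AdLdsEntry $Partition))
    $searcher.Filter = "(&(objectClass=user)(cn=$UserCn))"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('msDS-UserAccountDisabled')
    $user = $searcher.FindOne()

    if ($null -eq $user) {
        Write-Warning "User '$UserCn' is not visible to this identity: check the Readers role membership and the partition/container DN."
    } else {
        # SearchResult property names are returned lower-cased.
        $dn       = $user.Properties['distinguishedname'][0]
        $disabled = $user.Properties['msds-useraccountdisabled']
        if ($disabled.Count -gt 0 -and [bool]$disabled[0]) {
            Write-Warning "$dn is disabled (msDS-UserAccountDisabled=TRUE); enable it before testing login."
        } else {
            Write-Host "$dn is readable and enabled."
        }
    }
}
catch [System.Runtime.InteropServices.COMException] {
    # Bind failures and access-denied errors land here: this identity cannot read the store.
    Write-Warning "LDAP bind or read failed: $($_.Exception.Message)"
}
```

If the Readers listing itself throws, the identity cannot even read the Roles container, which matches the first error in the ULS log; an empty search result with a successful bind usually means the wrong container DN or a missing role membership.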