Cannot login with FBA and AD LDS: The security token username and password could not be validated

I configured FBA and AD LDS in SharePoint 2010 and was able to grant permissions to AD LDS users in SharePoint. I however could not login with these users. The ULS shows multiple errors similar to below:

An exception occurred when trying to issue security token: The security token username and password could not be validated..

and

SPSecurityTokenService.Issue() failed: System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.).

It turns out that it was because the STS did not have read access to the AD LDS user store. On my dev machine the STS is running under LocalSystem as shown below.

In AD LDS, by default there are three roles, Administrators, Readers and Users, as shown below.

Adding the STS app pool account to the Administrators or Readers role fixed the issue.

Another issue that could cause login to fail is that the user account is disabled. In AD LDS the user account is disabled by default when you create them. I have written about this here.

About Bernado

Based in Australia, I am a freelance SharePoint and Dynamics CRM developer. I love developing innovative solutions that address business and everyday problems. Feel free to contact me if you think I can help you with your SharePoint or CRM implementation.

View all posts by Bernado →

One Response to Cannot login with FBA and AD LDS: The security token username and password could not be validated

Pingback: The security token username and password could not be validated. | Cao Quoc Hung