SPTrustedIdentityTokenIssuer URI invalid

By | 2015-10-06

This week a problem occurred on our SharePoint environment due to human error, with unexpected SharePoint behavior both contributing to the cause and complicating the fix.
Somehow it is possible to update the SPTrustedIdentityTokenIssuer property ProviderSignoutUri with an invalid value, after which all subsequent repair actions fail, as do many SPTimerjobs. They all give the same error: “Invalid URI: The format of the URI could not be determined”.


The SPTrustedIdentityTokenIssuer cannot be deleted or altered (while it’s in use), the WebApplications that use the SPTrustedIdentityTokenIssuer cannot be altered or updated, the timerjob RefreshCache fails every time, and even solutions cannot be installed or uninstalled.

We found out that, although the .Update() action triggered an exception, the attribute does get changed in the database. When displaying the properties of the SPTrustedIdentityTokenIssuer however, the attribute seemed empty. This made us go on a wild-goose chase, until we checked everything again and determined that the problem didn’t pre-exist and it had to be related to the SPTrustedIdentityTokenIssuer object.
So I dug a little deeper and decided to look in the SharePoint config database:

In the resulting row, the properties column contains a large XML document with all configuration related to your TrustedIdentityTokenIssuer.

Here we found out that the attribute “ProviderSignoutUri” was populated with a value: the human error had somehow ended up in the SharePoint Configuration Database. It wasn’t visible with the PowerShell command Get-SPTrustedIdentityTokenIssuer, where it appeared empty! This left us with no other choice than to change the value with SQL (UNSUPPORTED). Make a back-up of your database before you attempt this fix. Make sure you copy the whole XML to your UPDATE statement and only change the row with the Id of the TrustedIdentityTokenIssuer!


When the SQL UPDATE statement has been executed, update the object from the PowerShell command line without any alteration and you are good to go again.

So, SharePoint allows us to change the attribute to an invalid value, gives us an exception about it, but still changes it in its SharePoint Configuration Database. Furthermore, it won’t show the actual value and won’t let us change anything related to it. I don’t want anyone to have to go through all this.
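
One way to keep such a value from reaching .Update() in the first place, as an added example that is not part of the original post: the error text above is the message of the UriFormatException that System.Uri throws, so the same parser can be used to check a candidate value up front. The function names `Test-SignoutUri` and `Set-IssuerSignoutUri` and the sample values are hypothetical, and the example assumes the bad value was a string that does not parse as an absolute http/https URI.

```powershell
# Added example (not the author's code): reject a sign-out value that
# System.Uri cannot parse as an absolute http/https URI before it is assigned.
function Test-SignoutUri {
    param(
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]
        [string]$Candidate
    )

    $parsed = $null
    # TryCreate returns $false where "new Uri(...)" would throw UriFormatException.
    if (-not [System.Uri]::TryCreate($Candidate, [System.UriKind]::Absolute, [ref]$parsed)) {
        Write-Warning "Rejected '$Candidate': not an absolute URI."
        return $false
    }
    if (@('http', 'https') -notcontains $parsed.Scheme) {
        Write-Warning "Rejected '$Candidate': scheme '$($parsed.Scheme)' is not http or https."
        return $false
    }
    return $true
}

# Hypothetical wrapper: only touches the farm object after validation passes.
function Set-IssuerSignoutUri {
    param(
        [Parameter(Mandatory = $true)][string]$IssuerName,
        [Parameter(Mandatory = $true)][AllowEmptyString()][string]$SignoutUri
    )

    if (-not (Test-SignoutUri -Candidate $SignoutUri)) {
        throw "ProviderSignoutUri not changed: '$SignoutUri' failed validation."
    }
    $issuer = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName
    $issuer.ProviderSignoutUri = [System.Uri]$SignoutUri
    $issuer.Update()
}

# Constructed sample values: only the first one should pass.
$samples = @(
    'https://sts.example.test/adfs/ls/?wa=wsignout1.0',
    'sts.example.test/adfs/ls',
    'ftp://sts.example.test/signout',
    ''
)
foreach ($s in $samples) {
    '{0,-50} -> {1}' -f $s, (Test-SignoutUri -Candidate $s)
}
```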





For future reference, here are some details of the exceptions and the logfiles.

The ULS logfile entries of the first occurrence and the resulting timerjob failure:
