SharePoint Installation Claims Error: Failed to create instance of cookie value handler type / handler object

I got this error while installing SharePoint 2013 with AutoSPInstaller.

STS Call Claims Windows: Failed to get cookie value handler type / object

Opening the logs I saw following error messages:


This error was also caused when I tried to use Get-SPSite -Limit All

As the error says that it is a claims problem I first checked the SharePoint Security Token Service but the web service was fine. When I browse the web service, the page is rendered without errors:


After:
  • Check if Windows Web Services Pool has started
  • Check if "Claims To Windows Token Service" has started
  • Check if IIS checkbox "enable for 32bit Applications" is checked
  • Provisioning the Security Service again
  • Check if the "Claims To Windows Token Service" is running under Localsystem account
  • Check if in IIS > Windows Authentication "Enable Kernel Mode Authetication" is enabled
  • And Reinstalling SharePoint
I got still the same error.

Then I decided to debug the code and searched after the error message and found out the the error is thrown when an instance of the SPSessionSecurityTokenCookieValue object is made.

When you look at the constructor of this object:



the error is created from one of this calls. I opened a Powershell command and typed:

System.Security.Cryptography.HashAlgorithm]::Create("SHA256")

The result end in an error with something containing FIPS. And here It made click.

We had a GPO enabled, that only FIPS compliant algorithms for encryption should be used. Disable this policy and reboot to solve the problem


Following policies should be also checked:
  • Impersonate a client after authetication
  • Log on as a batch job
  • log on as a service


Comments

NK said…
Great article!!
I came across the same error when FIPS setting was being forced from GP.
Anonymous said…
Wow, you saved my day :)
I was running out of options and had a feeling it was probably related to server hardening (policies) but didn't know where to look.

Thanks again!
Anonymous said…
Thank you for this post. We searched and searched for the STS problem solution and this was it.
mansuri.isteyaq said…
disabling FIPS blocked my RDP access to the server. Even from Vspheare i wasnt able to connect.

Popular posts from this blog

Open SharePoint 2010/2013 Display, Edit, New Forms in Modal Dialogs

Ways to redirect http requests in SharePoint

Using WebDav on IIS 7 to access UNC Paths