Error 500 when trying to browse a SharePoint site

Question

I have recently installed SharePoint Server 2016 on-premises. I can browse the CA site but all other sites are throwing an error 500. Below is a snippet of the event log error details.

WebHost failed to process a request. Sender Information: System.ServiceModel.ServiceHostingEnvironment+HostingManager/62476613 Exception: System.ServiceModel.ServiceActivationException: The service '/SecurityTokenServiceApplication/securitytoken.svc' cannot be activated due to an exception during compilation. The exception message is: The extended protection settings configured on IIS do not match the settings configured on the transport. The ExtendedProtectionPolicy.PolicyEnforcement values do not match. IIS has a value of Always while the WCF Transport has a value of WhenSupported.. ---> System.NotSupportedException: The extended protection settings configured on IIS do not match the settings configured on the transport. The ExtendedProtectionPolicy.PolicyEnforcement values do not match. IIS has a value of Always while the WCF Transport has a value of WhenSupported. at System.ServiceModel.Activation.HostedAspNetEnvironment.ValidateHttpSettings(String virtualPath, Boolean isMetadataListener, Boolean usingDefaultSpnList, AuthenticationSchemes& bindingElementAuthenticationSchemes, ExtendedProtectionPolicy& extendedProtectionPolicy, String& realm) at System.ServiceModel.Channels.HttpChannelListener.ApplyHostedContext(String virtualPath, Boolean isMetadataListener) at System.ServiceModel.Activation.HostedAspNetEnvironment.ApplyHostedContext(TransportChannelListener listener, BindingContext context) at System.ServiceModel.Channels.HttpTransportBindingElement.BuildChannelListener[TChannel](BindingContext context) at System.ServiceModel.Channels.Binding.BuildChannelListener[TChannel](Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, BindingParameterCollection parameters) at System.ServiceModel.Description.DispatcherBuilder.MaybeCreateListener(Boolean actuallyCreate, Type[] supportedChannels, Binding binding, BindingParameterCollection parameters, Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, ServiceThrottle throttle, IChannelListener& result, Boolean supportContextSession) at System.ServiceModel.Description.DispatcherBuilder.BuildChannelListener(StuffPerListenUriInfo stuff, ServiceHostBase serviceHost, Uri listenUri, ListenUriMode listenUriMode, Boolean supportContextSession, IChannelListener& result) at System.ServiceModel.Description.DispatcherBuilder.InitializeServiceHost(ServiceDescription description, ServiceHostBase serviceHost) at System.ServiceModel.ServiceHostBase.InitializeRuntime() at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceHost.InitializeRuntime() at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout) at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) at System.ServiceModel.ServiceHostingEnvironment.HostingManager.ActivateService(ServiceActivationInfo serviceActivationInfo, EventTraceActivity eventTraceActivity) at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath, EventTraceActivity eventTraceActivity) --- End of inner exception stack trace --- at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath, EventTraceActivity eventTraceActivity) at System.ServiceModel.ServiceHostingEnvironment.EnsureServiceAvailableFast(String relativeVirtualPath, EventTraceActivity eventTraceActivity) Process Name: w3wp Process ID: 2588

The Health Analyser indicates that the Security Token Service is not available. May you please assist with this error. All application pools are started and the windows authentication mode is enabled together with the extended protection set to accept

Answer 1

SharePoint does not support the "Extended Protection = Accept/Required" setting. This can be found in an IIS site -> Authentication -> Windows Authentication (right click) -> Advanced Settings.

Note that applications, like SecurityTokenServiceApplication, can have different settings than their parent IIS site.

Answer 2

Set the Extended Protection to Off via IIS > Server > Sites > [Select site] > Authentication > Windows Authentication > Advanced Settings... (under Actions on the right panel).

Then do an IISRESET by running iisreset /noforce.

Reference: The ExtendedProtectionPolicy.PolicyEnforcement values do not match. IIS has a value of WhenSupported while the WCF Transport has a value of Never.

Another post on this issue: SharePoint 2016, 500 Internal server error.