I am facing issue in implementing Federated Search between SharePoint 2013 Azure and SharePoint online.
SharePoint 2013 Azure uses ADFS for authentication. Azure active directory and on-premise active directories are not in sync though.
I have followed all the steps that have been mentioned in following two links –
https://technet.microsoft.com/EN-US/library/dn607307.aspx
https://technet.microsoft.com/en-us/library/dn197169.aspx
However when I am trying to test the Federated result source, I are getting following error –
Web error: System.Net.WebException: The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.SharePoint.Client.SPWebRequestExecutor.Execute()
at Microsoft.SharePoint.Client.ClientContext
I am not sure if we are missing something which is implied or not mentioned in the technet links.
Grateful if someone can help in resolving this issue.
Finally after a month of effort and taking help of Microsoft support, we have resolved the issue. The problem was the value of variable $spcn.
In the article, it was not very clear to which domain it has to be set.
$spcn - The root domain name of your public domain. This value should not be in the form of a URL; it should be the domain name only, with no protocol.
An example is adventureworks.com.
We were initially setting it to domain of SharePoint Online. Finally after lot of hit and trial, we found that we have to add domain of both SharePoint Online and SharePoint 2013. It worked after that.
Related
We are trying to connect an internal application to Sharepoint 365. The goal is to read data from Sharepoint 365 lists and Excel documents. We want to take advantage of the fact we already use OAuthentication and basically our users login with their own Windows credentials. Now, to accomplish that we first need to register an application with Sharepoint which we did using this link:
https://mycompany.sharepoint.com/sites/MySite/_layouts/15/appregnew.aspx
After that we also need to get an authorization code for clients to login with their Windows account. We do that with this URL:
https://mycompany.sharepoint.com/sites/MySite/_layouts/15/OAuthAuthorize.aspx?client_id=14f0e39c-1234-42ea-bed5-ee5c7c834655&scope=List.Read&response_type=code&redirect_uri=https%3A%2F%2Fmysite.mycompany.com%3A9090%2Foauth%2F2.0%2FredirectURL.jsp
When we run that last link we get the error below:
Sorry, something went wrong
There is no claims identity. Please make sure the web application is configured to use Claims Authentication.
TECHNICAL DETAILS
Troubleshoot issues with Microsoft SharePoint Foundation.
Correlation ID: 367ee69f-5066-0000-e1ef-cee55f7b7000
As you can see, the error is not very helpful. I have done already lots of research and answers vary from lack of higher level of access, to invalid URL request. I have elevated access and the URL is well constructed. Yet the error persist.
So, my question, what is the meaning of the error? Why is not executing?
We logged a Microsoft Premier Support ticket and behold! the problem has been fixed.
This seems like a simple question but I'm struggling to find an answer anywhere. Help! ;-)
I'm trying to use Microsoft Graph to read SharePoint lists/libraries in a SharePoint site, however this is just for one site (for our department) amongst many on our SharePoint online. I've registered an Azure AD app (with secret etc...) and requested 'application' permissions for the Microsoft Graph ('Create, edit, and delete items and lists in all site collections') and its saying 'admin consent required' is 'yes' and its currently flagged as 'not granted for *****'.
My boss is now asking - with a worried tone ;-)
will this mean the app can basically read/write/delete on all sites in
the organisations SharePoint (not just our site) if our IT department
'consent'?
I said I don't know actually... I guess I'm not entirely clear on which permissions this is for, is it just to call the Microsoft Graph API or is it for this app to access SharePoint itself? I've searched for answers to this but I'm struggling to find anywhere that says anything about giving your app permissions in SharePoint, it all seems to be about getting permissions for the Microsoft Graph to access SharePoint.
I just want the app to have permissions to read/write lists/files in this one SharePoint site, not any others (we have loads of sites for other departments). I feel like we should be adding permissions for this app (its service principal?) somewhere on the SharePoint site we want to access, but what permissions do I need to setup and where so this app can only access this one site?
Azure AD app registration now allows for granular access to SharePoint site collection, there is a new option Sites.Selected under Azure AD App Registration - Request API Permissions - refer to https://developer.microsoft.com/en-us/graph/blogs/controlling-app-access-on-specific-sharepoint-site-collections/
Unfortunately, this feature is still missing. It is not possible to limit the permissions to only one SharePoint site. It's either access to all SharePoint sites in the organisation or none. Check out the user vote for more information: here. Microsoft is still working on providing a way to limit the access to specific resources.
I'm trying to use the AadHttpClient library that comes with SPFx to connect to a custom API secured by an app registration in Azure AD.
However when I run the web part in the workbench, SharePoint Online (in the tenant _layouts) I get an error in the console saying that the feature is experimental.
Error: The requested operation is part of an experimental feature that is not supported in the current environment.
As far as I can make out from this article, it should be in general release.
When connecting to Azure AD-secured APIs, we recommend that you use the MSGraphClient and AadHttpClient classes, which are now generally available. For more information about the recommended models, see Connect to Azure AD-secured APIs in SharePoint Framework solutions and Use the MSGraphClient to connect to Microsoft Graph.
When I go to the API management page in SP Admin site I get a popup stating
***Access to Azure Active Directory resources using the SharePoint Framework will be available soon.
So I'm a bit confused.
I also get an error on the API management page saying..
A null value was found with the expected type 'Edm.String[Nullable=False]'. The expected type 'Edm.String[Nullable=False]' does not allow null values.
I also get the same error when I try in PowerShell running
Get-SPOTenantServicePrincipalPermissionRequests
I'm not 100% sure I understand the relevance of the API management page - does an admin need to approve just once for the web part then all users are good to go?
I was having the same issue. The github thread can be found here. What fixed it for me was adding the account I was using as a site collection admin.
Connect-SPOService
Set-SPOUser -Site https://TENANT-admin.sharepoint.com -IsSiteCollectionAdmin $True -LoginName yourLoginName
I am trying to set up a FTP access to a website which is hosted on Azure:
From what I understand, there are two options: You can choose Username and Password in the management console when resetting your deployment credentials. Or you download the publishing profile and use the credentials which are shown in the FTP section of the XML.
However, none of the two seem to work for me. I keep getting the response:
530 User cannot log in.
The ftp server seems to be in place, just the credentials are wrong, obviously. I am 100% sure that I have no typos going on.
What am I missing here? Is there anything I need to configure prior to using FTP with the credentials provided by Azure?
It's probably that:
And more here:
MSDN Thread
Here is the link to the Windows Azure Service Dashboard:
http://www.windowsazure.com/en-us/support/service-dashboard/
30 Oct 2013
We are aware of an issue being reported regarding Windows Azure Web Sites FTP data access. We are responding to this issue with the highest level of priority. Further updates will be published to keep you apprised of the impact. We apologize for any inconvenience this causes our customers.
Last update: 31 Oct 2013 6:46 AM UTCWe are narrowing in on the issue with full engineering engagement. Web Site customers are advised to publish content using Web Deploy or Git which are fully functional. For details on using these methods, visit Azure.com and search for "Websites with Webmatrix" or "Publishing with Git". We apologize for any inconvenience this causes our customers and will provide an update at 2pm UTC.
answered Oct 31 '13 at 11:02
Cas Bloem
613
We apologize for any inconvenience this causes customers using FTP to publish content to Web Sites. Web Site customers are advised to use Web Deploy or Git which are fully functional. For details visit Azure.com and search for "Websites with Webmatrix" or "Publishing with Git". Engineering is fully focused on mitigation options. We will provide an update by 8pm UTC.
This is because userId and password you are using is not to be used while connecting.
There is a Get publish profile option in overview.Download it.Open it with notepad or visual studio.There is another userId and Password given.Use that.
For more info refer this official guide
I have created a custom claims provider to allow users to sign into SharePoint from an existing website. This issues claims including a claim of UPN in the format username#domain. The user can log in fine until I enable mapToWindows and useWindowsTokenService under samlSecurityTokenRequirement in the SharePoint web application web.config. At this point I get a standard SharePoint error message, and the following exception is visible in the trace.
Exception fetching current thread user in SPUtility.CacheClaimsIdentity: Exception of type 'System.ArgumentException' was thrown.
Parameter name: identity 0.00143314303912927 0.001357
Runtime Tag(tkau) System.ArgumentException: Exception of type 'System.ArgumentException' was thrown.
Parameter name: encodedValue
at Microsoft.SharePoint.Administration.Claims.SPClaimEncodingManager.DecodeClaimFromFormsSuffix(String encodedValue)
at Microsoft.SharePoint.Administration.Claims.SPClaimProviderManager.GetProviderUserKey(String encodedSuffix)
at Microsoft.SharePoint.ApplicationRuntime.SPHeaderManager.AddIsapiHeaders(HttpContext context, String encodedUrl, NameValueCollection headers)
at Microsoft.SharePoint.ApplicationRuntime.SPRequestModule.PreRequestExecuteAppHandler(Object oSender, EventArgs ea)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
I think that the c2wts impersonation part is working correctly because if I disable the AD account represented by the passed UPN claim then I get a different "access is denied" error shown in SharePoint when trying to log in as that user.
Also in the SharePoint log it does appear that the UPN has been converted to a Windows AD account because I get the following in the log:
Verbose ____Current User=i:DOMAINNAME\SSO_administrator 7b4eac31-d017-429c-87f2-a3100ece6797
Update
It looks like maybe this isn't a supported setting to use within SharePoint. However if I leave the setting off, it seems that Performance Point and Excel Services reports embedded in the SharePoint site do not work properly. I get errors like:
The data connection uses Windows Authentication and user credentials could not be delegated. (Excel)
$Resources:ppsma.ServerCommon, ErrorCode_DataSourceCannotGetWindowsIdentityForNonWindowsClaim; (Performance Point SSRS report)
Is there a way around this? I need the user's UPN to be the account used to query the SSAS data behind these, so it is not feasible to use fixed connection strings.
I think there are a lot of information on a SharePoint forum about Claims-based access platform (Geneva) forums
This is some of the searches which hopefully will helps you to manage the issue:
Claims Login Web Part for SharePoint Server 2010
SP2010 Custom Role Provider - Roles.GetRolesForUser(userName) raises exception
How do i redirect the user from Active Directory or Sqlmembership provider to sharepoint default.aspx page or home page after logged in using custom log in page.
Vittorio Bertocci's Blog
SAML 2.0 Protocol Blog
SAML 2.0 Windows Identity Foundation Extension
It turns out that the mapToWindows config value is not supported within SharePoint. You have to rely on each part of SharePoint being claims aware and converting the token themselves. This is a bit of pain because PerformancePoint and Excel Services are not claims aware, so you end up being stuck using Windows auth if your SSAS cube requires AD security.