I have the following issue when using BizTalk 2013 ("R1") and SharePoint Online:
I have a static send port configured to add data to one specific list in a list in a SharePoint Online environment.
I have authentication setup using the username and password and I'm 100% sure this is a correct username and password. I'm able to login using the same credentials via a browser without problem.
FYI: the account used is a "Microsoft" only account, so not listed as an organizational (work/school) account as well.
Whenever I try to send something to the list, I get the following error:
A message sent to adapter "Windows SharePoint Services" on send port "SP_SharePointOnline" with URI "wsss://company.sharepoint.com:443/sites/poc/Biztalk-Demo/TR/Lists/List%%201" is suspended.
Error details: [System.ServiceModel.CommunicationObjectFaultedException] The communication object, System.ServiceModel.Channels.ServiceChannel, cannot be used for communication because it is in the Faulted state.
This error was triggered by the Windows SharePoint Services receive location or send port with URI wsss://company.sharepoint.com:443/sites/poc/Biztalk-Demo/TR/Lists/List%%201.
Windows SharePoint Services adapter event ID: 12310
I have enabled WCF and WIF tracing in the BizTalk BTSNTSvc.exe and BTSNTSvc.exe.config as follows:
<system.diagnostics>
<sources>
<source name="Microsoft.IdentityModel" switchValue="Verbose">
<listeners>
<add name="wif" />
</listeners>
</source>
<source name="System.ServiceModel.MessageLogging" switchValue="Verbose">
<listeners>
<add name="wcf" />
</listeners>
</source>
</sources>
<sharedListeners>
<add initializeData="C:\logs\WCF64.svclog" type="System.Diagnostics.XmlWriterTraceListener" name="wcf" />
<add initializeData="C:\logs\WIF64.svclog" type="System.Diagnostics.XmlWriterTraceListener" name="wif" />
</sharedListeners>
I get WCF logging, but I don't have any WIF logging (as I would expect).
The WCF logging provided the following as to why the channel faults (extract from WCF Trace Viewer):
<S:Fault>
<S:Code>
<S:Value>S:Sender</S:Value>
<S:Subcode>
<S:Value>wst:FailedAuthentication</S:Value>
</S:Subcode>
</S:Code>
<S:Reason>
<S:Text xml:lang="en-US">Authentication Failure</S:Text>
</S:Reason>
<S:Detail>
<psf:error>
<psf:value>0x80048821</psf:value>
<psf:internalerror>
<psf:code>0x80041012</psf:code>
<psf:text>The entered and stored passwords do not match.
</psf:text>
</psf:internalerror>
</psf:error>
</S:Detail>
</S:Fault>
As said: I'm 100% sure this is the correct username and password!
I'm stuck here, anyone able to help me out or point me in the right direction?
Why don't I have any WIF logging?
Regards,
I think there is a problem in your URL. what if you try to use in the utl the link to your sharepoint site and the name of your List as "Destination Folder URL".
you can check this walkthrough
Related
We have a simple Azure App Service app and part of that app accesses a SharePoint doc library to upload files. This has worked for years but recently stopped working. We generated a new clientid and secret thinking that was the problem - still no luck. We have been working with Microsoft for 3 weeks on the problem and they have been useless - they don't even know what a doc library is most the time and all they do is "take screenshots and will get back."
I can get a token and use it to pull resources in Postman just fine.
The following is the code in web.config:
`<appSettings>
<add key="webpages:Version" value="3.0.0.0" />
<add key="webpages:Enabled" value="false" />
<add key="ClientValidationEnabled" value="true" />
<add key="UnobtrusiveJavaScriptEnabled" value="true" />
<add key="ida:ClientId" value="spclientid" />
<add key="ida:AADInstance" value="https://login.microsoftonline.com/" />
<add key="ida:ClientSecret" value="spclientsecret" />
<add key="ida:Domain" value="ourdomain.com" />
<add key="ida:TenantId" value="tenantid" />
<add key="ida:PostLogoutRedirectUri"
value="https://login.microsoftonline.com/common/oauth2/v2.0/logoutsession/" />
</appSettings>`
Errors:1
Error :2
Error: 3
At our rope's end with this one, any ideas?
Thanks in advance.
• You must use ‘AllowAppOnlyPolicy=true’ in your manifest file for the registered Azure AD sharepoint app to acquire token from the registered application in Azure AD on behalf of the service principal created through your ‘App Service’. Also, you can grant the required permissions for accessing the sharepoint online website through your ‘App service’ as shown below in the snapshot through the Azure AD app registration portal instead of the ‘App manifest’ file: -
Thus, when you are providing the correct permissions to the ‘Sharepoint’ portal through this ‘Service Principal’ in Azure AD for OAuth 2.0 as well as configuring the ‘Authentication’ token and protocols too correctly, the Azure App Service should be able to access the Sharepoint doc library to upload files.
• Finally, please once again check the correct value of the secret ID and its value that is being used to connect to the sharepoint website on behalf of the SP app in Azure AD. Also, do check the correct tenant ID, domain and AADInstance of the registered SP for your app service, the details of which you have mentioned in the ‘App settings.json’ file of the code.
For more details and clarification on this, kindly refer to the below links explaining the issues regarding the ‘Sharepoint’ token helper issues and CSOM platform issues regarding various browsers that are used to try to access the same: -
https://github.com/SharePoint/sp-dev-docs/issues/6955
https://learn.microsoft.com/en-us/sharepoint/dev/spfx/use-aadhttpclient
I have website that is Hosted in a Azure App Service. are there any options in azure so that I can put a password on the website. Ideally without changing the websites code.
Just a basic password or user name and password, doesn't need to be google or facebook login or AD login.
It is a .net based website and I have seen a few options to do this, but it means I have to change the code of the website in someway or another.
Surely with all that sophisticated cloud technology, I can go in to the portal and set a password at a server level? - Or is the only way to make some kind of change to the application?
It is possible to enable Basic Authentication for Azure Web Apps with some settings in the applicationHost.xdt. You can load some modules in this file on the start of your Web App.
Steps:
Navigate to your WebApp in the Azure Portal
In the left menu, search for the header Development Tools an select Advanced Tools (Kudu)
Use the Debug Console > CMD tool, to navigate to the WebApp directory: \home\site
Create a file named: applicationHost.xdt
Paste the following:
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<location path="%XDT_SITENAME%" xdt:Locator="Match(path)">
<system.webServer>
<rewrite xdt:Transform="InsertIfMissing">
<allowedServerVariables xdt:Transform="InsertIfMissing">
<add name="RESPONSE_WWW_AUTHENTICATE" xdt:Locator="Match(name)" xdt:Transform="InsertIfMissing" />
</allowedServerVariables>
<rules xdt:Transform="InsertIfMissing">
<rule name="BasicAuthentication" stopProcessing="true" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)">
<match url=".*" />
<conditions>
<add input="{HTTP_AUTHORIZATION}" pattern="^Basic dXNlcjpwYXNzd29yZA==" ignoreCase="false" negate="true" />
</conditions>
<action type="CustomResponse" statusCode="401" statusReason="Unauthorized" statusDescription="Unauthorized" />
<serverVariables>
<set name="RESPONSE_WWW_AUTHENTICATE" value="Basic realm=Project" />
</serverVariables>
</rule>
</rules>
</rewrite>
</system.webServer>
</location>
</configuration>
Change the Basic Auth to your liking (default in example is: user:password)
Make sure the web.config rewrite rules don't contain <clear /> as this wil remove the effects from the applicationHost.xdt file
Save the file and Stop and Start your WebApp (a simple Restart will not suffice)
Notes:
Not sure if this works on Linux based WebApps..
You can add this step to you're deployment pipelines by using FTP
Update: I've noticed issues with applicationHost.xdt while using it on secondary Web App slots. Only the primary slot seems to work.
PS: Cross-post from my answer here.
You can use Authentication and authorization in Azure App Service.
Authentication/Authorization was previously known as Easy Auth.
Azure App Service provides built-in authentication and authorization support, so you can sign in users and access data by writing minimal or no code in your web app, RESTful API, and mobile back end, and also Azure Functions. This article describes how App Service helps simplify authentication and authorization for your app.
Source: Authentication and authorization in Azure App Service and Azure Functions.
EDIT:
The above is a solution to have a password protected App Service without changing any code whatsoever. At this point there is no alternative, as you can see in the open feedback issue Allow HTTP Basic authentication on basic apps
Hi everyone, we understand the demand for this feature, but we do not plan to support authentication at this level. We suggest using EasyAuth for this scenario.
https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization
EDIT 2:
This method forces the user to use google or facebook, etc...
This is not true. You can also create a user in your Azure Active Directory and use that one with Easy Auth. The username would be something like username#<YOUR-TENANT>.onmicrosoft.com
I just start to learn new Office 365 API. I'm also not so deep understand server-side programming. I have VS2013 and all pre-requisites as pointed in the link bellow. Some example with Windows Desktop App worked. But when I get example https://code.msdn.microsoft.com/Office-365-APIs-Get-d75d1c8a - it fails during setting up in Service Manager after Sign-In to O365.
The error message - "Unsupported or invalid query filter clause specified for property '' appId of resource 'Service Principal' ". This message appear instead permissions in Service Manager. When I press OK - "Sign In" point in Service Manager still there - Authentication Failed.
Please help!
You need to remove the existing client id and settings from app.config (or web.config in web project). When I removed the following from App.config in the Office365Api.Demo project, I was able to register the app in my own Azure AD.
<add key="ida:ClientId" value="[put here your ClientID]" />
<add key="ida:RedirectUri" value="http://localhost/eb2c041088c22f67fecaffda29528308" />
<add key="ida:AuthorizationUri" value="https://login.windows.net/" />
I have problem to call Azure WCF Service from sandbox Visual Web Part Sharepoint 2010. All installed al local computer Windows 7 64 Ultimate -
Sharepoint Foundation 2010 to develop web parts and Visual Studio 2010 with Azure SDK. Web Service starting in local Azure Emulator, web part in local computer.
When i use standart master "Add Service Reference" to web part, that generate app.config, then throw error:
ServiceReference1.Service1Client serv = new ServiceReference1.Service1Client();
Label1.Text = serv.GetData(9);
Could not find default endpoint element that references contract 'ServiceReference1.IService1' in the ServiceModel client configuration section.
This might be because no configuration file was found for your application, or because no endpoint element matching this contract could be found in the client element.
When i create connection programmatically -
EndpointAddress adr = new EndpointAddress(new Uri("http://127.0.0.1:81/Service1.svc"));
BasicHttpBinding basic = new BasicHttpBinding();
ChannelFactory<ServiceReference1.IService1Channel> fact = new ChannelFactory<ServiceReference1.IService1Channel>(basic, adr);
Label1.Text = fact.CreateChannel().GetData(8);
throw error:
Request for the permission of type "System.Net.WebPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089".
app.config webpart:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding_IService1" />
</basicHttpBinding>
</bindings>
<client>
<endpoint address="http://127.0.0.1:81/Service1.svc" binding="basicHttpBinding"
bindingConfiguration="BasicHttpBinding_IService1" contract="ServiceReference1.IService1"
name="BasicHttpBinding_IService1" />
</client>
</system.serviceModel>
</configuration>
web.config Azure WCF Service:
<?xml version="1.0"?>
<configuration>
<configSections>
</configSections>
<!-- To collect diagnostic traces, uncomment the section below or merge with existing system.diagnostics section.
To persist the traces to storage, update the DiagnosticsConnectionString setting with your storage credentials.
To avoid performance degradation, remember to disable tracing on production deployments.
<system.diagnostics>
<sharedListeners>
<add name="AzureLocalStorage" type="WCFServiceWebRole1.AzureLocalStorageTraceListener, WCFServiceWebRole1"/>
</sharedListeners>
<sources>
<source name="System.ServiceModel" switchValue="Verbose, ActivityTracing">
<listeners>
<add name="AzureLocalStorage"/>
</listeners>
</source>
<source name="System.ServiceModel.MessageLogging" switchValue="Verbose">
<listeners>
<add name="AzureLocalStorage"/>
</listeners>
</source>
</sources>
</system.diagnostics> -->
<system.diagnostics>
<trace>
<listeners>
<add type="Microsoft.WindowsAzure.Diagnostics.DiagnosticMonitorTraceListener, Microsoft.WindowsAzure.Diagnostics, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
name="AzureDiagnostics">
<filter type="" />
</add>
</listeners>
</trace>
</system.diagnostics>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior>
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpGetEnabled="true"/>
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
</configuration>
P.S. When all moved to work deployment - Azure и Sharepoint Online - errors again. I create connection programmatically, because read, that in sandbox
solutions app.config not deployed with web part, we must duplicate his code in web.config Sharepoint 2010 - but in Sharepoint Online this file is closed from developers!
I have verified first that you sure can use SharePoint Designer 2010 to create an external content type that consumes and writes data to SQL Server, a Windows Communication Foundation (WCF) Service or a .NET type.
Next SharePoint BCS supports both SOAP and OData however WCF Data Services supports OData services, so to consume a WCF Data Service, you need OData base connectivity. Data view web parts can issue GET requests which works for OData feeds.
SharePoint Online Office 365 supports sandbox solutions which means .Net/C# code and solution deployed web parts are possible however I am not sure if connecting SP Web Parts is possible in the way that you describe because sandbox solutions don't support making outbound web calls.
Have you verified the last part?
You receive correct error from the SharePoint
Request for the permission of type "System.Net.WebPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089".
This is because Sandbox restrictions. You can see all permissions which are denied to the sandbox code from this MSDN article. And WebPermission along with SocketPermission which are dinied for code in sandbox solution.
If you want to access external services, does not matter using the TCP or HTTP protocol you should move to the full trust solutions.
I would like to use integrated authentication to access a SQL database from a web part. It should use the IIS Application pool identity.
By default you will get the error:
System.Data.SqlClient.SqlException: Login failed for user 'SERVER\IUSR_VIRTUALMACHINE'.
Because in web.config impersonation is set to true:
<identity impersonate="true" />
I can set this to false and the database code will work. Anonymously accessed sites will also work. Any SharePoint site that uses authentication will fail however so this is not really a solution..
To solve this would I have to encapsulate all my database access code to run with elevated priviliges, is that how SharePoint does it internally? Somehow that doesn't seem like the most performant solution.
Is that still the way to go, just use SQL security to access databases from SharePoint custom web parts?
The <identity /> and <authentication /> elements in the web.config file will together determine the account that is used in to connect to SQL Server when using integrated authentication.
When <authentication mode="Windows" /> is configured, you're deferring to IIS to authenticate users. I'm guessing that your your web.config contains:
<authentication mode="Windows" />
<identity impersonate="true" />
and that IIS is configured to allow anonymous users. Setting <identity impersonate="true" /> causes IIS to pass the identity of the IIS anonymous access account to SQL Server.
As Lars point out, using SPSecurity.RunWithElevatedPrivileges will achieve what you want. I don't believe you'll see any noticeable impact on performance but that's something you can test :-)
Use SPSecurity.RunWithElevatedPrivileges to run your code in the context of the app pool identity.
This is incorrect. Because <identity impersonate="true" /> is set to true ASP.NET / IIS will run the thread as the user that is currently logged in (so not the app pool account but the actual user logged into the website).
Something else is going on here. Could you post your connection string for the custom database? (minus the private data off course)