Microsoft Dynamics CRM (Archived)

Server Base SharePoint Integration

Posted on by Microsoft Employee

Dear All,

I have installed and configured successfully the server-base integration.

For security reasons we had to change the service account password.

Now when a user (system administrator included) tries to open a document location CRM returns a 401 unauthorized error.

In detail I obtained this error message:

<errorlog><sites>
  <site>
   <url>https://my-sharepoint-url</url>
   <exception>Certificate: CN=domain.name with FindType: FindBySubjectDistinguishedName was not found in Store: My at StoreLocation: LocalMachine.</exception>
   <errorcode>-2147088205</errorcode>
  </site>
 </sites></errorlog>

What can I do to fix?

Thank you.


  • Zaralus 10 on at
    RE: Server Base SharePoint Integration

    We fixed our issue with the certificate not being in the Store by deleting certificates that we had on the front end servers that had the same distinguished name (Subject). The distinguished name must be unique on the server for your certificate, not just the thumbprint.
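A way to check a server for the condition described in this reply, as an added example that is not part of the original thread: it lists every certificate in `LocalMachine\My` whose subject distinguished name is shared with another certificate, then reports how many certificates match the subject CRM looks up. The subject value is the placeholder from the error message above.

```powershell
# Added example (not from the original thread). Run elevated on each CRM server.
# $subject is the placeholder DN from the error message; replace it with your own.
$subject = 'CN=domain.name'
$now     = Get-Date

# Build one row per certificate, flagging subjects that occur more than once.
$report = Get-ChildItem -Path Cert:\LocalMachine\My |
    Group-Object -Property Subject |
    ForEach-Object {
        $group = $_
        $group.Group | ForEach-Object {
            [pscustomobject]@{
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                Expired       = ($_.NotAfter -lt $now)
                HasPrivateKey = $_.HasPrivateKey
                SharedSubject = ($group.Count -gt 1)
            }
        }
    }

# Certificates that share a subject DN with at least one other certificate.
$report | Where-Object { $_.SharedSubject } |
    Sort-Object Subject, NotAfter |
    Format-Table Subject, Thumbprint, NotAfter, Expired, HasPrivateKey -AutoSize

# How many certificates would a lookup by this subject DN return?
$hits = @($report | Where-Object { $_.Subject -eq $subject })
switch ($hits.Count) {
    0       { Write-Warning "No certificate with subject '$subject' in LocalMachine\My." }
    1       { Write-Output  "Exactly one certificate matches '$subject': $($hits[0].Thumbprint)" }
    default { Write-Warning "$($hits.Count) certificates share subject '$subject'; remove or re-issue the stale ones." }
}

# A certificate used for token signing also needs its private key on this server.
$hits | Where-Object { -not $_.HasPrivateKey } | ForEach-Object {
    Write-Warning "Certificate $($_.Thumbprint) has no private key in this store."
}
```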

  • Zaralus Profile Picture
    Zaralus 10 on at
    RE: Server Base SharePoint Integration

    Hey, we are getting the same issue when setting this up on production environment (We have it working in our UAT environment). I tried the steps you mentioned but I'm still getting the same error. Does the certificate only need to be installed on the async servers or is it required elsewhere as well?

  • Suggested answer
    Community Member Microsoft Employee on at
    RE: Server Base SharePoint Integration

    Ok Guys, I have found the solution also for this step.

    I have to create a new New-SPTrustedSecurityTokenIssuer following the step reported in the official CRM documentation

    New-SPTrustedSecurityTokenIssuer -Name "crm" -IsTrustBroker:$false -MetadataEndpoint "https://CrmServer/XrmServices/2015/metadataendpoint.svc/json?orgName=OrganizationName"

    This is enough.

    The AppPrincipal is already registered and CRM is configured.

    I had only to register a new Trusted Security Token Issuer and in this way the JWT token is validated.
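To confirm which signing certificate SharePoint trusts for the issuer registered in this answer, the following added example (not part of the original thread) reads the issuer back and compares its signing certificate with the certificate CRM now uses. The issuer name `crm` comes from the command above; the thumbprint is a placeholder you must supply.

```powershell
# Added example (not from the original thread). Run on a SharePoint farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName         = 'crm'                                   # name used in the answer above
$expectedThumbprint = '<THUMBPRINT-OF-CURRENT-CRM-S2S-CERT>'  # placeholder, supply your own

$issuer = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq $issuerName }
if (-not $issuer) {
    Write-Warning "No trusted security token issuer named '$issuerName' is registered."
    return
}

# Show what SharePoint has stored for this issuer.
$signing = $issuer.SigningCertificate
[pscustomobject]@{
    Name                 = $issuer.Name
    RegisteredIssuerName = $issuer.RegisteredIssuerName
    MetadataEndPoint     = $issuer.MetadataEndPoint
    SigningThumbprint    = if ($signing) { $signing.Thumbprint } else { $null }
    SigningNotAfter      = if ($signing) { $signing.NotAfter }   else { $null }
} | Format-List

# Normalise the thumbprint (copy/paste often adds spaces) before comparing.
$expected = ($expectedThumbprint -replace '\s', '').ToUpperInvariant()

if ($null -eq $signing) {
    Write-Warning "Issuer '$issuerName' has no signing certificate loaded."
}
elseif ($signing.Thumbprint -ne $expected) {
    # A mismatch here is consistent with 'Could not resolve issuer token':
    # the JWT is signed with a certificate this issuer entry does not contain.
    Write-Warning "Issuer trusts $($signing.Thumbprint), but CRM signs with $expected."
}
elseif ($signing.NotAfter -lt (Get-Date)) {
    Write-Warning "The trusted signing certificate expired on $($signing.NotAfter)."
}
else {
    Write-Output "Issuer '$issuerName' trusts the expected, unexpired signing certificate."
}
```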

  • Community Member Microsoft Employee on at
    RE: Server Base SharePoint Integration

    Ok, I have fixed this issue, but there is a new one.

    In the meantime I have installed a new certificate because the old was expired.

    I have installed it on my server and configured IIS to use the new certificate.

    But this action does not update the certificate used during the server base authentication.

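    I have used the following script to remove the old certificate

    # Load the Dynamics CRM cmdlets
    Add-PSSnapin Microsoft.Crm.PowerShell
    $Certificates = Get-CrmCertificate
    $alternativecertificate = $null
    # Pick the certificate registered for server-to-server (S2S) token issuing
    foreach ($cert in $Certificates)
    {
     if ($cert.CertificateType -eq "S2STokenIssuer")
     {
      $alternativecertificate = $cert
     }
    }
    # Remove it only if one was found
    if ($alternativecertificate) { Remove-CrmCertificate -Certificate $alternativecertificate }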

    and add the new one:

    .\CertificateReconfiguration.ps1 -certificateFile C:\certificate.pfx -password <password> -updateCrm -certificateType S2STokenIssuer -serviceAccount Contoso\CrmServiceAccount -storeFindType FindBySubjectDistinguishedName

    Now the certificate is configured but when I try to see the document in SharePoint via CRM, it returns this error:

    <errorlog><sites>
      <site>
       <url>https://my-sharepoint-url</url>
       <exception>The remote server returned an error: (401) Unauthorized.</exception>
       <errorcode>-2147088205</errorcode>
       <correlation>7fef4e9e-95f3-0041-8d6c-90714f0e63aa</correlation>
      </site>
     </sites></errorlog>

    And looking into the SharePoint log I get this error description:

    SPApplicationAuthenticationModule: Invalid token or signature. Exception: System.IdentityModel.Tokens.SecurityTokenException: Invalid JWT token. Could not resolve issuer token.

    Application error when access /_vti_bin/sites.asmx, Error=Invalid JWT token. Could not resolve issuer token.

    So for me it is obvious that I have to update the SharePoint Security Token Configuration, but I don't know how. Also, in CRM there is no button to start the wizard again.

    Thanks
