Microsoft Dynamics CRM (Archived)

Error in server-based authentication with Microsoft Dynamics CRM on-premises and SharePoint on-premises

Hi everyone!

I am trying to configure server-based authentication with Microsoft Dynamics CRM on-premises IFD and SharePoint on-premises, following the instructions given here: technet.microsoft.com/.../dn949332.aspx. After all the steps, when I attempt to enable server-based SharePoint integration in CRM, I get an authorization error 401.

On the SharePoint side I use the code from the article, with the missing pieces added:

# Let the SharePoint STS read metadata and accept OAuth over plain HTTP
# (the CRM metadata endpoint below is an http:// URL)
$c = Get-SPSecurityTokenServiceConfig
$c.AllowMetadataOverHttp = $true
$c.AllowOAuthOverHttp = $true
$c.Update()

# Register CRM as a trusted security token issuer from its metadata endpoint
$i = New-SPTrustedSecurityTokenIssuer -Name "crm" -IsTrustBroker:$false -MetadataEndpoint "http://crm.domain.local/XrmServices/2015/metadataendpoint.svc/json?orgName=CRMOrgName"

# App principal name identifier in the form <client ID>@<realm ID>
$CrmRealmId = "1ab70db4-70f2-49fa-9713-9990863f365d"
$Identifier = "00000007-0000-0000-c000-000000000000@" + $CrmRealmId

# Register the CRM app principal on the site collection
$site = Get-SPSite "https://portal.domain.net/sites/crm/"
Register-SPAppPrincipal -site $site.RootWeb -NameIdentifier $Identifier -DisplayName "crm"

# Grant the principal FullControl on the site collection with app-only policy
$app = Get-SPAppPrincipal -NameIdentifier $Identifier -Site "https://portal.domain.net/sites/crm/"
Set-SPAppPrincipalPermission -AppPrincipal $app -Site $site.Rootweb -Scope "sitecollection" -Right "FullControl" -EnableAppOnlyPolicy

# Set up claims-based authentication mapping
New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

Logs on the SharePoint server contain the following errors:

02.26.2016 09:35:17.75	w3wp.exe (0x1BEC)	0x1880	SharePoint Portal Server	User Profiles	aiadx	High	Error converting nameId to SecurityIdentifier. This means caller is sending old format NameId (UPN value). This is not how O15 will ship.. The exception message is 'System.ArgumentException: Value was invalid.  Parameter name: sddlForm

02.26.2016 09:35:17.75	w3wp.exe (0x1BEC)	0x1880	SharePoint Portal Server	User Profiles	ae0s1	High	Identity claims mapped to '0' user profiles. Claims: [nameid: 'UserPupkin', nii: 'windows', upn: '', smtp: '', sip: ''], User Profiles:

02.26.2016 09:35:17.76	w3wp.exe (0x1BEC)	0x1880	SharePoint Portal Server	User Profiles	ae0sr	Unexpected	UserProfileException caught.. Exception Microsoft.Office.Server.Security.UserProfileNoUserFoundException: 3001002;reason=The incoming identity is not mapped to any user profile account in SharePoint. Possible cause is that no user profiles are created in user profile database. Contact your administrator.     

02.26.2016 09:35:17.76	w3wp.exe (0x1BEC)	0x1880	SharePoint Portal Server	User Profiles	ae0su	High	The set of claims could not be mapped to a single user identity. Exception 3001002;reason=The incoming identity is not mapped to any user profile account in SharePoint. Possible cause is that no user profiles are created in user profile database. Contact your administrator. has occured. 

02.26.2016 09:35:17.76	w3wp.exe (0x1BEC)	0x1880	SharePoint Foundation	Claims Authentication	ae0tc	High	The registered mappered failed to resolve to one identity claim. Exception: Microsoft.Office.Server.Security.UserProfileNoUserFoundException: 3001002;reason=The incoming identity is not mapped to any user profile account in SharePoint. Possible cause is that no user profiles are created in user profile database. Contact your administrator.

02.26.2016 09:35:17.76	w3wp.exe (0x1BEC)	0x1880	SharePoint Foundation	Claims Authentication	af3zp	Unexpected	STS Call Claims Saml: Problem getting output claims identity. Exception: 'Microsoft.Office.Server.Security.UserProfileNoUserFoundException: 3001002;reason=The incoming identity is not mapped to any user profile account in SharePoint. Possible cause is that no user profiles are created in user profile database. Contact your administrator.

02.26.2016 09:35:17.84	w3wp.exe (0x2338)	0x2F34	SharePoint Foundation	Claims Authentication	adlmz	High	[Forced due to logging gap, cached @ 02/26/2016 09:35:16.72, Original Level: Verbose] SPRequestSecurityToken: SerializeProperty() serializing elementname:{0}, with value:{1}.

02.26.2016 09:35:17.90	w3wp.exe (0x2338)	0x2F34	SharePoint Foundation	Claims Authentication	fsq7	High	SPSecurityContext: Request for security token failed with exception: System.ServiceModel.FaultException: The server was unable to process the request due to an internal error.  For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs.

02.26.2016 09:35:17.92	w3wp.exe (0x2338)	0x2F34	SharePoint Foundation	Claims Authentication	8306	Critical	An exception occurred when trying to issue security token: The server was unable to process the request due to an internal error.  For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs..

02.26.2016 09:35:18.08	w3wp.exe (0x1BEC)	0x1894	SharePoint Foundation	Claims Authentication	amcbl	Medium	Trusted provider is missing. Provider: '00000003-0000-0ff1-ce00-000000000000'

02.26.2016 09:35:18.09	w3wp.exe (0x1BEC)	0x1894	SharePoint Foundation	Claims Authentication	af3y9	Medium	STS Call Claims Saml: Successfully requested oauth claim identity.

The Profile Service is running and is synchronized with AD. I do not know where to look.
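
Added example, not part of the original post: a PowerShell filter that pulls the identity values out of "Identity claims mapped to" ULS entries like the one quoted above, so it is visible which lookup keys (nameid, upn, smtp, sip) reached the user-profile lookup empty. The function name `Get-UlsIdentityClaim` and the sample rows are constructed here, and the column layout is assumed to match the tab-separated lines in the post.

```powershell
# Added example. Constructed sample rows in the tab-separated ULS layout quoted
# in the post: time, process, thread, area, category, event ID, level, message.
$sample = @(
    "02.26.2016 09:35:17.75`tw3wp.exe (0x1BEC)`t0x1880`tSharePoint Portal Server`tUser Profiles`tae0s1`tHigh`tIdentity claims mapped to '0' user profiles. Claims: [nameid: 'UserPupkin', nii: 'windows', upn: '', smtp: '', sip: ''], User Profiles:"
    "02.26.2016 09:35:18.09`tw3wp.exe (0x1BEC)`t0x1894`tSharePoint Foundation`tClaims Authentication`taf3y9`tMedium`tSTS Call Claims Saml: Successfully requested oauth claim identity."
)

# Hypothetical helper (not a SharePoint cmdlet): emits one object per ULS row
# that lists the identity claims SharePoint tried to map to a user profile.
function Get-UlsIdentityClaim {
    param([Parameter(Mandatory)][string[]]$Line)

    $claimsPattern = 'Claims: \[(?<claims>[^\]]*)\]'
    $pairPattern   = "(?<name>\w+): '(?<value>[^']*)'"
    $countPattern  = "mapped to '(?<n>\d+)' user profiles"

    foreach ($row in $Line) {
        $f = $row -split "`t", 8                    # message is the 8th column
        if ($f.Count -lt 8) { continue }            # skip wrapped or partial rows

        $claimsMatch = [regex]::Match($f[7], $claimsPattern)
        if (-not $claimsMatch.Success) { continue } # row carries no claim set

        # Collect each "name: 'value'" pair in the order the log prints them
        $claims = [ordered]@{}
        foreach ($p in [regex]::Matches($claimsMatch.Groups['claims'].Value, $pairPattern)) {
            $claims[$p.Groups['name'].Value] = $p.Groups['value'].Value
        }
        $countMatch = [regex]::Match($f[7], $countPattern)

        [pscustomobject]@{
            Time            = $f[0]
            EventId         = $f[5]
            NameId          = $claims['nameid']
            Nii             = $claims['nii']
            EmptyClaims     = @($claims.Keys | Where-Object { $claims[$_] -eq '' }) -join ', '
            MatchedProfiles = if ($countMatch.Success) { [int]$countMatch.Groups['n'].Value } else { $null }
        }
    }
}

Get-UlsIdentityClaim -Line $sample | Format-List
```

To run it against a real log, pass the file's lines instead of the sample, for example `-Line (Get-Content <path to ULS log>)`.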

  • Suggested answer
    Bas van de Sande

    Hi Sergey,

    Did you enable the claims to windows service on the SharePoint server?

    www.topsharepoint.com/enabling-or-disabling-claims-based-authentication

    You need to have claims enabled, otherwise you are not able to connect to SharePoint from within CRM. I enclosed a link that explains how to configure SharePoint properly.

    Bas

  • Community Member

    Hi Bas!

    All Web Applications are set to Claims Based Authentication, except the Central Administration site.

    Sergey

  • Community Member

    I'm having the exact same problem. Logged 35 hours with Microsoft on the phone and still no resolution. You ever figure this out?

  • Bas van de Sande

    Hi Sergey,

    A couple of questions:

    Are you able to access the SharePoint server using a browser from the server CRM is running on? Do you get a login dialog on SharePoint?

    Are both servers running on the same domain?

    In case you are not running in the same domain, are there any trusts between the domains?

    Bas

  • Community Member

    Are you able to access the SharePoint server using a browser from the server CRM is running on? Yes, I can.

    Do you get a login dialog on SharePoint? The first time, yes, I do, and I log in with my Windows credentials and I am in. If I add it to my local intranet sites I do not get the pop-up.

    Are both servers running on the same domain? Yes, they are both running on the same domain (they don't have the same .com for the web application (IIS)), but the servers are on the same internal domain.

  • Community Member

    Hi Bas!

    Yes, there is access from the CRM server.

    On the SharePoint server the password prompt is not shown; the address *.domain.net is added to trusted sites.

    There is one domain in one forest.

    Sergey.

  • Bas van de Sande

    Hi Sergey,

    Did you ensure your SharePoint environment meets all requirements?

    Below I listed the list from the MS KB article you mentioned:

    ◦ SharePoint must be configured for a single farm deployment only.

    ◦ In order to use the default claims-based authentication mapping, the Active Directory domain where the SharePoint server and Microsoft Dynamics CRM server are located must either be the same or the domain where SharePoint server is located must trust the domain where Microsoft Dynamics CRM Server is located.

    ◦ The SharePoint website must be configured to use TLS/SSL (HTTPS) and the certificate must be issued by a public root Certificate Authority.

    ◦ The App Management Service Application Proxy must be created and started.

    --> this one is tricky to set up! Verify if the thing works by adding apps to the app store!

    ◦ A User Profile Service Application must be configured and started.

    --> you have to verify its workings

    Bas

  • Community Member

    Hi Bas!

    1) Single farm - as I understand it, this means the SP deployment has only one server farm? If so, yes!

    2) SharePoint and CRM are in one domain.

    3) SharePoint uses an HTTPS certificate and it is trusted.

    4) App Management Service Application Proxy - started. As I understand it, the service works: applications from the SharePoint Store download and install to the site.

    5) User Profile Service Application - started. Profiles are synchronized, and the functions associated with the User Profile Service are working.

    Sergey

  • Bas van de Sande

    Hi Sergey,

    did you check the troubleshooting guide:  technet.microsoft.com/.../dn946906.aspx

    an alternative might be:

    technet.microsoft.com/.../dn894708.aspx

    Bas

  • Community Member

    And in general, has anybody successfully set up such a combination?

    Here's another interesting point. The code for OneDrive integration given here does not work: (https://technet.microsoft.com/en-us/library/26cad581-33b0-4025-9964-d289363c4245#addOneDrive)

    Add-Pssnapin *
    # Access WellKnown App principal
    [Microsoft.SharePoint.Administration.SPWebService]::ContentService.WellKnownAppPrincipals
    
    # Create WellKnown App principal
    $ClientId = "00000007-0000-0000-c000-000000000000"
    $PermissionXml = "<AppPermissionRequests AllowAppOnlyPolicy=""true""><AppPermissionRequest Scope=""sharepoint/.../tenant"" Right=""FullControl"" /><AppPermissionRequest Scope=""sharepoint/.../tenant"" Right=""Read"" /><AppPermissionRequest Scope=""http://sharepoint/search"" Right=""QueryAsUserIgnoreAppPrincipal"" /></AppPermissionRequests>"
    
    $wellKnownApp= New-Object -TypeName "Microsoft.SharePoint.Administration.SPWellKnownAppPrincipal" -ArgumentList ($ClientId, $PermissionXml)
    
    $wellKnownApp.Update()


    At this link (msdn.microsoft.com/.../dn778185.aspx) there were traces of the class "SPWellKnownAppPrincipal", but it says that it is no longer available.
