
Hi All,
version: BC 19.0.29844.30666
deployment: OnPrem
authentication type: AD synched to AAD
issue: when a user opens his OneDrive from the BC WebClient, an error pops up: Failed to acquire access token
System configuration:
1. App is registered on Azure
2. all the permissions are applied on the App
3. redirect URI is configured to point to the localhost of the NST server
4. client certificate is issued and secret is generated
5. setup on page "Microsoft Sharepoint Connection Setup" is configured as expected
   - for OneDrive integration
6. Self-signed certificate is issued and imported on the NST server
   - permissions on the certificate are applied as expected (NST user has been granted read and full permissions on the certificate)
7. NST is restarted
Question 1: Do I need to insert the certificate thumbprint in the NST config?
Question 2: Self-signed certificate is not uploaded to the App in Azure. Should I upload the certificate?
Thanks, Damjan
Hello,
Question 1: Do I need to insert the certificate thumbprint in the NST config?
Answer Microsoft:
This is only required when authentication type is NavUserPassword / AccessControlService / UserName for NST. Only NavUserPassword / AccessControlService are considered to be classified as Modern Authentication. Microsoft recommends AccessControlService / Azure AD authentication. Since you mentioned you are using AD Synch Tool, I am pretty sure your company is using Azure AD authentication which is a great infrastructure choice with very limited administrative work.
Question 2: Self-signed certificate is not uploaded to the App in Azure. Should I upload the certificate?
Answer Microsoft:
This is not required for the scenario to work.
The failure to acquire an access token is a generic error. It could be caused by many issues. You mentioned localhost as the redirect URI. I am not in favor of using http://localhost. I am more in favor of using nav.domain.com:port/.../SignIn and nav.domain.com:port/.../OAuthLanding.htm. You can use a CNAME record to point nav.domain.com to the actual server, or you can use an A-record in DNS.
In the CustomSettings.config file there are a couple of important keys (which are usually filled with wrong values when we see incoming support requests) when things do not work out of the box:
1. PublicWebBaseUrl (must be HTTPS)
2. ClientServicesFederationMetadataLocation
3. WSFederationLoginEndpoint (no need to add a wreply value / wrealm should be similar to AppIdUri)
4. ExtendedSecurityTokenLifetime
5. AppIdUri (AppIdUri = wrealm = application client id, to be copied from the Azure AD app registration)
Hope it helps or gives you a good start.
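A consistency check for the five CustomSettings.config keys listed above, added here as an example and not part of the Microsoft answer or the product. It assumes the default BC 19 install path for CustomSettings.config (override it with -ConfigPath) and that wrealm is carried as a query parameter of the WS-Federation login endpoint.

```powershell
# Added example: verify the NST keys the answer above names for Azure AD authentication.
param(
    # Assumed default path for a BC 19 instance; adjust to your Service folder.
    [string]$ConfigPath = 'C:\Program Files\Microsoft Dynamics 365 Business Central\190\Service\CustomSettings.config'
)

[xml]$config = Get-Content -Path $ConfigPath -Raw
$settings = @{}
foreach ($node in $config.appSettings.add) { $settings[$node.key] = $node.value }

# Returns one query-string parameter of a URL, or $null when it is absent.
function Get-QueryParam {
    param([string]$Url, [string]$Name)
    $query = ([System.Uri]$Url).Query.TrimStart('?')
    foreach ($pair in $query -split '&') {
        $kv = $pair -split '=', 2
        if ($kv.Count -eq 2 -and $kv[0] -eq $Name) { return [System.Uri]::UnescapeDataString($kv[1]) }
    }
    return $null
}

$findings = New-Object System.Collections.Generic.List[string]

$publicUrl = $settings['PublicWebBaseUrl']
if (-not $publicUrl -or $publicUrl -notmatch '^https://') { $findings.Add("PublicWebBaseUrl must be an https URL, got '$publicUrl'") }
if (-not $settings['ClientServicesFederationMetadataLocation']) { $findings.Add('ClientServicesFederationMetadataLocation is empty') }
if (-not $settings['ExtendedSecurityTokenLifetime']) { $findings.Add('ExtendedSecurityTokenLifetime is not set') }

$appIdUri = $settings['AppIdUri']
if (-not $appIdUri) { $findings.Add('AppIdUri is empty') }

$loginEndpoint = $settings['WSFederationLoginEndpoint']
if ($loginEndpoint) {
    # The answer says wrealm must match AppIdUri and that wreply is not needed.
    $wrealm = Get-QueryParam -Url $loginEndpoint -Name 'wrealm'
    if ($wrealm -ne $appIdUri) { $findings.Add("wrealm '$wrealm' in WSFederationLoginEndpoint differs from AppIdUri '$appIdUri'") }
    if (Get-QueryParam -Url $loginEndpoint -Name 'wreply') { $findings.Add('WSFederationLoginEndpoint carries a wreply value that is not needed') }
} else {
    $findings.Add('WSFederationLoginEndpoint is empty')
}

if ($findings.Count -eq 0) {
    Write-Output 'All five keys look consistent.'
    # Redirect URIs the Azure app registration should carry, derived from PublicWebBaseUrl.
    $base = $publicUrl.TrimEnd('/')
    Write-Output "Expected redirect URIs: $base/SignIn and $base/OAuthLanding.htm"
} else {
    $findings | ForEach-Object { Write-Output "CHECK: $_" }
}
```

Run it in the BC Administration Shell on the NST server after editing the keys and before restarting the instance, so a mistyped wrealm or an http PublicWebBaseUrl is caught before the next token request fails.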