Yvand/EntraCP

Problems getting AzureCP to work in SharePoint 2013

Closed this issue · 18 comments

Hi,

I have tried several times to configure AzureCP in a development environment and cannot get it to work, so I would like to ask for help. I am working with the latest version, v21.0.20230703.25.

The first thing I tried was to configure it from the Central Administration page, but when I test the connection I receive an error:
[screenshot]

Reviewing the logs, the following message appears:
Unable to get access token for tenant 'XXXX.com' on cloud instance 'AzurePublic': An error response was returned by the OAuth2 server, but it could not be parsed. Please inspect the exception properties for details.

We don't have any type of proxy on the server, but as I saw in another post, I configured it in the web.config of the different applications. The result remains the same.

The next thing I tried was to configure it via PowerShell with the following script:

Add-Type -AssemblyName "AzureCP, Version=1.0.0.0, Culture=neutral, PublicKeyToken=65dc6b5903b51636"
$config = [azurecp.AzureCPConfig]::GetConfiguration("AzureCPConfig")

# To view current configuration
$config
$config.ClaimTypes

# Update some settings, e.g. enable augmentation:
$config.EnableAugmentation = $true
$config.Update()

# Reset claim types configuration list to default
$config.ResetClaimTypesList()
$config.Update()

# Reset the whole configuration to default
$config.ResetCurrentConfiguration()
$config.Update()

# Add a new Azure AD tenant
$newAADTenant = New-Object azurecp.AzureTenant
$newAADTenant.Name = "XXXX.com"
$newAADTenant.ApplicationId = "62da2d5d-4156-4ab4-b75d-1dd7f7260d9f"
$newAADTenant.ApplicationSecret = "XXXXXXXXXXXXXXXXXXXXXXX"
$config.AzureTenants.Add($newAADTenant)
$config.Update()

In this case the script runs correctly, but when I try to find a user from Picker.aspx I get no results. The following message appears in the log:
Claims Search call failed. Error Message: Object reference not set to an instance of an object. Callstack: at Microsoft.SharePoint.WebControls.PeopleQueryControl.IssueClaimsQuery(String searchPattern, String providerID, String hierarchyNodeID, Int32 pageSize, SPProviderHierarchyTree spgroupTree)

Another point that I don't know if it's relevant, but that catches my attention, is that when I run the following command from the server:
Invoke-WebRequest -Uri https://graph.microsoft.com

I do not receive any response, neither OK nor error. It stays running and does not respond even after several minutes. However, I do receive a 200 code with the following calls:

Invoke-WebRequest -Uri "https://login.windows.net" -UseBasicParsing
Invoke-WebRequest -Uri "https://login.microsoftonline.com" -UseBasicParsing

I hope someone can help me solve the problem. If you require more information, you can ask me without any problem.

Thank you very much in advance

Yvand commented

Hi @javierordonezcastro, can you check the SharePoint logs and filter on Product/Area "LDAPCP"?

Hi @Yvand, I have filtered the SharePoint logs for the indicated product (with ULSViewer) but I do not get any messages. Do I need to perform any specific action to capture the logs?

Thank you very much in advance

Yvand commented

Hi @javierordonezcastro, my bad, I typed the wrong product; it is "AzureCP" (not LDAPCP), sorry for that.

Thank you very much @Yvand, no problem. Now I do see error messages. Mainly, the ones that are repeated are the following:

[AzureCP] Unable to get access token for tenant 'xxxxx.com' on cloud instance 'AzurePublic': An error response was returned by the OAuth2 server, but it could not be parsed. Please inspect the exception properties for details.

[AzureCP] Unexpected error occurred Microsoft.Graph could not query tenant 'xxxxx.com': Microsoft.Graph.ServiceException: Code: InvalidAuthenticationToken Message: Access token is empty. Inner error: AdditionalData: date: 2023-08-01T16:25:20 request-id: 42c2c995-fb0c-4b24-998f-a84b6793f8cb client-request-id: 42c2c995-fb0c-4b24-998f-a84b6793f8cb ClientRequestId: 42c2c995-fb0c-4b24-998f-a84b6793f8cb , Callstack: at Microsoft.Graph.HttpProvider.d__18.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Graph.BaseRequest.d__38.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Graph.BaseRequest.d__34`1.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Graph.GraphServiceUsersCollectionRequest.d__4.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at azurecp.AzureCP.<>c__DisplayClass60_0.<b__0>d.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at azurecp.AzureCP.d__60.MoveNext()

There seems to be a problem with the Microsoft Graph token, but I don't understand why it says it's empty.

julmsy commented

For the tenant name you typed 'xxxxx.com'. Should be 'xxxxx.onmicrosoft.com'.

Thanks @julmsy, I have tried with the change in the tenant nomenclature, but the errors are the same:

08/02/2023 04:19:24.89 w3wp.exe (0x2328) 0x1048 AzureCP Lookup 1337 Unexpected [AzureCP] Unexpected error occurred Microsoft.Graph could not query tenant 'XXXX.onmicrosoft.com': Microsoft.Graph.ServiceException: Code: InvalidAuthenticationToken Message: Access token is empty. Inner error: AdditionalData: date: 2023-08-02T09:19:24 request-id: 4ef733c4-6c02-440c-95dc-9abddb279e51 client-request-id: 4ef733c4-6c02-440c-95dc-9abddb279e51 ClientRequestId: 4ef733c4-6c02-440c-95dc-9abddb279e51 , Callstack: at Microsoft.Graph.HttpProvider.d__18.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Graph.BaseRequest.d__38.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Graph.BaseRequest.d__34`1.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Graph.GraphServiceUsersCollectionRequest.d__4.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at azurecp.AzureCP.<>c__DisplayClass60_0.<b__0>d.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at azurecp.AzureCP.d__60.MoveNext()
08/02/2023 04:19:24.89 w3wp.exe (0x2328) 0x1048 AzureCP Lookup 1337 Medium [AzureCP] Got 0 users/groups in 3170 ms from 'XXXX.onmicrosoft.com' with input 'soporte'
08/02/2023 04:20:19.22 w3wp.exe (0x2328) 0x1394 AzureCP Core 1337 Verbose [] Getting new access token for tenant 'XXXX.onmicrosoft.com' on cloud instance 'AzurePublic' using client ID 62da2d5d-4156-4ab4-b75d-1dd7f7260d9f and a client secret. 927bcca0-9089-b08b-04d5-4b9760f19b62
08/02/2023 04:20:19.37 w3wp.exe (0x2328) 0x23E0 AzureCP Core 1337 Unexpected [] Unable to get access token for tenant 'XXXX.onmicrosoft.com' on cloud instance 'AzurePublic': An error response was returned by the OAuth2 server, but it could not be parsed. Please inspect the exception properties for details.

Yvand commented

@javierordonezcastro it is hard to say what exactly goes wrong based only on this error message.
On the SharePoint server, can you try to retrieve the access token as documented on this page and check if it works?
If it does not help, I suggest you use Fiddler as a proxy to inspect the actual traffic, as documented on the same page.

Thank you very much once again @Yvand.

I have tried to retrieve the token with PowerShell on the SharePoint server, and the result was satisfactory after making some modifications:

{
"token_type": "Bearer",
"expires_in": "3599",
"ext_expires_in": "3599",
"expires_on": "1691513032",
"not_before": "1691509132",
"resource": "https://graph.microsoft.com/",
"access_token": "eyJ0eXAiOiJKV1QiLCJub25j....."
}

I have also captured the traffic with Fiddler while doing a user lookup in a people picker, and the responses are code 200:
[screenshot]

Despite all this, it still does not show any results when testing with different users.

I don't know if this gives you any more clues about what I might be doing wrong.

Thank you very much

Yvand commented

@javierordonezcastro you are close; you don't see the actual traffic because you do not decrypt the HTTPS traffic in the Fiddler options.
Can you do that, ensure that you trust the Fiddler root certificate (otherwise AzureCP won't connect), and try again?

Thank you very much @Yvand.

After following your instructions, I now receive a 401 error in Fiddler from the call to Graph, with the following response:

{"error":{"code":"InvalidAuthenticationToken","message":"Access token is empty.","innerError":{"date":"2023-08-09T09:51:46","request-id":"195b6fec-fbf7-4924-b628-5f7280215394","client-request-id":"195b6fec-fbf7-4924-b628-5f7280215394"}}}

I have the feeling that there may be some kind of lack of permissions, but I don't understand exactly at what point, because through PowerShell I do receive the token.

Yvand commented

OK, the access token is issued by login.microsoftonline.com, and somehow it does not issue it.
Can you inspect the requests/responses to login.microsoftonline.com to see why the access token is not issued?

Thank you very much @Yvand, I see that the response is the following:

HTTP/1.1 200 Connection Established
FiddlerGateway: Direct
StartTime: 06:39:20.322
Connection: close

fiddler.network.https> HTTPS handshake to login.microsoftonline.com (for #85) failed. System.IO.IOException Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. < An existing connection was forcibly closed by the remote host

I don't know if it's normal, but it strikes me that it appears as HTTP when in theory it should be HTTPS.

Regards

Yvand commented

It looks like the Fiddler root cert is not trusted, can you double check that? And maybe try to restart the server?

Sorry @Yvand, I don't have much experience with Fiddler, but from what I've verified it should be correct. When I activated the "Decrypt HTTPS traffic" option for the first time, the wizard popped up and I trusted it. Likewise, I have used the following option:
[screenshot]

The following window popped up and I confirmed:
[screenshot]

I have subsequently restarted the server, but the result is still the same:
[screenshot]

Do you think I should validate something else?

Thank you very much in advance

Yvand commented

The last screenshot shows that the traffic is successfully decrypted.
You need to capture the first requests to login.microsoftonline.com, when AzureCP initializes and attempts to get the access token.
For that, you can recycle the application pool of the site, and repro the issue.

Thanks @Yvand, I have tried restarting the application pool and recapturing, and in all calls to login.microsoftonline.com I receive the same response:

fiddler.network.https> HTTPS handshake to login.microsoftonline.com (for #46) failed. System.IO.IOException Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. < An existing connection was forcibly closed by the remote host

It's really not clear to me when AzureCP retrieves the access token. I understand that if I log in to the web app (after the reboot), the first time I use the people picker the token should be retrieved; is that correct?

Checking the SharePoint logs again, I see that it is just before searching in a people picker that it tries to retrieve the token and gets the error:

[AzureCP] Unexpected error occurred while getting access token for tenant 'xxx.onMicrosoft.com' on cloud instance 'AzurePublic': System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send., Callstack:
at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)

Hello again @Yvand, thank you very much for all your time, and sorry, but I already got it to work. I am going to describe the solution because, although it is possibly something unusual, maybe it can help someone in the future.

I saw that in Fiddler the TLS 1.2 protocol was not enabled, and I included it:
[screenshot]

When recapturing the traffic with this change, I saw that the Graph call was now returning an error response indicating that TLS 1.2 or higher needed to be enabled. After this, I saw that our server did not have it enabled, and I followed the steps to enable it: https://support.mailessentials.gfi.com/hc/en-us/articles/360015120800-Enabling-TLS-Configuration-on-IIS-SMTP-Server-

Once the server was enabled and restarted, the people pickers correctly return values. I still have to adjust some operational issues, but the connection is now working.

Regards
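A diagnostic script for the root cause found in this thread, added here as an example and not part of AzureCP or of any comment above: it reads the usual Schannel and .NET 4.x TLS 1.2 registry switches on the SharePoint server, then repeats the client-credentials token request from earlier in the thread with the session pinned to TLS 1.2, so a handshake failure shows up as a WebException without an HTTP status instead of a silent hang. The tenant name and client ID are placeholders, and the secret is prompted for rather than stored in the script.

```powershell
# Added diagnostic, not AzureCP code. Replace the placeholders with your own values.
$Tenant   = 'XXXX.onmicrosoft.com'                   # placeholder tenant
$ClientId = '00000000-0000-0000-0000-000000000000'    # placeholder app (client) ID

function Get-Tls12Switches {
    # Schannel client-side TLS 1.2 switch plus the .NET 4.x switches that make
    # HttpClient (what AzureCP uses inside w3wp.exe) negotiate TLS 1.2 by default.
    # A $null value means the key is absent and the OS/.NET default applies.
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    $net = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    $p = Get-ItemProperty -Path $schannel -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Tls12ClientEnabled           = $p.Enabled             # expect 1
        Tls12ClientDisabledByDefault = $p.DisabledByDefault   # expect 0
        SchUseStrongCrypto           = @($net | ForEach-Object {
            (Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue).SchUseStrongCrypto })
        SystemDefaultTlsVersions     = @($net | ForEach-Object {
            (Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue).SystemDefaultTlsVersions })
    }
}

function Test-GraphTokenOverTls12 {
    param([string]$Tenant, [string]$ClientId, [securestring]$Secret)
    # Pin this PowerShell session to TLS 1.2 so the result reflects what AzureCP
    # needs, not whatever older protocol the session would otherwise fall back to.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secret)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $body = @{ grant_type = 'client_credentials'; client_id = $ClientId
                   client_secret = $plain; resource = 'https://graph.microsoft.com/' }
        # v1 token endpoint: same reply shape ("resource", "expires_on") as quoted above.
        $r = Invoke-RestMethod -Method Post -Body $body `
             -Uri "https://login.microsoftonline.com/$Tenant/oauth2/token"
        # Never echo the token itself; whether one was issued and its lifetime suffice.
        [pscustomobject]@{ Issued = [bool]$r.access_token; TokenType = $r.token_type; ExpiresIn = $r.expires_in }
    } catch [System.Net.WebException] {
        # Status ProtocolError = the server answered (check the 4xx body, e.g. bad secret).
        # SecureChannelFailure / SendFailure with no status = the TLS handshake itself failed,
        # which is the "unexpected error occurred on a send" this thread ended on.
        [pscustomobject]@{ Issued = $false; Status = $_.Exception.Status; Message = $_.Exception.Message }
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

Get-Tls12Switches
Test-GraphTokenOverTls12 -Tenant $Tenant -ClientId $ClientId -Secret (Read-Host 'Client secret' -AsSecureString)
```

Run it in an elevated PowerShell on the SharePoint server before and after applying the TLS 1.2 change, then recycle the web application's pool so w3wp.exe picks up the new settings.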

Yvand commented

Very nice catch, and thanks for sharing!