Troubleshooting server-based authentication


Updated: November 28, 2016

Applies To: Dynamics 365 (online), Dynamics 365 (on-premises), Dynamics CRM 2016, Dynamics CRM Online


Review the error log for information about why a site fails validation. To do this, click Error Log in the Enable Server-Based SharePoint Integration wizard after the validate sites stage has completed.

The Enable Server-Based SharePoint Integration validation check can return one of the following four types of failures.

  1. This failure indicates that the SharePoint server could not be reached from the computer where the validation check was run. Verify that the SharePoint URL you entered is correct and that you can open the SharePoint site and site collection in a web browser from the computer where the Enable Server-Based SharePoint Integration wizard is running. More information: TechNet: Troubleshooting hybrid environments (SharePoint)

  2. This failure can occur when one or more of the server-based authentication configuration steps were not completed or did not complete successfully. More information: Set up SharePoint integration with Microsoft Dynamics 365. It can also occur if an incorrect URL was entered in the Enable Server-Based SharePoint Integration wizard, or if there is a problem with the digital certificate used for server authentication.

  3. This failure can occur when the claims-based authentication types do not match. For example, in a hybrid deployment such as Microsoft Dynamics 365 (online) to SharePoint on-premises, when you use the default claims-based authentication mapping, the Microsoft account email address used by the Microsoft Dynamics 365 (online) user must match the SharePoint user’s Work email. More information: Selecting a claims-based authentication mapping type

  4. This failure indicates that the SharePoint edition or version is not supported, or that a required service pack or hotfix is missing. For more information, see SharePoint Version Not Supported.

Issues that affect server-based authentication can also be recorded in SharePoint logs and reports. For more information about how to view and troubleshoot SharePoint monitoring, see the following topics: View reports and logs in SharePoint 2013 and Configure diagnostic logging in SharePoint 2013.

This section describes the known issues that may occur when you set up or use Microsoft Dynamics 365 and SharePoint server-based authentication.

Applies to: Microsoft Dynamics 365 (online) with Microsoft SharePoint Online, Microsoft Dynamics 365 (online) with Microsoft SharePoint on-premises

This issue can occur when the claims-based authentication mapping in use results in claims type values that don’t match between Microsoft Dynamics 365 and SharePoint. For example, this issue can occur when both of the following are true:

  • You use the default claims-based authentication mapping type, which for Microsoft Dynamics 365 (online) to SharePoint Online server-based authentication is based on the Microsoft account unique identifier.

  • The identities used for the Microsoft Office 365 administrator, the Microsoft Dynamics 365 (online) administrator, and the SharePoint Online administrator are not the same Microsoft account, so the Microsoft account unique identifiers don’t match.

Applies to: Microsoft Dynamics 365 Server configured with a connection to Exchange Online or SharePoint Online. The message states "Please update your certificate or Exchange Online integration will stop functioning in <number> days."

To resolve this issue, renew or replace the X.509 digital certificate, issued by a trusted certificate authority, that is used to authenticate between Dynamics 365 (on-premises) and Exchange Online or SharePoint Online.

Applies to: Microsoft Dynamics 365 (online) with Microsoft SharePoint on-premises, Microsoft Dynamics 365 on-premises with SharePoint Online, Microsoft Dynamics 365 on-premises with SharePoint on-premises

This issue can occur when two self-signed certificates with the same subject name are present in the local certificate store, so a lookup by subject name is ambiguous.

Note that this issue should only occur when you use a self-signed certificate. Self-signed certificates should not be used in production environments.

To resolve this issue, use the Certificate Manager MMC snap-in to remove the certificates that share the subject name and that you don’t need, and note the following.

Important

It can take up to 24 hours before the SharePoint cache begins using the new certificate. To use the certificate immediately, follow the steps below to replace the certificate information in Microsoft Dynamics 365.

The steps below work only if the existing certificate has not expired.
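Before removing anything, it helps to see exactly which certificates share a subject name and how long each has left, since both the duplicate-subject issue above and the expiry warning earlier on this page hinge on those two facts. The following PowerShell report is an added example and not part of the original article or the Dynamics 365 scripts. It uses only the built-in Certificate provider (Get-ChildItem on a Cert: path), so it runs without the Dynamics 365 snap-in; the function name Get-CertificateSubjectReport, the 30-day warning threshold and the assumption that the server-to-server certificate lives in the local machine Personal store (Cert:\LocalMachine\My) are this example's own choices.

```powershell
# Added example, not part of the original article. Uses only the built-in PowerShell
# Certificate provider, so it runs without the Dynamics 365 snap-in.
# Assumption: the server-to-server certificate is in the local machine Personal store
# (Cert:\LocalMachine\My); pass -StorePath to look elsewhere.
function Get-CertificateSubjectReport {
    param(
        [string]$StorePath = "Cert:\LocalMachine\My",
        [int]$WarnDays = 30   # "expiring soon" threshold; chosen for this example
    )

    $certs = Get-ChildItem -Path $StorePath

    # CertificateReconfiguration.ps1 with -storeFindType FindBySubjectDistinguishedName
    # looks the certificate up by subject, so group on exactly that value.
    foreach ($group in ($certs | Group-Object -Property Subject)) {
        # A certificate whose issuer equals its subject is self-signed.
        $selfSigned = @($group.Group | Where-Object { $_.Subject -eq $_.Issuer })
        if ($selfSigned.Count -gt 1) {
            Write-Warning ("{0} self-signed certificates share the subject '{1}'; a lookup by subject name is ambiguous." -f $selfSigned.Count, $group.Name)
        }

        foreach ($cert in $group.Group) {
            $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
            $state = "ok"
            if ($daysLeft -le $WarnDays) { $state = "expiring soon" }
            if ($daysLeft -lt 0)         { $state = "EXPIRED" }

            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
                NotAfter   = $cert.NotAfter
                DaysLeft   = $daysLeft
                State      = $state
            }
        }
    }
}

# One row per certificate; duplicate-subject warnings appear above the table.
Get-CertificateSubjectReport | Sort-Object Subject, NotAfter | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the Dynamics 365 server. Any subject reported with more than one self-signed certificate is the ambiguity the issue describes, and a row marked EXPIRED tells you the replacement procedure below cannot be used as written. The report deliberately removes nothing; delete the unwanted certificate by thumbprint with the Certificate Manager snap-in, as the article describes, or with Remove-Item on its Cert: path.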

Replace a certificate that has the same subject name

  1. Use an existing self-signed certificate or create a new one. Its subject name must be unique among the certificate subject names in the local certificate store.

  2. Run the following PowerShell script against the existing certificate, or against the certificate that you created in the previous step. This script adds a new certificate to Microsoft Dynamics 365, which will then be replaced in a later step. For more information about the CertificateReconfiguration.ps1 PowerShell script, see Prepare Microsoft Dynamics 365 Server for server-based integration.

    CertificateReconfiguration.ps1 -certificateFile <Private certificate file (.pfx)> -password <private-certificate-password> -updateCrm -certificateType AlternativeS2STokenIssuer -serviceAccount <serviceAccount> -storeFindType FindBySubjectDistinguishedName
    
  3. Remove the AlternativeS2STokenIssuer type certificate from the Dynamics 365 configuration database. To do this, run these PowerShell commands.

    Add-PSSnapin Microsoft.Crm.PowerShell
    # Find the certificate registered with the AlternativeS2STokenIssuer type.
    $Certificates = Get-CrmCertificate
    $alternativecertificate = $null
    foreach ($cert in $Certificates)
    {
        if ($cert.CertificateType -eq "AlternativeS2STokenIssuer") { $alternativecertificate = $cert }
    }
    # Remove it only if one was found, rather than passing an empty value to Remove-CrmCertificate.
    if ($alternativecertificate -ne $null) { Remove-CrmCertificate -Certificate $alternativecertificate }
    

Applies to: SharePoint on-premises versions used with Microsoft Dynamics 365.

The error message "The remote server returned an error: (400) Bad Request" can occur after certificate installation, such as when you run the CertificateReconfiguration.ps1 script.

The error message "Register-SPAppPrincipal: The requested service, 'http://wgwitsp:32843/46fbdd1305a643379b47d761334f6134/AppMng.svc' could not be activated" can occur when you grant Microsoft Dynamics 365 permission to access SharePoint by running the Register-SPAppPrincipal command.

To resolve either error after it occurs, restart the web server (IIS) on the computer where the Microsoft Dynamics 365 web application is installed. More information: Start or Stop the Web Server (IIS 8)

Applies to: All Microsoft Dynamics 365 versions when used with Microsoft SharePoint Online

This error can be returned to a user who has no permissions on the SharePoint site where Microsoft Dynamics 365 document management is enabled, or whose permissions on that site have been removed. Currently, this is a known issue with SharePoint Online: the error message displayed to the user doesn’t indicate that the user’s permissions are insufficient to access the site.

© 2016 Microsoft. All rights reserved.