Error in update script for SharePoint hybrid search

Turner, Lorene 11 Reputation points
2021-08-11T17:37:17.977+00:00

Microsoft sent out an email saying that we have to run the script they provide, Update-FederatedHybridSearchForM365.ps1.

I'm running this on our dev farm to begin with, and I did have to run it a few times to get past some errors. However, it is stuck on this error:

EVO Successfully Registered as Trusted Token Issuer
Certificate was successfully retrieved.
WARNING: The service principal 'c3959f3a-5ad4-4d2b-b1f0-bc70f9a5d0a1' credentials cannot be created right now, waiting
for proper Service Principal creation. Trying again (attempt 1/12)
WARNING: The service principal 'c3959f3a-5ad4-4d2b-b1f0-bc70f9a5d0a1' credentials cannot be created right now, waiting
for proper Service Principal creation. Trying again (attempt 2/12)
WARNING: The service principal 'c3959f3a-5ad4-4d2b-b1f0-bc70f9a5d0a1' credentials cannot be created right now, waiting
for proper Service Principal creation. Trying again (attempt 3/12)
WARNING: The service principal 'c3959f3a-5ad4-4d2b-b1f0-bc70f9a5d0a1' credentials cannot be created right now, waiting
for proper Service Principal creation. Trying again (attempt 4/12)
WARNING: The service principal 'c3959f3a-5ad4-4d2b-b1f0-bc70f9a5d0a1' credentials cannot be created right now, waiting
for proper Service Principal creation. Trying again (attempt 5/12)
WARNING: The service principal 'c3959f3a-5ad4-4d2b-b1f0-bc70f9a5d0a1' credentials cannot be created right now, waiting
for proper Service Principal creation. Trying again (attempt 6/12)
WARNING: The service principal 'c3959f3a-5ad4-4d2b-b1f0-bc70f9a5d0a1' credentials cannot be created right now, waiting
for proper Service Principal creation. Trying again (attempt 7/12)
WARNING: The service principal 'c3959f3a-5ad4-4d2b-b1f0-bc70f9a5d0a1' credentials cannot be created right now, waiting
for proper Service Principal creation. Trying again (attempt 8/12)
WARNING: The service principal 'c3959f3a-5ad4-4d2b-b1f0-bc70f9a5d0a1' credentials cannot be created right now, waiting
for proper Service Principal creation. Trying again (attempt 9/12)
WARNING: The service principal 'c3959f3a-5ad4-4d2b-b1f0-bc70f9a5d0a1' credentials cannot be created right now, waiting
for proper Service Principal creation. Trying again (attempt 10/12)
WARNING: The service principal 'c3959f3a-5ad4-4d2b-b1f0-bc70f9a5d0a1' credentials cannot be created right now, waiting
for proper Service Principal creation. Trying again (attempt 11/12)
WARNING: The service principal 'c3959f3a-5ad4-4d2b-b1f0-bc70f9a5d0a1' credentials cannot be created right now, waiting
for proper Service Principal creation. Trying again (attempt 12/12)
Add-ServicePrincipalCredentials : An error occurred:
Microsoft.Online.Administration.Automation.MicrosoftOnlineException: Unable to complete this action. Try again later.
at Add-ServicePrincipalCredentials, E:\scripts\Update-FederatedHybridSearchForM365.ps1: line 226
at Set-S2SCertificateForSkill, E:\scripts\Update-FederatedHybridSearchForM365.ps1: line 212
at <ScriptBlock>, E:\scripts\Update-FederatedHybridSearchForM365.ps1: line 549
at <ScriptBlock>, <No file>: line 1
At E:\scripts\Update-FederatedHybridSearchForM365.ps1:212 char:9
+ Add-ServicePrincipalCredentials $SkillAppId $StsCertB64 12
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Add-ServicePrincipalCredentials

It looks like something is not being created properly.
I ran this on the app server; I plan on running it on all on-prem servers in our dev farm once it runs successfully.
It looks like an error in the script, which was provided by MS, so I'm hoping you can help fix it?


7 answers

  1. Yi Lu_MSFT 17,461 Reputation points
    2021-08-12T09:50:12.993+00:00

    Hi @Turner, Lorene
    Since I don’t have an environment configured with cloud hybrid search, I couldn’t test this script for you, so it will be hard to go on with further troubleshooting. You could open a service request in the Microsoft 365 admin center for better help.

    If an Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

  2. Turner, Lorene 11 Reputation points
    2021-08-12T17:35:55.457+00:00

    I've already done that, and the support team told me that they don't support on prem or hybrid Sharepoint, only cloud Sharepoint. So then I tried to use my MSDN membership to open a free ticket, and they told me that Sharepoint 2016 doesn't qualify for support because it's five years old.

    I really don't want to have to pay Microsoft to open a support ticket for something that is Microsoft's fault (their script).

  3. Raul Gomez Rodriguez 16 Reputation points
    2021-08-24T16:12:46.82+00:00

    Hello @Turner, Lorene ,

    Currently, what is the hybrid search scenario you're using? Performing the search from SharePoint Online and getting results back from SharePoint OnPrem, displayed on SharePoint Online? Just want to confirm first this is the scenario you're using.

    Also, can you please run the following PowerShell commands and let me know what the outcome is? This will give us an idea of what could be going wrong in your case. Thanks in advance for your help.

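    # Load the SharePoint snap-in and the MSOnline / SharePoint Online modules
    Add-PSSnapin Microsoft.Sharepoint.Powershell
    Import-Module Microsoft.Powershell.Utility
    Import-Module MSOnline -force
    Import-Module MSOnlineExt -force
    Import-Module Microsoft.Online.Sharepoint.Powershell -force

    # Sign in to the tenant
    Connect-MsolService

    # App IDs of SharePoint Online and of the skill service principal named in the error
    $SpoAppId = "00000003-0000-0ff1-ce00-000000000000"
    $SkillAppId = "c3959f3a-5ad4-4d2b-b1f0-bc70f9a5d0a1"

    # Check that both service principals exist
    Get-MsolServicePrincipal -AppPrincipalId $SkillAppId
    Get-MsolServicePrincipal -AppPrincipalId $SpoAppId

    # Read the key value of the SharePoint Online principal's credential
    $StsCertB64=(Get-MsolServicePrincipalCredential -AppPrincipalId $SpoAppId -ReturnKeyValues $true).Value

    # Add that value as an asymmetric Verify credential on the skill principal
    New-MsolServicePrincipalCredential -AppPrincipalId $SkillAppId -Type asymmetric -Usage Verify -Value "$StsCertB64" -ErrorAction Stop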


  4. Raffaele Colavecchi 1 Reputation point MVP
    2021-09-02T11:11:27.503+00:00

    Hi all,
    I have a similar problem in the next step of the script, after the message: All Service Principal Credentials were successfully created and associated.

    WARNING: The service principal 'c3959f3a-5ad4-4d2b-b1f0-bc70f9a5d0a1' SPNs cannot be set right now, waiting for proper Service
    Principal creation. Trying again (attempt 12/12)
    Set-ServicePrincipalSPNs : An error occurred: Microsoft.Online.Administration.Automation.MicrosoftOnlineException: Unable to complete this action. Try again later.

    I analyzed the SPNs that the script wants to register:
    c3959f3a-5ad4-4d2b-b1f0-bc70f9a5d0a1
    https://hybridsearchskill.cortana.ai
    c3959f3a-5ad4-4d2b-b1f0-bc70f9a5d0a1/MySP2019webappFQDN
    Microsoft.SharePoint
    c3959f3a-5ad4-4d2b-b1f0-bc70f9a5d0a1/*.sharepoint.com
    Office 365 SharePoint Online
    c3959f3a-5ad4-4d2b-b1f0-bc70f9a5d0a1/MySP2016webappFQDN
    c3959f3a-5ad4-4d2b-b1f0-bc70f9a5d0a1/MyoldSP2016TESTwebappFQDN
    c3959f3a-5ad4-4d2b-b1f0-bc70f9a5d0a1/MyoldSP2016anotherTESTwebappFQDN
    https://MySP2019webappFQDN

    No response or error from this command in the script (line 304):
    Set-MsolServicePrincipal -AppPrincipalId $SkillAppId -ServicePrincipalNames $Spns -ErrorAction Stop

    My questions:
    Do you think that I need to wait M365 time?
    Or do I need to manipulate the automatic SPN that the script wants to register in the new service principal 'c3959f3a-5ad4-4d2b-b1f0-bc70f9a5d0a1' Greenland Federated Search Bot Skill?
    If I have 2 farms (2016 and 2019), do I need to execute the script in both farms?

    Many thanks.
    Raffaele

  5. Raul Gomez Rodriguez 16 Reputation points
    2021-09-02T15:19:52.813+00:00

    Hi @Raffaele Colavecchi ,

    Let me do some troubleshooting on my end and I will get back to you later today. Just one question to confirm, the SPNs that you just shared are the content of variable $Spns?

    Regarding your questions:

    Do you think that I need to wait M365 time?
    I think that some of the SPNs are not being properly handled by the Set-MsolServicePrincipal cmdlet, therefore, I don't think there is a problem on waiting. This is what I'm trying to understand first.

    Do I need to manipulate the automatic SPN that the script wants to register in the new service principal 'c3959f3a-5ad4-4d2b-b1f0-bc70f9a5d0a1' Greenland Federated Search Bot Skill?
    Let me confirm this to you in a few.

    If I have 2 farms (2016 and 2019), do I need to execute the script in both farms?
    Yes, you will need to execute the script in both farms.