Troubleshooting server-based authentication

Troubleshooting the Enable server-based SharePoint Integration wizard

Review the error log for information about why the site doesn’t validate. To do this, click Error Log in the Enable Server-Based SharePoint Integration wizard after the validate sites stage is completed.

The enable server-based SharePoint integration validation check can return one of the following four types of failures.

Failed Connection

This failure indicates that the SharePoint server could not be accessed from where the validation check was run. Verify that the SharePoint URL that you entered is correct and that you can access the SharePoint site and site collection by using a web browser from the computer where the Enable Server-Based SharePoint Integration wizard is running. More information: Troubleshooting hybrid environments (SharePoint)

Failed Authentication

This failure can occur when one or more of the server-based authentication configuration steps were not completed or did not complete successfully. More information: Set up SharePoint integration

This failure can also occur if an incorrect URL is entered in the Enable Server-Based SharePoint Integration wizard or if there is a problem with the digital certificate used for server authentication. Similarly, this failure can occur as a result of a SharePoint site rename when the URL is not updated in the corresponding SharePoint Site record. More information: Users receive "You don't have permissions to view files in this location" message

Failed authorization or 401 unauthorized error

This failure can occur when the claims-based authentication types do not match. For example, in a hybrid deployment such as customer engagement apps to SharePoint on-premises, when you use the default claims-based authentication mapping, the Microsoft account email address used by the user must match the SharePoint user’s Work email. More information: Define custom claim mapping for SharePoint server-based integration

SharePoint Version Not Supported

This failure indicates that the required SharePoint edition, version, service pack, or hotfix is missing.

Troubleshooting SharePoint

Issues that affect server-based authentication can also be recorded in SharePoint logs and reports. For more information about how to view and troubleshoot SharePoint monitoring, see the following topics: View reports and logs in SharePoint 2013 and Configure diagnostic logging in SharePoint 2013.

Known issues with server-based authentication

This section describes the known issues that may occur when you set up or use customer engagement apps and SharePoint server-based authentication.

Failed authentication is returned when validating a SharePoint site even though you have appropriate permission

Applies to: customer engagement apps with SharePoint Online, customer engagement apps with SharePoint on-premises.

This issue can occur when the claims-based authentication mapping that is used provides a situation where the claims type values don’t match between customer engagement apps and SharePoint. For example, this issue can occur when the following items are true:

  • You use the default claims-based authentication mapping type, which for customer engagement apps to SharePoint Online server-based authentication uses the Microsoft account unique identifier.

  • The identities used for Microsoft 365, Dynamics 365 administrator, or SharePoint Online administrator don’t use the same Microsoft account, so the Microsoft account unique identifiers don’t match.

“Private key not found” error message returned when you run the CertificateReconfiguration.ps1 Windows PowerShell script

This content also applies to the on-premises version.

This issue can occur when there are two self-signed certificates located in the local certificate store that have the same subject name.

Notice that this issue should only occur when you use a self-signed certificate. Self-signed certificates should not be used in production environments.

To resolve this issue, remove the certificates with the same subject name that you don’t need using the Certificate Manager MMC snap-in and note the following.

Important

It can take up to 24 hours before the SharePoint cache will begin using the new certificate. To use the certificate now, follow the steps here to replace the certificate information in customer engagement apps.

To resolve this issue by following the steps in this article, the existing certificate cannot be expired.
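Before removing anything with the Certificate Manager MMC snap-in, it helps to see exactly which certificates in the store share a subject name, whether each is self-signed, whether it has expired (the replacement procedure below requires an unexpired certificate), and whether a private key is present. The following PowerShell function is an added example and is not part of the original article or of the CertificateReconfiguration.ps1 script; the store path Cert:\LocalMachine\My is an assumption and should be adjusted to the store the script reads on your server.

```powershell
# Added example (not from the original article): list certificates in the local
# computer's Personal store that share a subject name and show, for each one,
# whether it is self-signed, expired, and backed by a private key.
# The default store path is an assumption; change it to match your server.

function Get-DuplicateSubjectCertificate {
    [CmdletBinding()]
    param(
        # Certificate store to inspect (assumed: the computer's Personal store).
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    $now = Get-Date

    Get-ChildItem -Path $StorePath |
        Group-Object -Property Subject |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            foreach ($cert in $_.Group) {
                [pscustomobject]@{
                    Subject       = $cert.Subject
                    Thumbprint    = $cert.Thumbprint
                    # A self-signed certificate has the same subject and issuer.
                    SelfSigned    = ($cert.Subject -eq $cert.Issuer)
                    # An expired certificate cannot be used in the replacement steps.
                    Expired       = ($cert.NotAfter -lt $now)
                    NotAfter      = $cert.NotAfter
                    # A missing private key is what the script reports as
                    # "Private key not found" when the wrong duplicate is picked.
                    HasPrivateKey = $cert.HasPrivateKey
                }
            }
        }
}

# Review the list first; remove only the duplicates you don't need, as the
# article describes, using the Certificate Manager MMC snap-in.
Get-DuplicateSubjectCertificate | Format-Table -AutoSize
```

Run the function in an elevated PowerShell session on the server where the script is executed. The thumbprint column tells the duplicates apart in the MMC snap-in, and the Expired and HasPrivateKey columns show which entry is still usable for the steps that follow.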

Replace a certificate that has the same subject name

  1. Use an existing self-signed certificate or create a new one. The subject name must be different from every certificate subject name that is registered in the local certificate store.

  2. Run the following PowerShell script against the existing certificate, or the certificate that you created in the previous step. This script will add a new certificate in customer engagement apps, which will then be replaced in a later step.

     CertificateReconfiguration.ps1 -certificateFile <Private certificate file (.pfx)> -password <private-certificate-password> -updateCrm -certificateType AlternativeS2STokenIssuer -serviceAccount <serviceAccount> -storeFindType FindBySubjectDistinguishedName

  3. Remove the AlternativeS2STokenIssuer type certificate from the configuration database. To do this, run these PowerShell commands.

     Add-PSSnapin Microsoft.Crm.PowerShell
     # Find the certificate that was registered as the AlternativeS2STokenIssuer.
     $Certificates = Get-CrmCertificate
     $alternativecertificate = $null
     foreach ($cert in $Certificates)
     {
         if ($cert.CertificateType -eq "AlternativeS2STokenIssuer") { $alternativecertificate = $cert }
     }
     # Only remove the certificate when one was actually found.
     if ($alternativecertificate -ne $null)
     {
         Remove-CrmCertificate -Certificate $alternativecertificate
     }

You receive “The remote server returned an error: (400) Bad Request” and “Register-SPAppPrincipal: The requested service, <http://wgwitsp:32843/46fbdd1305a643379b47d761334f6134/AppMng.svc> could not be activated” error messages

Applies to: SharePoint on-premises versions used with customer engagement apps.

The “The remote server returned an error: (400) Bad Request” error message can occur after the certificate installation, such as when you run the CertificateReconfiguration.ps1 script.

The “Register-SPAppPrincipal: The requested service, <http://wgwitsp:32843/46fbdd1305a643379b47d761334f6134/AppMng.svc> could not be activated” error message can occur when you grant permission to access SharePoint by running the Register-SPAppPrincipal command.

To resolve both of these errors after they occur, restart the web server where the web application is installed. More information: Start or Stop the Web Server (IIS 8)

“Something went wrong while interaction with SharePoint” error message received

Applies to: All versions when used with SharePoint Online

This error can be returned to a user who doesn’t have permissions, or whose permissions have been removed, for the SharePoint site where document management is enabled. Currently, this is a known issue with SharePoint Online: the error message that is displayed doesn’t indicate that the user’s permissions are insufficient to access the site.

How to display the Enable Server-Based SharePoint Integration wizard

After server-based integration is enabled, the Enable Server-Based SharePoint Integration wizard no longer appears in the Document Management area of Settings. To display the Enable Server-Based SharePoint Integration wizard so that you can reconfigure it, you must deactivate all SharePoint sites and disable OneDrive document management.

Disable document management SharePoint sites and OneDrive

  1. Sign in to Power Apps, select Settings (gear) on the upper right, and then select Advanced settings.
  2. Go to Settings > Document Management > SharePoint Sites.
  3. In the view selector, select Active SharePoint Sites.
  4. Select all SharePoint sites in the list, on the command bar select Deactivate, and then select Deactivate at the message box prompt.
  5. Go to Settings > Document Management > Enable OneDrive for Business.
  6. Clear the Enable OneDrive for Business option, and then select OK.

After all SharePoint sites are deactivated and OneDrive integration is disabled, the Enable Server-Based SharePoint Integration wizard will appear in the Document Management area.

See also

Troubleshoot SharePoint Online integration
Permissions required for document management tasks