Cloud SSA Onboarding script issues

Hello!

Below are some common errors encountered when running the Onboarding script for Cloud SSA, along with their solutions:

  1. Error: "Could not establish trust relationship for the SSL/TLS secure channel with authority 'https://provisioningapi.microsoftonline.com/provisioningwebservice.svc'" when running the Onboarding script

We tried the PowerShell below to see whether we could create a new web service proxy for the provisioning web service, but it failed with the same error. The credentials we entered were those of the tenant admin for O365, so they did not seem to be the problem.

$cred = Get-Credential

$proxy = New-WebServiceProxy -Uri 'https://provisioningapi.microsoftonline.com/ProvisioningWebService.svc?wsdl' -Credential $cred

Could not establish trust relationship for the SSL/TLS secure channel with authority ' https://provisioningapi.microsoftonline.com/provisioningwebservice.svc '

We could browse just fine to https://provisioningapi.microsoftonline.com/provisioningwebservice.svc  with no certificate errors

Solution:

  1. Browse to https://provisioningapi.microsoftonline.com/provisioningwebservice.svc, view the certificate, and install the chain of certificates from there.
    1. Note: The entire chain needs to be trusted.
  2. Open the MMC console and, under Certificates -> Trusted Root Authorities, ensure that all 3 certificates are installed: the root certificate, *.microsoftonline.com, and the intermediate certificate issued to Microsoft IT SSL SHA2. Most commonly, the intermediate certificate is missing.
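
To see which certificate in the chain the machine fails to trust before and after installing the certificates, the following PowerShell can be run as the same account that runs the Onboarding script. It is an added example, not part of the original post or of the Onboarding script; port 443, TLS 1.2 and all variable names are assumptions.

```powershell
# Added diagnostic example; not part of Onboard-CloudHybridSearch.ps1.
$hostName = 'provisioningapi.microsoftonline.com'  # host from the error message
$port     = 443                                     # assumption: default HTTPS port

$client = New-Object System.Net.Sockets.TcpClient($hostName, $port)
try {
    # The callback accepts any certificate so that an untrusted one can still be
    # retrieved for inspection. Do not reuse it for connections that carry data.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($source, $certificate, $chain, $sslPolicyErrors) $true
    }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($hostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $client.Close()
}

# Build the chain against the local certificate stores (revocation is skipped
# so that only trust and completeness of the chain are reported).
$x509Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$x509Chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$isTrusted = $x509Chain.Build($leaf)

"Chain trusted: $isTrusted"
$x509Chain.ChainStatus | ForEach-Object { "Chain status: $($_.Status) $($_.StatusInformation.Trim())" }

# One row per certificate found. A chain that stops at the leaf usually means
# the intermediate certificate could not be located.
foreach ($element in $x509Chain.ChainElements) {
    $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'OK' }
    $thumb  = $element.Certificate.Thumbprint
    $stores = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA, Cert:\CurrentUser\Root, Cert:\CurrentUser\CA |
        Where-Object { $_.Thumbprint -eq $thumb } |
        ForEach-Object { $_.PSParentPath -replace '^.*::', '' }
    [pscustomobject]@{
        Subject  = $element.Certificate.Subject
        Issuer   = $element.Certificate.Issuer
        NotAfter = $element.Certificate.NotAfter
        Status   = $status
        FoundIn  = ($stores | Select-Object -Unique) -join '; '
    }
}
```

A `PartialChain` or `UntrustedRoot` status identifies the certificate that still has to be installed; once the chain is complete, `Chain trusted` reports `True`.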

 

2.   Error while Running On-Boarding script:

Failed to call PreparePushTenant
Exception calling "ExecuteQuery" with "0" argument(s): "The request was aborted: The request was canceled."

We re-ran the Onboarding script, and this time it ran successfully. If it's a first-time configuration (with no crawled data), it is safe and easy to run the Onboarding script again. The script handles cleaning up the earlier trust setup and re-creating it.

 

3.   Onboarding script issue: Getting 401 Unauthorized on PreparePushTenant

C:\CloudHybridSearchScripts-2016\Onboard-CloudHybridSearch.ps1 : Failed to
call PreparePushTenant, error was Exception calling "ExecuteQuery" with "0"
argument(s): "The remote server returned an error: (401) Unauthorized."
At line:1 char:1
+ .\Onboard-CloudHybridSearch.ps1 -PortalUrl
https://********.sharepoint.com ...
    + CategoryInfo          : OperationStopped: (Failed to call ... Unauthoriz
   ed.":String) [Write-Error], RuntimeException
    + FullyQualifiedErrorId : Failed to call PreparePushTenant, error was Exce
   ption calling "ExecuteQuery" with "0" argument(s): "The remote server retu
  rned an error: (401) Unauthorized.",Onboard-CloudHybridSearch.ps1

To create just the Cloud SSA application you need the search service account, but to run the onboarding script you need a tenant global admin account.

When the message Connecting to O365 appears, you will be prompted to sign in using a tenant global admin account:

Ref: https://blogs.msdn.microsoft.com/spses/2015/09/15/cloud-hybrid-search-service-application/