Rajeev's Blog

Never Give-up cause, Everythings Gonna be Alright!

InfoPath -SharePoint 2007/2010/2013 Configuration and troubleshooting

Update on SharePoint Online – InfoPath forms would work perfectly fine for the following web services without going through any of the following steps: (We are experiencing some issues withe FEW SharePoint Online Tenants. If you are one of them, please hold, we are working on this and expected to have a fix soon).

Support kb (http://support.microsoft.com/en-in/kb/2674193) still holds good when you are dealing with other web services. The following web service calls are converted into OM calls and that’s how we are bypassing the DOUBLE HOP issue. I tried using UserProfileService.asmx without having UDCX setup and it works fine. Only requirement is to have the users imported to UserProfiles. 

  • lists.asmx
  • CheckOutFile
  • CheckInFile
  • usergroup.asmx
  • GetUserCollectionFromGroup
  • GetUserCollectionFromSite
  • GetGroupCollectionFromWeb
  • UserProfileService.asmx
  • GetUserProfileByName
  • GetUserPropertyByAccountName
  • GetCommonManager
  • GetUserMemberships
  • GetCommonMemberships

==============================================BELOW CONTENT STILL HOLDS GOOD FOR SHAREPOINT 2010/2013===================================================

SharePoint 2010 has both CLASSIC and CLAIMS based authentication and SharePoint 2013 has CLAIMS mode only (from UI)

Reference: http://technet.microsoft.com/en-s/library/cc262350(v=office.14).aspx#section2

As InfoPath forms won’t work on a CLAIMS based web application, we have to follow the below steps to get it working:

This holds good for SharePoint Server 2010 and SharePoint Server 2013

Note: Screenshots are based on SharePoint Server 2013 but the same applies to SharePoint Server 2010 too.

We need User Profile Service Application to be configured and Secure Store Service Application to be created before following the below steps:

Reference: http://technet.microsoft.com/en-us/library/jj219646(v=office.15).aspx

Step 1:

* Create a new Secure Store Service application "APPID" (Say UPASSS).

* Update the fields as per the below picture: (Ticket Timeout depends on org. requirements)

* If you don’t choose Target Application Type as Group Ticket, none of the users apart from the user whose credential have been updated in the SSS APPID will be able to access the InfoPath form. This option "Group Ticket" enable us to specify ticket redeemers who usually be domain users. If you don’t select this option "IP will give you a descriptive error"

Reference: http://msdn.microsoft.com/en-us/library/ee554863(v=office.14).aspx

* Update the secure store administrator/membership details as per the below screen shot: (again as per your org. requirement)

* Now, you have setup credential for the APPID (UPASSS) which you created above. This will be used to impersonate the user credentials as shown below:

(Windows username (Domain\User) and the password should be able to access the http://Site/_vti_bin/userprofileservice.asmx of the respective site).

We have completed setting up the Secure Store Service "APPID"

* Make sure that the accounts provided for the Secure Store Service have privileges to retrieve data through User Profile Service Application

Step 2:

* Create a blank new InfoPath form; add a data connection (http://site/_vti_bin/userprofileservice.asmx) using GetUserProfilebyName by UNCHECKING “Automatically retrieve data when form is opened”

* Decide where you want to store your universal data connection (UDC) file.

More about UDC: http://msdn.microsoft.com/en-us/library/office/ms772017(v=office.14).aspx

* Convert the above created Data Connection (GetUserProfilebyName) as an UDCX file by selecting Relative to site collection or centrally managed and save it.

If you chose Relative to Site collection, you have to create a Data Connection library and chose this library while converting the UDCX file above. If you select Centrally Managed, you need to save the UDCX file and upload to the SharePoint Central Admin.

Data Connection Library:  http://msdn.microsoft.com/en-us/library/office/ms772101(v=office.14).aspx

Chose the correct location to save the UDCX files: http://technet.microsoft.com/en-us/library/ff621104(v=office.14).aspx

* Download the copy of the UDCX file and edit it as shown below:

Working with Data Connections: http://msdn.microsoft.com/en-us/library/office/ms772364(v=office.14).aspx

<udc:Authentication><udc:SSO AppId=’UPASSA’ CredentialType=’NTLM’ /> </udc:Authentication>

AppID is the Secure Store Service AppId which was created on Step 1. Credential types explained here: http://msdn.microsoft.com/en-us/library/office/ms772017(v=office.14).aspx#sectionSection1

* Make sure to upload the UDCX file back to the CA or Data connection library and approve it.

* Now go to InfoPath form which you have started designing>Data>Form Load rule, add the following 2 rules:

 

 

 

 

Username() function is available in SPS 2010 only post http://support.microsoft.com/kb/2516485

We are all set to use the form now on claims authentication:

* Design your InfoPath form to pull the user profile information as you wish and publish it to the same site (site collection as we are using relative data connection).

Troubleshooting:

You are likely to face the below issues if you look at the ULS trace with the correlation ID:

 * A certificate validation operation took ******.**** milliseconds and has exceeded the execution time threshold.

Add all Sharepoint Root Authority certificates and the web application SSL certificates (complete Chain) into the Trusted Certification Authorities store on all SharePoint servers and the SharePoint CA.

$SPCert = (Get-SPCertificateAuthority).RootCertificate $SPCert.Export(“Cert”) | Set-Content C:\SPCert.cer –Encoding Byte

If internet access is disabled, add "127.0.0.1 crl.microsoft.com" to the HOSTS file on each server

Setup DisableLoopbackCheck value to 1 on all the WFEs http://support.microsoft.com/kb/896861);

Add HOST file entry on each WFE in the farm pointing to itself to avoid the double hop issue. This applies to all the web applications that host the InfoPath form services and are making use of the web services.

 
Ex: Site: http://site.contoso.com 
Host entry: 127.0.0.1 site.contoso.com

* Data adapter failed during OnLoad: The remote server returned an error: (500) Internal    Server Error. A user with the account name system could not be found. —> An error was encountered while retrieving the user profile. UserCannotBeFoundAn error was encountered while retrieving the user profile.

This happens when the account that you are trying to use is a SYSTEM ACCOUNT (due to name space query) / an account that cannot be found.

* The following data connection (GetUserProfileByName) has exceeded the maximum configured time limit. This threshold can be configured by using the SPIPFormsService -MaxDataConnectionRoundTrip PowerShell commandlet. This error is misleading sometimes as it can occur if we have proxy in IE or web.config

 The following query failed: GetUserProfileByName (User: 0#.w|rajeev\administrator, Form Name: Repro-sp2013, IP: , Connection Target: http://sp2013-1r/DCL/GetUserProfileByName.udcx, Request: http://sp2013-1r/_layouts/15/FormServer.aspx?XsnLocation=http://sp2013-1r/Reprosp2013/Forms/template.xsn&SaveLocation=http://sp2013-1r/Reprosp2013&ClientInstalled=false&DefaultItemOpen=1&Source=http://sp2013-1r/Reprosp2013/Forms/AllItems.aspx, Form ID: urn:schemas-microsoft-com:office:infopath:Repro-sp2013:-myXSD-2013-07-09T06-28-47 Type: DataAdapterException, Exception Message: Authentication information in the UDC file could not be used for this connection because user forms are not allowed to use UDC authentication. To change this settings, use the InfoPath Forms Services configuration page in SharePoint Central Admin.)

Both the above settings have to be changed on the CA site. Go to the Configure InfoPath Forms Services section and enable Allow user form templates to use authentication information contained in data connection files and tweak the Data Connection Timeouts

* InfoPath also depends on the State Service and you may see the below error while opening the form: 

 Form render failed because the user's session was closed StackTrace:at Microsoft.Office.InfoPath.Server.Controls.XmlFormView.RenderForm(HtmlTextWriter writer)at Microsoft.Office.InfoPath.Server.Controls.XmlFormView.RenderContents(HtmlTextWriter writer

Please check the state service database and make sure that the InfoPath is able to use it. You can get the specific error details by getting verbose ULS logs.

 

Explained: http://technet.microsoft.com/en-us/library/ee704548(v=office.14).aspx

* Form load issues (performance) is mostly due to the amount of data retrieved by the data connection from SharePoint while the form is opened (in Browser or client). We’ve made enough enhancements in SharePoint 2013 and are still making changes to enhance performance. So, speaking from SharePoint stand point, we need to be within the software guidelines: http://technet.microsoft.com/en-us/library/cc262787(v=office.15).aspx

 

* InfoPath Forms Services do not work when you switch to a claims-based Web application that uses forms-based authentication or Security Assertion Markup Language (SAML) security tokens. These features do not work because claims-based authentication does not generate a Windows security token, which is necessary for these features. reference: http://technet.microsoft.com/en-us/library/hh706161.aspx 

SAML include – ADFS, Site Minder, Oracle, AD LDS, Okta etc.,.

* We could get UserProfileService.asmx working with SAML ONLY when you are using the InfoPath Rich Client (Filler) but doesn't work when you are using BROWSER based forms. To get this working in a web app which is using SAML authentication, you have to import users in the UserProfile Service Application with the same format.

Ex: If you search for a user in your userprofile service application, you usually see users account name as domain\user but to get this working, make sure to create a new sync connection with you SAML Authentication and set the CLAIM USER IDENTIFIER to your SAML in user properties.

Ps: Always try with a user account to test the behavior.