Hybrid Search: Inbound Query fails with 401


Last year I came across an issue where Inbound query was failing consistently.

Issue applies to: April 2014 Cumulative Update or a later cumulative update for a SharePoint 2013 on-premises farm.

When doing an inbound search (i.e. you search from SPO and expect to get results from both SPO and on-prem), the query fails with the error message below:

1¾System.Net.WebException: The remote server returned an error: (401) Unauthorized. at System.Net.HttpWebRequest.GetResponse() at Microsoft.SharePoint.Client.SPWebRequestExecutor.Execute() at Microsoft.SharePoint.Client.ClientContext.GetFormDigestInfoPrivate() at Microsoft.SharePoint.Client.ClientContext.EnsureFormDigest() at Microsoft.SharePoint.Client.ClientContext.ExecuteQuery() at Microsoft.Office.Server.Search.RemoteSharepoint.RemoteSharepointEvaluator.RemoteSharepointProducer.RetrieveDataFromRemoteServer(Object unused) at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx) at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx) at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state) at Microsoft.Office.Server.Search.RemoteSharepoint.RemoteSharepointEvaluator.RemoteSharepointProducer.ProcessRecordCore(IRecord record)

To investigate further, I took a look at the logs on both the on-prem and SPO sides. If you are interested in the stack traces, look below; otherwise you can skip to the Solution section 🙂

Logs from OnPrem:

 

08/07/2014 13:39:07.48        w3wp.exe     0x08A4        SharePoint Portal Server        User Profiles        ae0sx        Unexpected        Error trying to search in the UPA. The exception message is 'System.ArgumentException: Exception of type 'System.ArgumentException' was thrown.  Parameter name: value     at Microsoft.SharePoint.Administration.Claims.SPIdentityProviders.GetIdentityProviderType(String value)     at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.SearchUsingNameIdOrThrow(UserProfileManager upManager, String nameId, String nameIdIssuer)     at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.GetSingleUserProfileFromClaimsList(UserProfileManager upManager, IEnumerable`1 identityClaims)'        a53bac9c-90c4-0075-b18e-d8c02dfc8e41

  

08/07/2014 13:39:07.48        w3wp.exe    0x08A4        SharePoint Portal Server        User Profiles        ae0su        High        The set of claims could not be mapped to a single user identity. Exception Exception of type 'System.ArgumentException' was thrown.  Parameter name: value has occured.        a53bac9c-90c4-0075-b18e-d8c02dfc8e41

  

08/07/2014 13:39:07.48        w3wp.exe    0x08A4        SharePoint Foundation        Claims Authentication        ae0tc        High        The registered mappered failed to resolve to one identity claim. Exception: System.InvalidOperationException: Exception of type 'System.ArgumentException' was thrown.  Parameter name: value ---> System.ArgumentException: Exception of type 'System.ArgumentException' was thrown.  Parameter name: value     at Microsoft.SharePoint.Administration.Claims.SPIdentityProviders.GetIdentityProviderType(String value)     at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.SearchUsingNameIdOrThrow(UserProfileManager upManager, String nameId, String nameIdIssuer)     at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.GetSingleUserProfileFromClaimsList(UserProfileManager upManager, IEnumerable`1 identityClaims)     --- End of inner exception stack trace ---     at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.GetSingleUserProfileFromClaimsList(UserProfileManager upManager, IEnumerable`1 identityClaims)     at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.<>c__DisplayClass2.<GetMappedIdentityClaim>b__0()     at Microsoft.SharePoint.SPSecurity.<>c__DisplayClass5.<RunWithElevatedPrivileges>b__3()     at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)     at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback secureCode, Object param)     at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated secureCode)     at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.GetMappedIdentityClaim(Uri context, IEnumerable`1 identityClaims)     at Microsoft.SharePoint.IdentityModel.SPIdentityClaimMapperOperations.GetClaimFromExternalMapper(Uri contextUri, List`1 claims)        a53bac9c-90c4-0075-b18e-d8c02dfc8e41

  

08/07/2014 13:39:07.48        w3wp.exe       0x08A4        SharePoint Foundation        Claims Authentication        af3zp        Unexpected        STS Call Claims Saml: Problem getting output claims identity. Exception: 'System.InvalidOperationException: Exception of type 'System.ArgumentException' was thrown.  Parameter name: value ---> System.ArgumentException: Exception of type 'System.ArgumentException' was thrown.  Parameter name: value     at Microsoft.SharePoint.Administration.Claims.SPIdentityProviders.GetIdentityProviderType(String value)     at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.SearchUsingNameIdOrThrow(UserProfileManager upManager, String nameId, String nameIdIssuer)     at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.GetSingleUserProfileFromClaimsList(UserProfileManager upManager, IEnumerable`1 identityClaims)     --- End of inner exception stack trace ---     at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.GetSingleUserProfileFromClaimsList(UserProfileManager upManager, IEnumerable`1 identityClaims)     at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.<>c__DisplayClass2.<GetMappedIdentityClaim>b__0()     at Microsoft.SharePoint.SPSecurity.<>c__DisplayClass5.<RunWithElevatedPrivileges>b__3()     at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)     at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback secureCode, Object param)     at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated secureCode)     at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.GetMappedIdentityClaim(Uri context, IEnumerable`1 identityClaims)     at Microsoft.SharePoint.IdentityModel.SPIdentityClaimMapperOperations.GetClaimFromExternalMapper(Uri contextUri, List`1 claims)     at Microsoft.SharePoint.IdentityModel.SPIdentityClaimMapperOperations.ResolveUserIdentityClaim(Uri contextUri, ClaimCollection inputClaims)     at Microsoft.SharePoint.IdentityModel.SPIdentityClaimMapperOperations.GetIdentityClaim(Uri contextUri, ClaimCollection inputClaims, SPCallingIdentityType callerType)     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetLogonIdentityClaim(SPRequestInfo requestInfo, IClaimsIdentity inputIdentity, IClaimsIdentity outputIdentity, SPCallingIdentityType callerType)     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.EnsureSharePointClaims(SPRequestInfo requestInfo, IClaimsIdentity outputIdentity, SPCallingIdentityType callerType)     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.AugmentOutputIdentityForRequest(SPRequestInfo requestInfo, IClaimsIdentity outputIdentity)     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)'.        a53bac9c-90c4-0075-b18e-d8c02dfc8e41

  

Logs from SPO (currently only MS can pull these logs):

 

RemoteSharepointProducerSystem.Net.WebException: The remote server returned an error: (401) Unauthorized.

at System.Net.HttpWebRequest.GetResponse()

at Microsoft.SharePoint.Client.SPWebRequestExecutor.Execute()

at Microsoft.SharePoint.Client.ClientContext.GetFormDigestInfoPrivate()

at Microsoft.SharePoint.Client.ClientContext.EnsureFormDigest()

at Microsoft.SharePoint.Client.ClientContext.ExecuteQuery()

at Microsoft.Office.Server.Search.RemoteSharepoint.RemoteSharepointEvaluator.RemoteSharepointProducer.RetrieveDataFromRemoteServer(Object unused)

at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)

at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)

at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)

at Microsoft.Office.Server.Search.RemoteSharepoint.RemoteSharepointEvaluator.RemoteSharepointProducer.ProcessRecordCore(IRecord record)

ExecuteFlowInternal Flow:Microsoft.RemoteSharepointFlow EvaluationException: Microsoft.Office.Server.Search.Query.RemoteSharepointException: 1<=>System.Net.WebException: The remote server returned an error: (401) Unauthorized.

at System.Net.HttpWebRequest.GetResponse()

at Microsoft.SharePoint.Client.SPWebRequestExecutor.Execute()

at Microsoft.SharePoint.Client.ClientContext.GetFormDigestInfoPrivate()

at Microsoft.SharePoint.Client.ClientContext.EnsureFormDigest()

at Microsoft.SharePoint.Client.ClientContext.ExecuteQuery()

at Microsoft.Office.Server.Search.RemoteSharepoint.RemoteSharepointEvaluator.RemoteSharepointProducer.RetrieveDataFromRemoteServer(Object unused)

at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)

at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)

at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)

at Microsoft.Office.Server.Search.RemoteSharepoint.RemoteSharepointEvaluator.RemoteSharepointProducer.ProcessRecordCore(IRecord record)

at Microsoft.Office.Server.Search.RemoteSharepoint.RemoteSharepointEvaluator.RemoteSharepointProducer.ProcessRecordCore(IRecord record)

at Microsoft.Ceres.Evaluation.Processing.Producers.ProducerRecordSetSink.Put(IRecord record)

at Microsoft.Ceres.Evaluation.Engine.ErrorHandling.HandleExceptionRecordSetSink.DoWithoutTryCatch(IRecord record)

at Microsoft.Ceres.Evaluation.Processing.Producers.ProducerRecordSetSink.PushToOutput()

at Microsoft.Ceres.Evaluation.Processing.Producers.ProducerRecordSetSink.Put(IRecord record)

at Microsoft.Ceres.Evaluation.Engine.Aborting.AbortableRecordSetSink.Put(IRecord record)

at Microsoft.Ceres.Evaluation.Engine.ErrorHandling.HandleExceptionRecordSetSink.DoWithTryCatch(IRecord record)

 

 

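Solution:

# Run in the SharePoint 2013 Management Shell on the on-prem farm.
$config = Get-SPSecurityTokenServiceConfig

# Arguments: rule name, identity provider type, identity provider identifier,
# and the NameId issuer claim value to map (here the issuer urn:federation:microsoftonline).
$config.AuthenticationPipelineClaimMappingRules.AddIdentityProviderNameMappingRule("OrgId Rule", [Microsoft.SharePoint.Administration.Claims.SPIdentityProviderTypes]::Forms, "membership", "urn:federation:microsoftonline")

# Persist the new mapping rule to the STS configuration.
$config.Update()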

Do an IISRESET after this.

Note: These steps need to be executed on only one on-prem SharePoint server.
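
To confirm that a 401 on the inbound query has this cause before touching the STS configuration, the on-prem ULS entries can be grouped by correlation ID and checked for the `GetIdentityProviderType` failure shown in the logs above. The following is an added example, not part of the original post: the function name `Find-ClaimMappingFailure` is hypothetical, the tab-separated field order is assumed from the log lines on this page, and it needs PowerShell 3.0 or later.

```powershell
# Assumed ULS field order (tab-separated), as in the on-prem log lines on this page:
# Timestamp, Process, TID, Area, Category, EventID, Level, Message, Correlation
function Find-ClaimMappingFailure {
    param([string[]]$Line)
    $ids = 'ae0sx', 'ae0su', 'ae0tc', 'af3zp'   # event IDs from the on-prem log above
    $events = foreach ($l in $Line) {
        $f = $l -split "`t"
        if ($f.Count -lt 9) { continue }        # not a complete ULS record
        [pscustomobject]@{
            EventID     = $f[5].Trim()
            Message     = $f[7]
            Correlation = $f[8].Trim()
        }
    }
    $events | Where-Object { $ids -contains $_.EventID } |
        Group-Object Correlation | ForEach-Object {
            $seen = @($_.Group | ForEach-Object { $_.EventID } | Sort-Object -Unique)
            $hit  = @($_.Group | Where-Object {
                $_.Message -match 'SPIdentityProviders\.GetIdentityProviderType' })
            [pscustomobject]@{
                Correlation        = $_.Name
                EventIDs           = $seen -join ','
                # True when the NameId issuer lookup threw, as in the traces above
                IssuerLookupFailed = $hit.Count -gt 0
                # True when the failure is also logged by the STS (event af3zp)
                StsFailed          = $seen -contains 'af3zp'
            }
        }
}

# Constructed sample: the four on-prem entries from this page (messages abridged)
# plus one unrelated entry with a placeholder event ID and correlation ID.
$cid = 'a53bac9c-90c4-0075-b18e-d8c02dfc8e41'
$gip = 'at Microsoft.SharePoint.Administration.Claims.SPIdentityProviders.GetIdentityProviderType(String value)'
$ts  = '08/07/2014 13:39:07.48'
$sample = @(
    ($ts, 'w3wp.exe', '0x08A4', 'SharePoint Portal Server', 'User Profiles', 'ae0sx', 'Unexpected', "Error trying to search in the UPA. $gip", $cid) -join "`t"
    ($ts, 'w3wp.exe', '0x08A4', 'SharePoint Portal Server', 'User Profiles', 'ae0su', 'High', 'The set of claims could not be mapped to a single user identity.', $cid) -join "`t"
    ($ts, 'w3wp.exe', '0x08A4', 'SharePoint Foundation', 'Claims Authentication', 'ae0tc', 'High', "The registered mappered failed to resolve to one identity claim. $gip", $cid) -join "`t"
    ($ts, 'w3wp.exe', '0x08A4', 'SharePoint Foundation', 'Claims Authentication', 'af3zp', 'Unexpected', "STS Call Claims Saml: Problem getting output claims identity. $gip", $cid) -join "`t"
    ($ts, 'w3wp.exe', '0x08A4', 'SharePoint Foundation', 'General', 'xxxx', 'Medium', 'Constructed unrelated entry', '00000000-0000-0000-0000-000000000000') -join "`t"
)
Find-ClaimMappingFailure -Line $sample | Format-List
```

A correlation ID reported with both flags set matches the failure pattern in the on-prem log above; the unrelated entry is not reported at all.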

 

 

 

Comments (3)

  1. Abhishek says:

    $config.AuthenticationPipelineClaimMappingRules.AddIdentityProviderNameMappingRule is just the name of the method. How to determine what parameters need to be passed specific to the environment?

    1. Shruti-MSFT says:

      Sorry for the delayed response, Abhishek. But here are the parameters per MSDN:

      public SPAuthenticationPipelineClaimMapping AddIdentityProviderNameMappingRule(
      string ruleName,
      string identityProviderType,
      string identityProviderIdentifier,
      string mappedNameIdIssuerClaimValue
      )

      https://msdn.microsoft.com/en-us/library/office/microsoft.sharepoint.applicationservices.spauthenticationpipelineclaimmappingcollection.addidentityprovidernamemappingrule.aspx

  2. Abhishek says:

    Hi, great solution, and it worked immediately. Thanks a lot, mate.
