I am listing below some common errors encountered when running the Onboarding script for Cloud SSA, and what their solutions look like:
- Error: "Could not establish trust relationship for the SSL/TLS secure channel with authority 'https://provisioningapi.microsoftonline.com/provisioningwebservice.svc'" when running the Onboarding script
We tried the PowerShell below to see if we could create a new web service proxy for the provisioning web service, but it failed with the same error. The credentials we entered were "tenant admin for O365", so that did not seem to be the problem.
$cred = Get-Credential
$proxy = New-WebServiceProxy -Uri 'https://provisioningapi.microsoftonline.com/ProvisioningWebService.svc?wsdl' -Credential $cred
Could not establish trust relationship for the SSL/TLS secure channel with authority 'https://provisioningapi.microsoftonline.com/provisioningwebservice.svc'
We could browse just fine to https://provisioningapi.microsoftonline.com/provisioningwebservice.svc with no certificate errors.
- Browse to https://provisioningapi.microsoftonline.com/provisioningwebservice.svc, view its certificates, and install the chain of certificates from there.
- Note: the entire chain needs to be trusted.
- Open the MMC console and, under Certificates -> Trusted Root Authorities, ensure all 3 certificates are installed: the root cert, *.microsoftonline.com, and the intermediate certificate issued to Microsoft IT SSL SHA2. Most commonly, the intermediate certificate is missing.
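An added diagnostic, not part of the original post or of the onboarding script: it builds the endpoint's certificate chain from PowerShell and reports the status of each element, so a missing intermediate shows up as `PartialChain` and an untrusted root as `UntrustedRoot`. The function name `Test-TlsChain` is hypothetical; run it as the same account that runs the onboarding script, since chain building also consults that user's certificate stores.

```powershell
# Added example: inspect the certificate chain this machine builds for a TLS endpoint.
function Test-TlsChain {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )
    $ssl = $null
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback accepts any certificate only so the handshake completes and the
        # certificate can be read; no application data is sent over this connection.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }

    # Rebuild the chain against the local certificate stores, as New-WebServiceProxy would.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($leaf)

    # One row per chain element, leaf first; Status is "OK" when the element has no errors.
    $elements = foreach ($el in $chain.ChainElements) {
        $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        [pscustomobject]@{
            Subject    = $el.Certificate.Subject
            Issuer     = $el.Certificate.Issuer
            Thumbprint = $el.Certificate.Thumbprint
            NotAfter   = $el.Certificate.NotAfter
            Status     = if ($status) { $status } else { 'OK' }
        }
    }

    [pscustomobject]@{
        Trusted     = $trusted
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        Elements    = $elements
    }
}

$result = Test-TlsChain -HostName 'provisioningapi.microsoftonline.com'
"Trusted: $($result.Trusted)  ChainStatus: $($result.ChainStatus)"
$result.Elements | Format-List
```

If `Trusted` is `False`, the `Status` column shows which element of the chain is the one to install.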
- Error while running the Onboarding script:
" Failed to call PreparePushTenant
Exception calling "ExecuteQuery" with "0" argument(s): "The request was
aborted: The request was canceled."
We re-ran the Onboarding script, and this time it ran successfully. If it's a first-time configuration (with no crawled data), it is safe and easy to run the Onboarding script. The script handles cleaning up the earlier trust setup and its re-creation. On our second run, the script ran through successfully.
- Onboarding script issue: getting 401 Unauthorized on PreparePushTenant
C:\CloudHybridSearchScripts-2016\Onboard-CloudHybridSearch.ps1 : Failed to
call PreparePushTenant, error was Exception calling "ExecuteQuery" with "0"
argument(s): "The remote server returned an error: (401) Unauthorized."
At line:1 char:1
+ .\Onboard-CloudHybridSearch.ps1 -PortalUrl
+ CategoryInfo : OperationStopped: (Failed to call ... Unauthoriz
ed.":String) [Write-Error], RuntimeException
+ FullyQualifiedErrorId : Failed to call PreparePushTenant, error was Exce
ption calling "ExecuteQuery" with "0" argument(s): "The remote server retu
rned an error: (401) Unauthorized.",Onboard-CloudHybridSearch.ps1
Now, for creating just the Cloud SSA application you need the search service account, but when you run the onboarding script you need a tenant global admin account.
When the message Connecting to O365 appears, you will be prompted to sign in using a tenant global admin account: