Forum Discussion
Third party oidc authentication with SPSE failed
Following the new https://docs.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/oidc-1-0-authentication , I managed configuring oidc authenticate in SPSE with ADFS. I then tried third ...
03.15.2022 11:07:41.33 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Logging Correlation Data xmnv Medium Name=Request (POST:https://oidctest.contoso.local/_layouts/15/Authenticate.aspx?Source=%252F) b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.33 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Asp Runtime avwhz Medium SPRequestModule.BeginRequestHandler End, SP Build Version: '16.0.14326.20602' b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.33 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Nonce Cookie 9brd4 Medium SPContextCookie : Using full host domain for cookie. CookieName: 'nSGt'. b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.33 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Nonce Cookie 9brdr Medium SPCryptoContextCookie : Initial Secondary certificate is null and we did not receive a secondary certificate thumbprint. b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.33 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Nonce Cookie 9brc8 Medium SPNonceCookie : The Identifier is set successfully. Identifier: '', NonceToSendToIdentityProvider: '1052C7C0B64939E9AD4ED9E0AE79DA9377E650180CDEE9B5-7EADB364F29A63E9C52B0B4B33A094168CDC8354D8D684DF522F06FD78AD4188'. b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.33 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Claims Authentication 9w647 Medium Using input cookie name. CookieName: 'nSGt-1052C7C0B64939E9AD4ED9E0AE79DA9377E650180CDEE9B5'. b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.33 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Nonce Cookie 9brbv Medium SPNonceCookie : Successfully read nonce cookie. Version: '0', Seed: '9DA2E444C81E8DA541AC5FEC919C82198F7FD7BDD6403B93', Identifier: '1052C7C0B64939E9AD4ED9E0AE79DA9377E650180CDEE9B5'. b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.33 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Nonce Cookie 9brc8 Medium SPNonceCookie : The Identifier is set successfully. Identifier: '1052C7C0B64939E9AD4ED9E0AE79DA9377E650180CDEE9B5', NonceToSendToIdentityProvider: '1052C7C0B64939E9AD4ED9E0AE79DA9377E650180CDEE9B5-7EADB364F29A63E9C52B0B4B33A094168CDC8354D8D684DF522F06FD78AD4188'. b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.33 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Claims Authentication 9w647 Medium Using input cookie name. CookieName: 'nSGt-1052C7C0B64939E9AD4ED9E0AE79DA9377E650180CDEE9B5'. b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.33 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Authentication Authorization deffe Medium The browser does support SameSite at revision 3 of RFC6265. b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.33 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Nonce Cookie 9brbj Medium SPNonceCookie : Deleted nonce cookie if present. Identifier: '1052C7C0B64939E9AD4ED9E0AE79DA9377E650180CDEE9B5'. b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.33 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Security Token Handler 8p0r7 Medium Audience GUID matches trusted login provider default client identifier. Audience: 'oidctest', provider Default Identifier: 'oidctest', provider Uri: ''. b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.33 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Topology aeayb Medium SecurityTokenServiceSendRequest: RemoteAddress: 'http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc' Channel: 'System.ServiceModel.Security.IWSTrustChannelContract' Action: 'http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue' MessageId: 'urn:uuid:b7edff6c-0098-4e63-adcb-f52ab2636b2a' b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.34 w3wp.exe (0x8518) 0xF464 SharePoint Foundation Topology aeax9 Medium SecurityTokenServiceReceiveRequest: LocalAddress: 'http://sp04.sp.local:32843/SecurityTokenServiceApplication/securitytoken.svc' Channel: 'System.ServiceModel.Channels.ServiceChannel' Action: 'http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue' MessageId: 'urn:uuid:b7edff6c-0098-4e63-adcb-f52ab2636b2a' b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.34 w3wp.exe (0x8518) 0xF464 SharePoint Foundation Monitoring nasq Medium Entering Monitored Scope (ExecuteSecurityTokenServiceOperationServer). Parent=None b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.34 w3wp.exe (0x8518) 0xF464 SharePoint Foundation Security Token Service 9w6kv Medium STS Call: Creating Claims Operations Scope for Applies To Uri: 'https://oidctest.contoso.local/'. b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.34 w3wp.exe (0x8518) 0xF464 SharePoint Foundation Claims Authentication a6oo7 Medium Created claims operation context from uri. ContextUri: 'https://oidctest.contoso.local/', Source: 'SiteWithoutSiteSubscription'. b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.34 w3wp.exe (0x8518) 0xF464 SharePoint Foundation Security Token Service 9w6k3 Medium Creating SPSecurityTokenRequestContextV2 object for security token service Issue request. b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.34 w3wp.exe (0x8518) 0xF464 SharePoint Foundation Security Token Service 9w6k0 Monitorable STS Call: Failed to issue new security token. Exception: 'System.IdentityModel.Tokens.SecurityTokenException: Validate signature failure : no found matched security key for token signature. at Microsoft.SharePoint.IdentityModel.SPOpenIDSecurityTokenHandlerV2.ValidateSignature(String token, TokenValidationParameters validationParameters) at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateToken(String securityToken, TokenValidationParameters validationParameters, SecurityToken& validatedToken) at Microsoft.SharePoint.IdentityModel.SPOpenIDSecurityTokenHandlerV2.ValidateToken(String tokenString, TokenValidationParameters validationParameters, SecurityToken& token) at Microsoft.SharePoint.IdentityModel.SPOpenIDSecurityTokenHandlerV2.ValidateToken(SecurityToken token) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenRequestContextV2..ctor(ClaimsIdentity identity, RequestSecurityToken request, Boolean initializeForActor, SPSecurityTokenRequestTypeV2 overrideRequestType) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenServiceV2.Issue(ClaimsPrincipal principal, RequestSecurityToken request)'. b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.34 w3wp.exe (0x8518) 0xF464 SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope: (ExecuteSecurityTokenServiceOperationServer) Execution Time=3.2962; CPU Milliseconds=3; SQL Query Count=0; Parent=None b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.34 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Security Token Service Caller btgia High SPSecurityContext: Request for security token failed with exception. Exception: 'System.ServiceModel.FaultException: The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs. at System.ServiceModel.Security.WSTrustChannel.ReadResponse(Message response) at System.ServiceModel.Security.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr) at System.ServiceModel.Security.WSTrustChannel.Issue(RequestSecurityToken rst) at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo, SPRequestSecurityTokenProperties properties)'. b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.34 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Claims Authentication 8306 Critical An exception occurred when trying to issue security token: The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs.. b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.34 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Claims Authentication 9w636 Unexpected Claims Saml Sign-In: Could not get local token for trusted third party token. FaultException: 'System.ServiceModel.FaultException: The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs. at System.ServiceModel.Security.WSTrustChannel.ReadResponse(Message response) at System.ServiceModel.Security.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr) at System.ServiceModel.Security.WSTrustChannel.Issue(RequestSecurityToken rst) at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo, SPRequestSecurityTokenProperties properties) at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForOnBehalfOfContext(Uri context, SecurityToken onBehalfOf) at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModuleV2.ExchangeArgumentTrustedThirdPartySessionSecurityTokenForLocalToken(SecurityToken thirdPartyToken, SessionSecurityTokenCreatedEventArgs arguments)'. Stack: ' at System.ServiceModel.Security.WSTrustChannel.ReadResponse(Message response) at System.ServiceModel.Security.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr) at System.ServiceModel.Security.WSTrustChannel.Issue(RequestSecurityToken rst) at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo, SPRequestSecurityTokenProperties properties) at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForOnBehalfOfContext(Uri context, SecurityToken onBehalfOf) at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModuleV2.ExchangeArgumentTrustedThirdPartySessionSecurityTokenForLocalToken(SecurityToken thirdPartyToken, SessionSecurityTokenCreatedEventArgs arguments)'. b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.35 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Asp Runtime avwhw Medium SPRequestModule.ErrorAppHandler Begin b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.35 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation General 8nca Medium Application error when access /_layouts/15/Authenticate.aspx, Error=The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs. at System.ServiceModel.Security.WSTrustChannel.ReadResponse(Message response) at System.ServiceModel.Security.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr) at System.ServiceModel.Security.WSTrustChannel.Issue(RequestSecurityToken rst) at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo, SPRequestSecurityTokenProperties properties) at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForOnBehalfOfContext(Uri context, SecurityToken onBehalfOf) at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModuleV2.ExchangeArgumentTrustedThirdPartySessionSecurityTokenForLocalToken(SecurityToken thirdPartyToken, SessionSecurityTokenCreatedEventArgs arguments) at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModuleV2.OnSessionSecurityTokenCreated(SessionSecurityTokenCreatedEventArgs eventArgs) at System.IdentityModel.Services.WSFederationAuthenticationModule.SetPrincipalAndWriteSessionToken(SessionSecurityToken sessionToken, Boolean isSession) at System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request) at System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModuleV2.OnAuthenticateRequest(Object sender, EventArgs eventArgs) at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.35 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Runtime tkau Unexpected System.ServiceModel.FaultException: The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs. at System.ServiceModel.Security.WSTrustChannel.ReadResponse(Message response) at System.ServiceModel.Security.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr) at System.ServiceModel.Security.WSTrustChannel.Issue(RequestSecurityToken rst) at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo, SPRequestSecurityTokenProperties properties) at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForOnBehalfOfContext(Uri context, SecurityToken onBehalfOf) at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModuleV2.ExchangeArgumentTrustedThirdPartySessionSecurityTokenForLocalToken(SecurityToken thirdPartyToken, SessionSecurityTokenCreatedEventArgs arguments) at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModuleV2.OnSessionSecurityTokenCreated(SessionSecurityTokenCreatedEventArgs eventArgs) at System.IdentityModel.Services.WSFederationAuthenticationModule.SetPrincipalAndWriteSessionToken(SessionSecurityToken sessionToken, Boolean isSession) at System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request) at System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModuleV2.OnAuthenticateRequest(Object sender, EventArgs eventArgs) at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.35 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation General ajlz0 High Getting Error Message for Exception System.ServiceModel.FaultException: The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs. at System.ServiceModel.Security.WSTrustChannel.ReadResponse(Message response) at System.ServiceModel.Security.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr) at System.ServiceModel.Security.WSTrustChannel.Issue(RequestSecurityToken rst) at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo, SPRequestSecurityTokenProperties properties) at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForOnBehalfOfContext(Uri context, SecurityToken onBehalfOf) at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModuleV2.ExchangeArgumentTrustedThirdPartySessionSecurityTokenForLocalToken(SecurityToken thirdPartyToken, SessionSecurityTokenCreatedEventArgs arguments) at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModuleV2.OnSessionSecurityTokenCreated(SessionSecurityTokenCreatedEventArgs eventArgs) at System.IdentityModel.Services.WSFederationAuthenticationModule.SetPrincipalAndWriteSessionToken(SessionSecurityToken sessionToken, Boolean isSession) at System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request) at System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModuleV2.OnAuthenticateRequest(Object sender, EventArgs eventArgs) at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.35 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation General aat87 Monitorable b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.35 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Authentication Authorization agb9s Medium Non-OAuth request. IsAuthenticated=False, UserIdentityName=, ClaimsCount=0 b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.35 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation General agxkz High calling GetCurrentGenericSetupPath for a versioned path: TEMPLATE\LAYOUTS b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.35 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Application Authentication 9s97c Medium SPApplicationAuthenticationModuleV2.IsBearerChallengeRequested: Return 'False'. b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.35 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Application Authentication 9s97n Medium The request isn't made to a page which allows NeverAuth to be specified in the query string b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.35 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Claims Authentication crpqx Medium STS setting for SuppressModernAuthForOfficeClients:'True'. b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.35 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Application Authentication 9s976 Medium IsClaimsTrustedAuthenticationOnly: 'False', IsOfficeClientIDCRLRequest: 'False', HasSPTrustedSecurityTokenIssuer: 'False', ForceIdcrlForOfficeClients: 'True'. b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.35 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Asp Runtime avwh5 Medium SPRequestModule.PreSendRequestHeaders End b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.35 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Asp Runtime avwhx Medium SPRequestModule.ErrorAppHandler End b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.35 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Asp Runtime avwia Medium SPRequestModule.PostLogRequestHandler Begin b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.35 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Asp Runtime avwib Medium SPRequestModule.PostLogRequestHandler End b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.35 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Asp Runtime avwic Medium SPRequestModule.EndRequestHandler Begin b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.35 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Micro Trace uls4 Medium Micro Trace Tags: 0 avwhy,0 nasq,1 avwhz,0 9brd4,0 9brdr,0 9brc8,0 9w647,0 9brbv,0 9brc8,0 9w647,0 deffe,0 9brbj,2 8p0r7,1 aeayb,12 btgia,0 9w636,0 avwhw,0 8nca,0 tkau,0 ajlz0,1 aat87,2 agb9s,0 agxkz,1 9s97c,0 9s97n,0 crpqx,0 9s976,0 avwh5,0 avwhx,0 avwia,0 avwib,0 avwic b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.35 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Runtime aoxsq Medium Sending HTTP response 200 for HTTP POST request b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.35 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Unified Audit bm7sm High SPRequestModule::CreatePageViewedAuditEntry: Required parameters not set properly,exiting creating PageViewed SPUnifiedAuditEntry b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.35 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope: (Request (POST:https://oidctest.contoso.local/_layouts/15/Authenticate.aspx?Source=%252F)) Execution Time=26.8099; CPU Milliseconds=16; SQL Query Count=0; Parent=None b2ec29a0-34e1-808c-08b8-fecdfcecba7e
03.15.2022 11:07:41.35 w3wp.exe (0xF50C) 0x11814 SharePoint Foundation Asp Runtime avwid Medium SPRequestModule.EndRequestHandler End b2ec29a0-34e1-808c-08b8-fecdfcecba7e
Steve Zhang
Microsoft
MicrosoftThanks Hasan,
By looking at the log, your SharePoint version(16.0.14326.20620) is not latest, our fix is in March PU.
Could you please have a try with March PU? You can get latest PU from: https://docs.microsoft.com/en-us/officeupdates/sharepoint-updates
By looking at the log, your SharePoint version(16.0.14326.20620) is not latest, our fix is in March PU.
Could you please have a try with March PU? You can get latest PU from: https://docs.microsoft.com/en-us/officeupdates/sharepoint-updates
- TroyStarr
Hi ictotum, you can open a support case by going to https://support.microsoft.com/contactus, then clicking Show expanded list of products, then clicking SharePoint Server. The cost to open a support case will depend on the type of support contract your organization has with Microsoft.
- how's that? Is it free? How can I open it? Thanks
- Steve Zhang
- It seems you can help me for an issue with another third party... Forgerock. Do I have to open a new discussion? I try to list here... SE configured with 3 data: 1) claim to map (EmailAddress), 2) metadata URL (has everything there), 3) client ID. I don't know if the auth provider team should do something else, they told me the claim they treat is "email", not "EmailAddress", maybe that's the issue? The authentication error, in SharePoint, is... the claim is void or not recognized. LOGS > "No identity provider claim on the identity..." "Initialized session revocation members. Auth instant: 'null'. IAT: 'null'. ValidFrom: 'null'. Operation type: '' ..." "Initialize session attributes: Did not find any. Current value: 'None'..." "Trusted login provider is not sending configured input identity claim type..." "Throwing fault exception because there is no identity claim..." "An exception occurred when trying to issue security token: The trusted login provider did not supply a token accepted by this farm"
Thanks so much jinzhong he! Knowing you got it working helped me get to the bottom of our issue.
On our keycloak instances (latest 17.0.0 quarkus version), in a new test realm, the default for "Access Token Lifespan" is set to 5 minutes. (For reference, on ADFS, this same value defaults to 60 minutes).
This is all fine usually, as many apps, (excluding sharepoint), we've tested on both keycloak and adfs work fine with either IdP with default timeouts.
But sharepoint has an odd behavior, in that by default: "when there are less than 10 minutes left in the lifetime SharePoint considers it expired" (quote from https://sharepoint.stackexchange.com/users/3338/infotekka at https://sharepoint.stackexchange.com/questions/79864/sharepoint-2013-adfs-login-local-token-cache-always-expired )
The ULS logs confirmed the issue after sso login: "Found matching token cache entry but it's token is expired."
So sharepoint was rejecting the token as expired immediately after the successful SSO login from keycloak had completed. Adjusting the keycloak realm settings for "Access Token Lifespan" to 60 minutes up from the default 5 minutes fixed our issue. Login to sharepoint is now working correctly against keycloak.
- The client scopes were the default(emial, profile, etc), The IdentifierClaim I used on the sharepoint side was the UPN, and on the keycloak side, I mapped username to upn.
Could you list what client scopes and mappers you've configured in keycloak to get this to work? and what claim type you've configured on the sharepoint side to recieve those claims?
So far i've been unsuccessful in getting keycloak to work with SPSE, although now the token is validating correctly (per the ULS logs) since the March CU, so appears i'm missing some critical claims for sharepoint to grant access.
Currently I'm attempting to use "email" as the claim on both sides to match.
benjamin8733 see the attached screenshot.
You need to create token mappers for username mapping.
Would you mind posting a screenshot or an export of your sharepoint client config inside of keycloak now that you've got it working? Or even just an example access or id token that has the claims you added to get it working?
Thanks for anything you can provide to help us out!
- The March PU worked. Thanks.
- Steve ZhangIt's good to know the fix really works. For the page js errors, yes, we can start another new discussion with new post.
- Hi again Steve,
As you suggest, after march update, keycloak and SP-SE integration worked. But this time portal pages (modern experience sites) throw js errors. i think i have to start a new discussion. Thanks again. - Hi Steve,
Thanks for the quick reply. i will update the farm asap. i'll get informed you after the upgrade.
