I created a SharePoint provider-hosted app (high-trust app) that uses an ASP.NET membership provider customized to use an external service. I configured the SharePoint web application to use the same membership provider. This FBA system runs, without
problems, on both systems.
So I want the users to log in on the app, and then the app, using a ClientContext, to do CRUD operations in the SharePoint web application.
I use this method to create a ClientContext:
TokenHelper.GetS2SClientContextWithClaimsIdentity
and in this method I create a server-to-server token that contains in particular the following claims:
//Actor claims
Issuer = 3172d9fb-4fd2-afbc-4d5c-82f2755aa934@805beba8-f6b4-1234-badf-7f2807cf7376
nameid = 00000003-0000-0ff1-ce00-000000000000@805beba8-f6b4-1234-badf-7f2807cf7376
trustedfordelegation = true
//Outer claims
Issuer = 00000003-0000-0ff1-ce00-000000000000@805beba8-f6b4-1234-badf-7f2807cf7376
nii = urn:office:idp:forms:customizedmembershipprovider
nameid = i:0#.f|customizedmembershipprovider|testusername
nid = i:0#.f|customizedmembershipprovider|testusername
identityprovider = forms
If I use the actor token, the context is created, but I operate as the app and not with the user's permissions. If I send the complete token (outer + actor), SharePoint returns a 401 error. I opened the logs and found the following information:
SPJsonWebSecurityBaseTokenHandler: Issuer name in token '3172d9fb-4fd2-afbc-4d5c-82f2755aa934@805beba8-f6b4-1234-badf-7f2807cf7376' matches the registered issuer name for trusted sts 'High Trust App'.
SPIdentityClaims: Couldn't find claim of type 'http://schemas.microsoft.com/office/2012/01/nameidissuer'
SPIdentityClaims: Couldn't find claim of type 'http://schemas.microsoft.com/office/2012/01/upn'
SPIdentityClaims: Couldn't find claim of type 'http://schemas.microsoft.com/office/2012/01/smtp'
SPIdentityClaims: Couldn't find claim of type 'http://schemas.microsoft.com/office/2012/01/sip'
SPIncomingIdentityHandler: This is not an app-only token, returning.
SPSecurityTokenServiceManager!GetProviderByName: Searching Trusted Security Token Issuers for input High Trust App
SPJsonWebSecurityBaseTokenHandler: ValidateActorIsSelfIssuer! Issuer 'High Trust App' is not self issuer.
SPSecurityTokenExtensions: Audience:00000003-0000-0ff1-ce00-000000000000/appdomain:80@805beba8-f6b4-1234-badf-7f2807cf7376.
SPSecurityTokenExtensions: Not Valid Before:03/05/2014 17:04:45, Valid To:03/05/2014 17:14:45.
SPSecurityTokenExtensions: Issuer:00000003-0000-0ff1-ce00-000000000000@805beba8-f6b4-1234-badf-7f2807cf7376.
SPSecurityTokenExtensions: Claim['nii':'urn:office:idp:forms:customizedmembershipprovider'].
SPSecurityTokenExtensions: Claim['nameid':'i:0#.f|customizedmembershipprovider|testusername'].
SPSecurityTokenExtensions: Claim['nid':'i:0#.f|customizedmembershipprovider|testusername'].
SPSecurityTokenExtensions: Claim['identityprovider':'forms'].
SPSecurityTokenExtensions: Audience:00000003-0000-0ff1-ce00-000000000000/appdomain:80@805beba8-f6b4-1234-badf-7f2807cf7376.
SPSecurityTokenExtensions: Not Valid Before:03/05/2014 17:04:45, Valid To:01/29/2016 03:44:45.
SPSecurityTokenExtensions: Issuer:3172d9fb-4fd2-afbc-4d5c-82f2755aa934@805beba8-f6b4-1234-badf-7f2807cf7376.
SPSecurityTokenExtensions: Claim['nameid':'00000003-0000-0ff1-ce00-000000000000@805beba8-f6b4-1234-badf-7f2807cf7376'].
SPSecurityTokenExtensions: Claim['trustedfordelegation':'true'].
Entering monitored scope (Getting Site Subscription Id). Parent [S2S] Getting token from STS and setting Thread Identity
Leaving Monitored Scope (Getting Site Subscription Id). Execution Time=0.0468
Entering monitored scope (Reading token from Cache using token signature). Parent [S2S] Getting token from STS and setting Thread Identity
Leaving Monitored Scope (Reading token from Cache using token signature). Execution Time=1.0524
EncodeProviderUserKey couldn't encode provider user key for input [originalIssuerType:'Unknown'] [originalIssuerIdentifier:'office:idp:forms:customizedmembershipprovider'] [providerUserKeyValue:'i:0#.f|customizedmembershipprovider|testusername']
Leaving Monitored Scope (Application Authentication Pipeline). Execution Time=3.9147
SPApplicationAuthenticationModule: Failed to authenticate request, unknown error. Exception details: System.ArgumentNullException: Value cannot be null.
at Microsoft.SharePoint.Utilities.SPUtility.GetProviderName(String fullName)
at Microsoft.SharePoint.Administration.Claims.SPClaimEncodingManager.IsEncodedClaim(String value)
at Microsoft.SharePoint.Administration.Claims.SPClaimEncodingManager.DecodeClaim(String value)
at Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.TryBuildCacheKey(IClaimsIdentity userIdentity, String& cacheKey)
at Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.TrySignInUserFromCache(SPIncomingTokenContext tokenContext)
at Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.TrySignInUsingUserLoginTokenCache(SPIncomingTokenContext tokenContext)
at Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.ConstructIClaimsPrincipalAndSetThreadIdentity(HttpApplication httpApplication, HttpContext httpContext, SPFederationAuthenticationModule fam)
at Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.AuthenticateRequest(Object sender, EventArgs e)
Application error when access /_vti_bin/client.svc, Error=Value cannot be null.
at Microsoft.SharePoint.Utilities.SPUtility.GetProviderName(String fullName)
at Microsoft.SharePoint.Administration.Claims.SPClaimEncodingManager.IsEncodedClaim(String value)
at Microsoft.SharePoint.Administration.Claims.SPClaimEncodingManager.DecodeClaim(String value)
at Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.TryBuildCacheKey(IClaimsIdentity userIdentity, String& cacheKey)
at Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.TrySignInUserFromCache(SPIncomingTokenContext tokenContext)
at Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.TrySignInUsingUserLoginTokenCache(SPIncomingTokenContext tokenContext)
at Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.ConstructIClaimsPrincipalAndSetThreadIdentity(HttpApplication httpApplication, HttpContext httpContext, SPFederationAuthenticationModule fam)
at Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.AuthenticateRequest(Object sender, EventArgs e)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Leaving Monitored Scope (Request (POST:http://appdomain:80/_vti_bin/client.svc/ProcessQuery)). Execution Time=5.5938
SPOAuthHttpChallenge: Setting WWW-Authenticate header to:Bearer realm="805beba8-f6b4-1234-badf-7f2807cf7376",client_id="00000003-0000-0ff1-ce00-000000000000",trusted_issuers="3172d9fb-4fd2-afbc-4d5c-82f2755aa934@805beba8-f6b4-1234-badf-7f2807cf7376,00000003-0000-0ff1-ce00-000000000000@805beba8-f6b4-1234-badf-7f2807cf7376"
In the log I can see that it doesn't find any IdentityClaims, but I passed the identityprovider (forms) and the provider name.
If I run the Get-SPSecurityTokenServiceConfig command in the Management Shell, it returns:
SecurityTokenServicePublicUrlSuffix : /_vti_bin/spsecuritytokenserviceactive.svc
SecurityTokenServiceMetadataPublicUrlSuffix : /_vti_bin/spsecuritytokenserviceactive.svc/mex
LocalLoginProvider : SPLocalLoginProvider Name=SharePoint
TrustedLoginProviderNames : {}
TrustedLoginProviders : {}
TrustedAccessProviders : {}
TrustedSecurityTokenServices : {High Trust App}
AuthenticationPipelineClaimMappingRules : {WindowsMappingRule}
AllowMetadataOverHttp : False
UseSessionCookies : False
WindowsTokenLifetime : 10:00:00
FormsTokenLifetime : 10:00:00
CookieLifetime : 5.00:00:00
ServiceTokenLifetime : 10:00:00
MaxLogonTokenCacheItems : 250
MaxLogonTokenOptimisticCacheItems : 100000
LogonTokenCacheExpirationWindow : 00:10:00
MaxServiceTokenCacheItems : 250
MaxServiceTokenOptimisticCacheItems : 100000
ServiceTokenCacheExpirationWindow : 00:10:00
ApplicationTokenLifetime : 1.12:00:00
AuthenticatorTokenLifetime : 1.12:00:00
MinApplicationTokenCacheItems : 250
MaxApplicationTokenCacheItems : 100000
ApplicationTokenCacheExpirationWindow : 00:10:00
LoopbackTokenLifetime : 10:00:00
AllowOAuthOverHttp : True
CookieValueHandlerType : Microsoft.SharePoint.IdentityModel.SPSessionSecurityTokenCookieValue
NameIdentifier : 00000003-0000-0ff1-ce00-000000000000@805beba8-f6b4-1234-badf-7f2807cf7376
PidEnabled : True
HybridStsSelectionEnabled : True
Name : SecurityTokenServiceManager
TypeName : Microsoft.SharePoint.Administration.Claims.SPSecurityTokenServiceManager
DisplayName : SecurityTokenServiceManager
Id : 772171b3-a123-6543-aa22-f6b3b219af21
Status : Online
Parent : SPSecurityTokenService Name=SecurityTokenService
Version : 2375881
Properties : {}
Farm : SPFarm Name=SharePoint_Config
UpgradedPersistedProperties : {}
CanSelectForBackup : True
DiskSizeRequired : 0
CanSelectForRestore : True
CanRenameOnRestore : False
I want to highlight these three configuration settings:
TrustedLoginProviderNames: {}
TrustedLoginProviders : {}
TrustedAccessProviders : {}
What is wrong?
Thanks
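Added example (not from the question and not TokenHelper's code): a Python script that builds an unsigned outer-plus-actor token with the same claim layout as the post and runs offline the checks the ULS log above is performing (outer issuer, audience, validity window, nii/identityprovider pairing, actor issuer, actor nameid, trustedfordelegation). The realm, app id and audience are the values quoted in the question; the "actortoken" claim name and the "nameid already encoded" check are assumptions made for this illustration.

```python
import base64
import json

# Constructed sample values mirroring the GUIDs quoted in the question (not real tenants).
REALM = "805beba8-f6b4-1234-badf-7f2807cf7376"
SP_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"
APP_ID = "3172d9fb-4fd2-afbc-4d5c-82f2755aa934"
AUDIENCE = f"{SP_PRINCIPAL}/appdomain:80@{REALM}"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unsigned_jwt(claims: dict) -> str:
    # Offline inspection only: a real S2S token is signed with the app certificate.
    header = b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


def jwt_claims(token: str) -> dict:
    body = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


def build_token(user_nameid: str, now: int) -> str:
    # Actor token = the app; outer token = the user, nested via an assumed "actortoken" claim.
    actor = {"iss": f"{APP_ID}@{REALM}", "nameid": f"{SP_PRINCIPAL}@{REALM}",
             "trustedfordelegation": "true", "aud": AUDIENCE, "nbf": now, "exp": now + 600}
    outer = {"iss": f"{SP_PRINCIPAL}@{REALM}", "aud": AUDIENCE, "nbf": now, "exp": now + 600,
             "nii": "urn:office:idp:forms:customizedmembershipprovider", "nameid": user_nameid,
             "identityprovider": "forms", "actortoken": unsigned_jwt(actor)}
    return unsigned_jwt(outer)


def inspect_s2s_token(token: str, now: int) -> list:
    """Return findings that mirror what the ULS log in the question checks."""
    findings, outer = [], jwt_claims(token)
    if outer.get("iss") != f"{SP_PRINCIPAL}@{REALM}":
        findings.append("outer issuer is not the SharePoint principal")
    if outer.get("aud") != AUDIENCE:
        findings.append("outer audience mismatch")
    if not (outer.get("nbf", 0) <= now < outer.get("exp", 0)):
        findings.append("outer token outside validity window")
    if outer.get("identityprovider") == "forms" and not str(outer.get("nii", "")).startswith("urn:office:idp:forms:"):
        findings.append("forms identity without urn:office:idp:forms:<provider> nii")
    if str(outer.get("nameid", "")).startswith("i:0"):  # assumed check, compare EncodeProviderUserKey line
        findings.append("nameid already in SharePoint encoded form (i:0...)")
    if "actortoken" not in outer:
        return findings + ["no actor token: SharePoint would treat this as app-only"]
    actor = jwt_claims(outer["actortoken"])
    if actor.get("iss") != f"{APP_ID}@{REALM}":
        findings.append("actor issuer is not the registered high-trust app")
    if actor.get("nameid") != f"{SP_PRINCIPAL}@{REALM}":
        findings.append("actor nameid must be the SharePoint principal")
    if actor.get("trustedfordelegation") != "true":
        findings.append("actor token lacks trustedfordelegation=true")
    return findings
```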