Error following site across farm using shared user profile service application

    Question

  • I have published my user profile service application and my search service application from one farm which hosts mysites to another farm which is just for collaboration.  I would like to be able to follow sites on the collaboration farm and have them show up on the list of followed sites on the mysites farm. 

    I can follow sites on the mysites farm but I get an error when trying to follow a site on the collaboration farm.  The ULS logs on the collaboration farm have the following:

    FollowedContent.FollowItem:Exception:System.Net.WebException: The remote server returned an error: (401) Unauthorized.     at System.Net.HttpWebRequest.GetResponse()     at Microsoft.SharePoint.Client.SPWebRequestExecutor.Execute()     at Microsoft.SharePoint.Client.ClientRequest.ExecuteQueryToServer(ChunkStringBuilder sb)     at Microsoft.Office.Server.UserProfiles.FollowedContentProxy.Execute(String methodName)     at Microsoft.Office.Server.UserProfiles.FollowedContent.FollowItem(FollowedItem item, Boolean isInternal)

    But I could see in my IIS logs on the mysite farm that a query was trying to take place but a 401 was returned:

    POST /personal/domain_userid/_vti_bin/client.svc/ProcessQuery - 80 - xxx.xxx.xxx.xxx - 401 2 5 109
    POST /personal/domain_userid/_vti_bin/client.svc/ProcessQuery - 80 - xxx.xxx.xxx.xxx - 401 0 0 93

    Running a packet sniffer on the mysite farm I was able to dig a little deeper on the actual error:

    {"error_description":"Invalid JWT token. Could not resolve issuer token."}

    and the response also had a header of:

    x-ms-diagnostics: 3000006;reason="Token contains invalid signature.";category="invalid_client"

    It seems like my claim is not transferring properly to the other farm.  Both farms are using windows claims with NTLM. 

    Any thoughts on next troubleshooting steps or how to resolve?  Thanks!

    Thursday, December 20, 2012 3:39 PM
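    An added example (not from the original post or any reply) for the diagnostics described above: decode the S2S JWT from the failing ProcessQuery request on the consuming farm and compare its issuer claim with the issuers that farm trusts. It assumes the token is the bearer value from the request's Authorization header, that SharePoint S2S tokens carry the issuer as "<issuerId>@<realm>" (the same value New-SPTrustedSecurityTokenIssuer takes as RegisteredIssuerName), and that it runs in the SharePoint 2013 Management Shell; the token string in the usage comment is a placeholder.

```powershell
# Added example, not the thread's own code. Decodes a captured S2S JWT and checks
# its issuer against this farm's realm and trusted issuers. Assumptions: the token
# came from the Authorization header of the failing request; SharePoint 2013
# Management Shell (the SharePoint snap-in) is loaded.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory = $true)][string]$Value)
    # JWT segments are base64url: '-' and '_' replace '+' and '/', padding is dropped.
    $b64 = $Value.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    return [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64))
}

function Get-JwtClaims {
    param([Parameter(Mandatory = $true)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a compact JWT (expected header.payload.signature)" }
    return @{
        Header  = ConvertFrom-Base64Url $parts[0] | ConvertFrom-Json
        Payload = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    }
}

function Test-S2SIssuer {
    param([Parameter(Mandatory = $true)][string]$Token)
    $jwt = Get-JwtClaims -Token $Token
    $iss = $jwt.Payload.iss
    # iss is "<issuerId>@<realm>"; the realm part must equal this farm's authentication realm
    $issuerId, $tokenRealm = $iss.Split('@')
    $localRealm = (Get-SPAuthenticationRealm).ToString()

    Write-Host "Token issuer : $iss"
    Write-Host "Token aud    : $($jwt.Payload.aud)"
    Write-Host "Signing alg  : $($jwt.Header.alg)  x5t: $($jwt.Header.x5t)"
    Write-Host "Local realm  : $localRealm"

    if ($tokenRealm -ne $localRealm) {
        Write-Warning "Realm mismatch: token realm $tokenRealm, this farm is $localRealm (Set-SPAuthenticationRealm must agree on both farms)."
    }

    # "Could not resolve issuer token" = no SPTrustedSecurityTokenIssuer with a matching RegisteredIssuerName
    $match = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.RegisteredIssuerName -eq $iss }
    if ($match) {
        Write-Host "Trusted issuer found: $($match.Name)"
    } else {
        Write-Warning "No trusted issuer registered with RegisteredIssuerName '$iss'. Registered names:"
        Get-SPTrustedSecurityTokenIssuer | ForEach-Object { Write-Warning "  $($_.Name): $($_.RegisteredIssuerName)" }
    }
    # If realm and issuer match but the signature is still rejected, the consumer trusts a
    # different signing certificate than the publisher currently uses: re-create the trust.
}

# Usage (placeholder token; paste the real bearer value captured from the failing request):
# Test-S2SIssuer -Token "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiIuLi4ifQ.sig"
```

    The two x-ms-diagnostics messages in the post map onto the two checks: "Could not resolve issuer token" is the missing RegisteredIssuerName match, and "Token contains invalid signature" is a trusted issuer whose stored certificate no longer matches the publishing farm's signing key.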

Answers

  • I've finally gotten this to work...

    You will need to configure Server-to-server authentication between publishing and consuming farms...

    Make sure you have followed this guide...

    http://technet.microsoft.com/en-us/library/ff621100.aspx

    and then setup the S2S authentication...

    http://technet.microsoft.com/en-us/library/jj992595.aspx

    Also, the new OAuth protocol requires a secure channel (SSL).  In Prod, you will want to enable SSL for all web apps in the publishing farm and web apps in the consuming farm.

    If it is a Dev environment, you can get away with allowing OAuth over HTTP using the following PowerShell script:

    # Dev/lab only: allow the security token service to use OAuth and metadata over plain HTTP
    $c = Get-SPSecurityTokenServiceConfig
    $c.AllowMetadataOverHttp = $true
    $c.AllowOAuthOverHttp = $true
    $c.Update()
    # Recycle IIS so the web applications pick up the changed STS configuration
    iisreset

    If you look closely at your ULS logs at the time of initiating content following, you will see an error similar to this...

    FollowedContent.FollowItem:Exception:System.Net.WebException: The request was aborted: The request was canceled. ---> Microsoft.SharePoint.SPException: The requested operation requires an HTTPS (SSL) channel.  Ensure that the target endpoint address supports SSL and try again.  Target endpoint address: http://sp2013.domain.lcl:85/personal/userid/_vti_bin/client.svc/ProcessQuery   

    This shows that OAuth requires SSL unless you have run the PowerShell commands above...

    If you plan to use a self-signed certificate to test this out, you will need to make sure the certificates are trusted as well.

    • Marked as answer by ShockSLL Wednesday, March 20, 2013 5:18 PM
    Tuesday, March 19, 2013 6:31 PM

All replies

  • Were you able to find the solution to your issue?

    I am experiencing the same issue. Thanks.

    Wednesday, February 06, 2013 2:44 PM
  • Nope not yet.  I've had to place the issue aside for a little while to work on other projects.  I'll update here if I find a solution.  My next step was to open a case with MS.  If you find a solution, please post it.  Thanks!
    Wednesday, February 06, 2013 2:58 PM
  • Hi ShockSLL,

    You will need to setup Kerberos on your service accounts. 
    http://www.microsoft.com/en-us/download/details.aspx?id=23176

    The accounts you will need to use in this instance would be your User Profile service account and also the "SharePoint System" account from the troubled farm, the one consuming the UPS service.

    Side question, is this 2 separate domains in the same forest, 2 separate forests (hopeless in this case) or 2 farms in the same domain?

    Regards
    Pieter
    Thursday, February 07, 2013 2:22 PM
  • Good to know.  I'll give that a try.  They are two farms within the same AD domain so this should be an easy fix.  I just now have to get the infrastructure team involved...  :)  Thanks again.  I'll update back here if I am successful.
    Thursday, February 07, 2013 2:26 PM
  • Mine is in a single domain and I tried the Kerberos steps but it still doesn't work... any thoughts?
    Thursday, February 07, 2013 3:22 PM
  • Hi, try these 2 articles. Forget about Kerberos as I see these guys sorted it out without it :)

    Trusts between SharePoint Farms - http://purokdos.blogspot.co.at/2010/08/configuring-sharepoint-2010-trust.html

    Setup UPS steps - http://social.technet.microsoft.com/Forums/en-US/sharepointadminprevious/thread/7eb602f9-fe3d-4117-a0b0-c36e27dc8df6

    So hopefully we can sort this one out.

    Regards
    Pieter
    Thursday, February 07, 2013 3:41 PM
  • I haven't tried the Kerberos yet, but I did follow those similar instructions to set up the trusts between the two farms.  And everything else seems to work correctly except the following of sites like I mentioned above. 
    • Edited by ShockSLL Thursday, February 07, 2013 4:07 PM
    Thursday, February 07, 2013 4:06 PM
  • mmm, so maybe a combination of both approaches.

    Shock, is your C2WTS (Claims To Windows Token Service) active on your farms?

    Regards
    Pieter
    Friday, February 08, 2013 9:24 AM
  • Same problem here. With or without Kerberos. Only thing I haven't tried yet is using constrained delegation.

    Got a certificate farm trust in place (and confirmed working), configured S2S authentication, authentication realm, OAuth trust (New-SPTrustedSecurityTokenIssuer), and even gave my content application pool account access to my My Site content database... all without success.

    Friday, February 08, 2013 9:47 AM
  • Sorry it's been so long guys.  I have finally gotten around to trying this again.

    Bottom line, this still doesn't work for me.

    I setup two single server farms each with the SAME single SharePoint service account running everything.  This service account is trusted for delegation and the computers in each farm are also trusted for delegation.

    The SPNs were created and I can verify using Kerbtray that I am connecting using Kerberos to both farms.

    C2WTS is running on both farms.  All other aspects of the user profile service application seem to be working correctly in both farms (I am able to go to the correct newsfeed, skydrive pro, and sites).  

    Has anyone actually gotten this to work before?

    Tuesday, March 19, 2013 6:06 PM
  • Good, I'm glad you got yours working.  I got the OAuth-over-HTTP issue worked out last year.  I am still having issues.  I'll review the links you sent and make sure I have it set up correctly.  Thanks.
    Tuesday, March 19, 2013 6:40 PM
  • Ahh, I had not setup the S2S authentication with the common realm.  Your link here:  http://technet.microsoft.com/en-us/library/jj992595.aspx helped me out.  I am getting further now, as I am getting a 403 and the following header:

    x-ms-diagnostics: 3002002; reason=App principal does not exist

    I am going to try to run this to ground. 

    Thanks!

    Tuesday, March 19, 2013 6:55 PM
  • Thanks for all of the help guys, I finally just now got it working.  I had to completely remove all of my trusts and trusted security token issuers and start over.  I also had to manually set the RegisteredIssuerName when doing the New-SPTrustedSecurityTokenIssuer with the MetadataEndPoint.  Thanks for all of the help guys!
    Wednesday, March 20, 2013 5:18 PM
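    An added example (not the marked answer's script and not anything a poster ran) that puts the thread's conclusions into one check-and-register script for the consuming farm: the shared authentication realm and OAuth-over-HTTP setting from the marked answer, the trusted issuer created with an explicit RegisteredIssuerName as in the reply above, and a check for the "App principal does not exist" 403 seen earlier. It assumes the SharePoint 2013 Management Shell, that the publishing farm's metadata document at /_layouts/15/metadata/json/1 exposes an "issuer" field of the form "<issuerId>@<realm>", and uses placeholder values for the publishing farm URL and issuer label.

```powershell
# Added example, not from the thread. Verifies and, if missing, registers the S2S
# trust on the farm consuming the User Profile service. Placeholders below must be
# replaced; run in the SharePoint 2013 Management Shell on the consuming farm.

$PublishingFarmUrl = "https://mysites.example.lcl"      # placeholder: My Sites (publishing) farm, HTTPS in production
$IssuerName        = "MySitesFarmS2S"                    # placeholder: friendly label for the trust
$MetadataEndPoint  = "$PublishingFarmUrl/_layouts/15/metadata/json/1"

# 1. Both farms must share one authentication realm (Set-SPAuthenticationRealm on each farm).
$realm = (Get-SPAuthenticationRealm).ToString()
Write-Host "Consuming farm realm: $realm (must equal the publishing farm's realm)"

# 2. OAuth over HTTP is a lab-only setting; flag it so it does not survive into production.
$sts = Get-SPSecurityTokenServiceConfig
if ($sts.AllowOAuthOverHttp -or $sts.AllowMetadataOverHttp) {
    Write-Warning "AllowOAuthOverHttp=$($sts.AllowOAuthOverHttp) AllowMetadataOverHttp=$($sts.AllowMetadataOverHttp): bearer tokens travel in clear text; dev farms only."
}
if ($PublishingFarmUrl -notlike "https://*" -and -not $sts.AllowOAuthOverHttp) {
    Write-Warning "Publishing farm is HTTP and OAuth over HTTP is off: FollowItem will fail with 'requires an HTTPS (SSL) channel'."
}

# 3. Read the publishing farm's metadata to learn the issuer id it signs with.
#    Invoke-RestMethod fails here if the publisher's certificate is not trusted (self-signed lab certs).
$metadata = Invoke-RestMethod -Uri $MetadataEndPoint
$issuerId = $metadata.issuer.Split('@')[0]                 # assumption: metadata carries "issuer" as "<id>@<realm>"
$registeredIssuerName = "$issuerId@$realm"
Write-Host "Publishing farm issuer id: $issuerId -> RegisteredIssuerName $registeredIssuerName"

# 4. Register the issuer unless an identical trust already exists. Setting RegisteredIssuerName
#    explicitly alongside MetadataEndPoint is what finally resolved the thread's 401.
$existing = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.RegisteredIssuerName -eq $registeredIssuerName }
if ($existing) {
    Write-Host "Trusted issuer already registered: $($existing.Name)"
} else {
    New-SPTrustedSecurityTokenIssuer -Name $IssuerName `
        -MetadataEndPoint $MetadataEndPoint `
        -RegisteredIssuerName $registeredIssuerName
    Write-Host "Registered trusted issuer $IssuerName"
}

# 5. The 403 'App principal does not exist' means a site on this farm cannot resolve the
#    issuer as an app principal; confirm it resolves against one site collection.
$siteUrl = (Get-SPSite -Limit 1 | Select-Object -First 1).Url
$principal = Get-SPAppPrincipal -Site $siteUrl -NameIdentifier $registeredIssuerName -ErrorAction SilentlyContinue
if ($principal) {
    Write-Host "App principal resolves on $siteUrl"
} else {
    Write-Warning "App principal '$registeredIssuerName' does not resolve on $siteUrl; re-check the issuer registration and realm."
}
```

    Run it on the consuming (collaboration) farm after the realm has been set identically on both farms. If step 4 reports an existing issuer but following still fails with an invalid signature, remove that issuer and re-run so it is re-created from the publisher's current metadata, which is the "remove all trusts and start over" step from the reply above.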
  • I'm seeing this exact same issue just with a different error message in ULS.

    Microsoft.Office.Server.UserProfiles.FollowedContentException: InternalError : Could not follow the item

    FollowedContent.FollowItem:Exception:System.Net.WebException: The remote server returned an error: (403) Forbidden.     at System.Net.HttpWebRequest.GetResponse()

    Any thoughts here?

    Thursday, June 13, 2013 7:19 PM
  • If you look at the ULS logs for that request, check the url that it is trying to connect to when it gets the 403 forbidden.  Try loading that url in the browser of the SP WFE and see if it loads correctly. 

    I ended up consolidating everything I had learned into a blog post:

    http://steve.thelineberrys.com/following-sites-across-farms-with-sharepoint-2013-mysites/

    Hopefully it might help you out as well. 

    Thursday, June 13, 2013 8:29 PM