locked
401 error when creating group site with "Daemon or Server Application to Web API" authentication scenario RRS feed

  • Question

  • Hi, everybody!

    I'm using client_id and secret key for request authentication.

    Authentication process ends successfully, here is encoded JWT:B

    {
     typ: "JWT",
     alg: "RS256",
     x5t: "MnC_VZcATfM5pOYiJHMba9goEKY",
     kid: "MnC_VZcATfM5pOYiJHMba9goEKY"
    }.
    {
     aud: "https://dnevnikru.sharepoint.com/",
     iss: "https://sts.windows.net/b89ca51f-0355-4975-9bf7-93b139ce67d0/",
     iat: 1470905849,
     nbf: 1470905849,
     exp: 1470909749,
     app_displayname: "OneNoteDeamonTest",
     appid: "8e00f5e8-0f52-43f5-b16b-109e60b702b4",
     appidacr: "1",
     e_exp: 7200,
     idp: "https://sts.windows.net/b89ca51f-0355-4975-9bf7-93b139ce67d0/",
     oid: "08d2772c-fed7-4999-878f-7a2a598f88d7",
     sub: "08d2772c-fed7-4999-878f-7a2a598f88d7",
     tid: "b89ca51f-0355-4975-9bf7-93b139ce67d0",
     ver: "1.0"

    }.

    permissions are grunted:

    I'm trying create group site using following request:

    POST https://dnevnikru.sharepoint.com/_api/GroupSiteManager/Create?groupId=%27fa79209c-52eb-463d-8c5f-467a57e46a4a%27 HTTP/1.1
    Authorization: Bearer <valid token>
    Accept: application/json
    Content-Type: application/json; charset=utf-8
    Host: dnevnikru.sharepoint.com
    Content-Length: 0


    HTTP/1.1 401 Unauthorized
    Server: Microsoft-IIS/8.5
    x-ms-diagnostics: 3001000;reason="There has been an error authenticating the request.";category="invalid_client"
    SPRequestGuid: 3db0989d-9079-3000-af87-670161495f62
    request-id: 3db0989d-9079-3000-af87-670161495f62
    Strict-Transport-Security: max-age=31536000
    X-FRAME-OPTIONS: SAMEORIGIN
    SPRequestDuration: 60
    SPIisLatency: 2
    X-Powered-By: ASP.NET
    MicrosoftSharePointTeamServices: 16.0.0.5528
    X-Content-Type-Options: nosniff
    X-MS-InvokeApp: 1; RequireReadOnly
    P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
    WWW-Authenticate: Bearer realm="b89ca51f-0355-4975-9bf7-93b139ce67d0",client_id="00000003-0000-0ff1-ce00-000000000000",trusted_issuers="00000001-0000-0000-c000-000000000000@*,https://sts.windows.net/*/,00000003-0000-0ff1-ce00-000000000000@90140122-8516-11e1-8eff-49304924019b",authorization_uri="https://login.windows.net/common/oauth2/authorize"
    Date: Thu, 11 Aug 2016 09:02:51 GMT
    Content-Length: 453

    and the error message:

    {"error_description":"The server was unable to process the request due to an internal error.  For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs."}

    What am i doing wrong? The same request with user access token (tenant admin) is OK.

    Thanks in advance for any help.


    Thursday, August 11, 2016 9:32 AM

Answers

All replies

  • Hi Nikolay,

    Did you mean you want to create a site in SharePoint with "Daemon or Server Application to Web API"?

    And did you use client credential flow for acquiring an access token?

    Please provide the internal error message for further research.

    Best Regards,

    Victoria

    TechNet Community Support
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Friday, August 12, 2016 6:59 AM
  • Hi, Victoria!
    Did you mean you want to create a site in SharePoint with "Daemon or Server Application to Web API"?
    I meant this: https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-scenarios/#daemon-or-server-application-to-web-api

    And did you use client credential flow for acquiring an access token?

    I didn't. I used application's credentials: client_id and secret_key.

    Please provide the internal error message for further research.

    I can't because it's SharePoint online (SaaS).
    Friday, August 12, 2016 7:26 AM
  • Hi Nikolay,

    Sounds you are using the wrong Application type. "Daemon or Server Application to Web API" means the application only authentication (OAuth) for Azure AD application. To consume SharePoint Online REST API, your app should be SharePoint provider-hosted add-in. Here are some articles for your reference:

    Get started creating provider-hosted SharePoint Add-ins
    https://msdn.microsoft.com/en-us/library/office/fp142381.aspx?f=255&MSPPError=-2147217396

    Complete basic operations using SharePoint 2013 REST endpoints
    https://msdn.microsoft.com/en-us/library/office/jj164022.aspx

    Regarding the APIs available for Azure AD applications, please refer to Office 365 platform API overview:
    https://msdn.microsoft.com/en-us/office/office365/howto/platform-development-overview?f=255&MSPPError=-2147217396

    Please note that the common SharePoint APIs are not included in Office 365 platform API.

    Thanks,
    Reken Liu


    TechNet Community Support
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Thursday, August 18, 2016 7:30 AM