InfoPath calls WebService: Unauthorized, udcx file with explicit credentials/SSO

Answers

  • Is the web service connecting to a SQL server? You need to find exactly WHAT is unauthorized. At the moment, we're flying blind and guessing. If you're connecting to a SQL server on the back-end, then go to that server and check the Application log of the Event Viewer. You will hopefully see INFORMATION log entries (not errors) telling you that a particular account failed to authenticate. See if you find that type of event, and see what account it shows. It may show the app pool account for your SharePoint web app, and if it does, you'll need to give that account read access to the SQL server.


    SharePoint Architect || Microsoft MVP || My Blog
    Planet Technologies || SharePoint Task Force
    • Marked as answer by Wayne Fan Friday, February 18, 2011 1:58 AM
    Tuesday, February 1, 2011 5:49 PM

All replies

  • This is very typical.  It's a double hop authentication issue, so we need to know exactly what all you set up.  I don't plan to read through those entire articles, so please let us know exactly what you did to rectify this.  Did you make sure Kerberos was working in your farm so that credentials can be passed to the external data source?  How did you create and configure your SSO target app?  Did you use individual or group type, and what credentials did you use for it?  I'm able to get this to work pretty easily, so we just need details to help figure it out.
    SharePoint Architect || Microsoft MVP || My Blog
    Planet Technologies || SharePoint Task Force
    Tuesday, February 1, 2011 3:48 PM
  • Kerberos is not yet installed and configured! I assumed that the explicit credentials in the udcx file

    <udc:Authentication>
      <udc:UseExplicit CredentialType="NTLM">
        <udc:UserId>domain\user</udc:UserId>
        <udc:Password>mYpAssWorD1</udc:Password>
      </udc:UseExplicit>
    </udc:Authentication>

    will be used on the SharePoint Server (1. hop) and don't need to be forwarded from the client to the 2. hop. Is this a misunderstanding?

    Client ----- SharePoint Server (1. hop) ---- WebService Server (2. hop)

    How I created the Secure Store Service:

    1. New

    2. Target Application ID and Display Name: MySSOID

    Target Application Type: Group

    Target Application Page URL: None

    Next, Next

    Target Application Administrators: domain\myuseraccount

    Members: an active directory group (that contains all users that have access in SharePoint)

    After it's created, I selected "Set Credentials" and entered a Windows User Name and Password that can be used to authenticate against the webservice.

    The authentication node in the udcx data connection file:

    <udc:Authentication>
      <udc:SSO AppId="MySSOID" CredentialType="NTLM"/>
    </udc:Authentication>

    I recreated this Secure Store App and checked the behaviour of the form - unfortunately it's the same:

    Name=Request (POST:http://spwfe/_layouts/Postback.FormServer.aspx) 
    Entering SecureStoreProviderFactory.GetDefaultSecureStoreProviderName 
    Leaving SecureStoreProviderFactory.GetDefaultSecureStoreProviderName 
    Site=/
    WcfSendRequest: RemoteAddress: 'https://spwfe:57221/9b44b152aff64bdead2dc7b6e6469f54/SecureStoreService.svc/https' Channel: 'Microsoft.Office.SecureStoreService.Server.ISecureStoreServiceApplication' Action: 'http://schemas.microsoft.com/sharepoint/2009/06/securestoreservice/ISecureStoreServiceApplication/GetUserApplication' MessageId: 'urn:uuid:a281264d-6499-4423-9795-d694a0d53df1' 
    WcfReceiveRequest: LocalAddress: 'https://spwfe.domain.local:57221/9b44b152aff64bdead2dc7b6e6469f54/SecureStoreService.svc/https' Channel: 'System.ServiceModel.Channels.ServiceChannel' Action: 'http://schemas.microsoft.com/sharepoint/2009/06/securestoreservice/ISecureStoreServiceApplication/GetUserApplication' MessageId: 'urn:uuid:a281264d-6499-4423-9795-d694a0d53df1' 
    Entering monitored scope (ExecuteWcfServerOperation) 
    Leaving Monitored Scope (ExecuteWcfServerOperation). Execution Time=3,8426671546244 
    WcfSendRequest: RemoteAddress: 'https://spwfe:57221/9b44b152aff64bdead2dc7b6e6469f54/SecureStoreService.svc/https' Channel: 'Microsoft.Office.SecureStoreService.Server.ISecureStoreServiceApplication' Action: 'http://schemas.microsoft.com/sharepoint/2009/06/securestoreservice/ISecureStoreServiceApplication/GetCredentials' MessageId: 'urn:uuid:02a518e9-5fd2-445f-97e7-8ebe70a51e41' 
    WcfReceiveRequest: LocalAddress: 'https://spwfe.domain.local:57221/9b44b152aff64bdead2dc7b6e6469f54/SecureStoreService.svc/https' Channel: 'System.ServiceModel.Channels.ServiceChannel' Action: 'http://schemas.microsoft.com/sharepoint/2009/06/securestoreservice/ISecureStoreServiceApplication/GetCredentials' MessageId: 'urn:uuid:02a518e9-5fd2-445f-97e7-8ebe70a51e41' 
    Entering monitored scope (ExecuteWcfServerOperation) 
    Leaving Monitored Scope (ExecuteWcfServerOperation). Execution Time=2,33968283678512 
    The following query failed: Item_List-ReadMultiple (User: DOMAIN\user_that_is_logged_in_sp, Form Name: MyForm, IP: , Connection Target: http://spwfe/dataconnections/mydataconnection.udcx, Request: http://spwfe/_layouts/FormServer.aspx?XsnLocation=http://spwfe/FormServerTemplates/MyForm.xsn&SaveLocation=http://spwfe/MyFormLib&Source=http://spwfe/MyFormLib/Forms/AllItems.aspx&DefaultItemOpen=1#, Form ID: urn:schemas-microsoft-com:office:infopath:MyForm:-myXSD-2011-01-29T17-15-10 Type: DataAdapterException, Exception Message: The remote server returned an error: (401) Unauthorized. The remote server returned an error: (401) Unauthorized.) 
    The StateManager is disposing and calling ReleaseLockedStates() (Count=0) 
    Leaving Monitored Scope (Request (POST:http://spwfe/_layouts/Postback.FormServer.aspx)). Execution Time=63,9039319243088 

    Tuesday, February 1, 2011 4:46 PM
  • Finally I've figured it out and configured Kerberos (I assume that it's not working without Kerberos)
    Sunday, February 20, 2011 2:55 PM
  • Could you explain the Kerberos configuration?

    Have you changed your web app authorization from NTLM to Kerberos, and did that solve your problem?

    What did you do exactly?


    • Edited by Adis Delalic Monday, October 24, 2011 2:37 PM wording
    Monday, October 24, 2011 2:37 PM
  • Clayton

    Do you have any good examples on this particular issue regarding unauthorized requests via UDC and NTLM? Do I have to switch to Kerberos in order to get it to work?


    • Edited by Adis Delalic Monday, October 24, 2011 2:39 PM wording
    Monday, October 24, 2011 2:39 PM
  • I tried changing my Authentication in the udcx file from:

    <udc:Authentication><udc:SSO AppId='WWAGSSS' CredentialType='NTLM' /></udc:Authentication>

    to this, and it worked!

    <udc:Authentication>
      <udc:UseExplicit CredentialType="NTLM">
        <udc:UserId>domain\user</udc:UserId>
        <udc:Password>mYpAssWorD1</udc:Password>
      </udc:UseExplicit>
    </udc:Authentication>


    • Edited by Korir Sammy Friday, August 16, 2013 6:21 AM
    Friday, August 16, 2013 6:20 AM
  • Thanks Korir and others for your hints. I had the same issue, and for me the Authentication using SSO option in the udcx file worked. I used a domain account in the SSS Target Application, and on the web service side I configured it to accept Windows authentication. Hope that may help someone else as well.
    Thursday, November 21, 2013 10:50 PM
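
Added example, not part of any post in this thread: a Python audit that reads a UDCX file and reports which of the two `udc:Authentication` variants shown above is active, flagging files where `udc:UseExplicit` leaves a password readable in the file itself. The sample documents are constructed; their wrapper elements and namespace URI are assumptions, and the code matches element names without relying on the namespace.

```python
import xml.etree.ElementTree as ET

# Constructed samples: a reduced UDCX skeleton (wrapper elements and namespace
# URI are assumptions) around the two Authentication variants from the thread.
_WRAP = ('<udc:DataSource xmlns:udc="http://schemas.microsoft.com/office/'
         'infopath/2006/udc"><udc:ConnectionInfo>{}</udc:ConnectionInfo>'
         '</udc:DataSource>')
EXPLICIT = _WRAP.format(
    '<udc:Authentication><udc:UseExplicit CredentialType="NTLM">'
    '<udc:UserId>domain\\user</udc:UserId>'
    '<udc:Password>mYpAssWorD1</udc:Password>'
    '</udc:UseExplicit></udc:Authentication>')
SSO = _WRAP.format(
    '<udc:Authentication><udc:SSO AppId="MySSOID" CredentialType="NTLM"/>'
    '</udc:Authentication>')
COMMENTED = _WRAP.format(  # Authentication block present only as a comment
    '<!--udc:Authentication><udc:SSO AppId="" CredentialType=""/>'
    '</udc:Authentication-->')

def _local(tag):
    """Drop the '{namespace}' prefix ElementTree adds to tag names."""
    return tag.rsplit("}", 1)[-1]

def audit_udcx(xml_text):
    """Return one finding per active credential element; never the password."""
    findings = []
    for auth in ET.fromstring(xml_text).iter():
        if _local(auth.tag) != "Authentication":
            continue
        for cred in auth:
            kind = _local(cred.tag)
            if kind == "UseExplicit":
                fields = {_local(c.tag): (c.text or "").strip() for c in cred}
                findings.append({"mode": "explicit", "identity": fields.get("UserId"),
                                 "credential_type": cred.get("CredentialType"),
                                 "plaintext_password": bool(fields.get("Password"))})
            elif kind == "SSO":
                # Only the Secure Store target application ID is in the file.
                findings.append({"mode": "sso", "identity": cred.get("AppId"),
                                 "credential_type": cred.get("CredentialType"),
                                 "plaintext_password": False})
    return findings

def needs_remediation(xml_text):
    """True when the file embeds a password readable by anyone who can open it."""
    return any(f["plaintext_password"] for f in audit_udcx(xml_text))
```

A commented-out block is not parsed as an element, so such a file yields no findings and is reported as having no active Authentication element.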