Friday, April 12, 2013

SharePoint 2013 provider-hosted app with ACS trust unable to retrieve Access Token. Error message: 400 Bad Request. Token request failed

Scenario: A provider-hosted app with ACS trust is unable to retrieve an Access Token. The request for the access token fails with the error: 400 Bad Request. Token request failed.

Solution: Today I came across this issue, where the app gets the context and refresh token, but is unable to get the Access Token. The issue was, the Service Principal Name (SPN) of the SharePoint site was deleted from Azure.

As part of establishing ACS trust in an on-premise farm we need to register the web application in Azure, so that ACS trusts the web application and is prepared to accept requests from it for issuing Access tokens. So if you have more than one web application in your SharePoint farm you need to register each web application as an SPN. Say your web application URL is https://sharepoint.contoso.com; then your SPN would be "sharepoint.contoso.com". Or, if you have multiple web applications in your SharePoint farm ending with, say, "contoso.com", then you can register a wildcard SPN like "*.contoso.com".

To fix the issue, check whether the SPN is registered in Azure by running the script below from an Azure PowerShell window (MSOnline module):

$SPAppPrincipalId = "00000003-0000-0ff1-ce00-000000000000"   # SharePoint app principal ID
$SharePointAzureTenantName = "contoso.onmicrosoft.com"         # replace with your Azure tenant name
$ACSMetaDataEndPoint = "https://accounts.accesscontrol.windows.net/{0}/metadata/json/1" -f $SharePointAzureTenantName   # ACS metadata endpoint for the tenant
Connect-MsolService
$ExistingKeyIds = Get-MsolServicePrincipal -AppPrincipalId $SPAppPrincipalId   # the SharePoint service principal
$Spns = $ExistingKeyIds.ServicePrincipalNames                                  # SPNs currently registered on it
$Spns   # list them and check that your web application (or a matching wildcard) is present
 
To add the SPN, run the script below from an Azure PowerShell window (after the check above, so that $SPAppPrincipalId and $Spns are already set):

$FarmFQDN = "sharepoint.contoso.com"                                   # host name of your web application
$ServicePrincipalName = "{0}/{1}" -f $SPAppPrincipalId, $FarmFQDN       # SPN format: <app principal id>/<host>
$Spns.Add($ServicePrincipalName)                                        # append to the existing list
Set-MsolServicePrincipal -AppPrincipalId $SPAppPrincipalId -ServicePrincipalNames $Spns   # write the updated list back

Note: Replace the value of "$FarmFQDN" with the SPN of your web application.
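An idempotent version of the check-then-add procedure, added here as an example and not from the original post: it tests whether any registered SPN (exact or wildcard such as "*.contoso.com") already covers the web application host before adding one. The function name Test-SpnCoversHost, the tenant name and the FQDN are assumptions; the MSOnline cmdlets and SPN format are those used above.

```powershell
# Added example (not from the original post). Requires the MSOnline module.
Import-Module MSOnline

$SPAppPrincipalId = "00000003-0000-0ff1-ce00-000000000000"   # SharePoint app principal ID (from the post)
$FarmFQDN         = "sharepoint.contoso.com"                 # placeholder: your web application host name

function Test-SpnCoversHost {
    # Hypothetical helper: does the SPN "<app principal id>/<host or *.suffix>" cover $HostName?
    param([string]$Spn, [string]$AppPrincipalId, [string]$HostName)
    $prefix = "$AppPrincipalId/"
    if (-not $Spn.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) { return $false }
    $pattern = $Spn.Substring($prefix.Length)
    if ($pattern.StartsWith("*.")) {
        # Wildcard SPN such as "*.contoso.com": matches any host with at least one label before the suffix.
        $suffix = $pattern.Substring(1)   # ".contoso.com"
        return ($HostName.Length -gt $suffix.Length) -and
               $HostName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)
    }
    return [string]::Equals($pattern, $HostName, [System.StringComparison]::OrdinalIgnoreCase)
}

Connect-MsolService
$principal = Get-MsolServicePrincipal -AppPrincipalId $SPAppPrincipalId
$spns = @($principal.ServicePrincipalNames)   # copy into a plain array so we can append safely

$covered = @($spns | Where-Object { Test-SpnCoversHost -Spn $_ -AppPrincipalId $SPAppPrincipalId -HostName $FarmFQDN })
if ($covered.Count -gt 0) {
    Write-Output "SPN already registered for $FarmFQDN : $($covered -join ', ')"
} else {
    $newSpn = "{0}/{1}" -f $SPAppPrincipalId, $FarmFQDN
    Write-Output "No SPN covers $FarmFQDN; adding $newSpn"
    Set-MsolServicePrincipal -AppPrincipalId $SPAppPrincipalId -ServicePrincipalNames ($spns + $newSpn)
}
```

Re-running the script after the fix reports the existing SPN instead of adding a duplicate, which makes it safe to include in a farm health check.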