Solution: Today I came across this issue, where the app gets the context and refresh token but is unable to get the access token. The issue was that the Service Principal Name (SPN) of the SharePoint site had been deleted from Azure.
As part of establishing the ACS trust in an on-premises farm, we need to register the web application in Azure, so that ACS trusts the web application and will accept requests from it for issuing an access token. So if you have more than one web application in your SharePoint farm, you need to register each web application as an SPN. If your web application URL is https://sharepoint.contoso.com, then your SPN would be "sharepoint.contoso.com"; if you have multiple web applications in your SharePoint farm whose host names end with, say, "contoso.com", then you can register a wildcard SPN such as "*.contoso.com".
To fix the issue, first check whether the SPN is registered in Azure by running the following from an Azure PowerShell window (MSOnline module):

$SPAppPrincipalId = "00000003-0000-0ff1-ce00-000000000000"   # SharePoint Online app principal
# $SharePointAzureTenantName must already hold your tenant name (for example contoso.onmicrosoft.com)
$ACSMetaDataEndPoint = "https://accounts.accesscontrol.windows.net/{0}/metadata/json/1" -f $SharePointAzureTenantName
Connect-MsolService
$ExistingKeyIds = Get-MsolServicePrincipal -AppPrincipalId $SPAppPrincipalId
$Spns = $ExistingKeyIds.ServicePrincipalNames
# Inspect $Spns: the entry for your web application (or a wildcard covering it) should be listed
If it is missing, add the SPN by running the following in the same Azure PowerShell session ($SPAppPrincipalId and $Spns come from the script above):

$FarmFQDN = "sharepoint.contoso.com"
$ServicePrincipalName = "{0}/{1}" -f $SPAppPrincipalId, $FarmFQDN
$Spns.Add($ServicePrincipalName)
Set-MsolServicePrincipal -AppPrincipalId $SPAppPrincipalId -ServicePrincipalNames $Spns
Note: Replace the value of $FarmFQDN with the SPN of your web application (its host name, or a wildcard such as "*.contoso.com").
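The two scripts above assume you eyeball $Spns before deciding whether to add the entry. The following is an added example (not code from the original post) that combines the check and the add into one idempotent run: it confirms the SharePoint principal exists in the tenant, treats an exact SPN or a covering wildcard SPN as "already registered", only calls Set-MsolServicePrincipal when something is actually missing, and re-reads the principal afterwards so the change can be verified. It uses only the MSOnline cmdlets the post already relies on; $FarmFQDN is a placeholder for your own web application host name, and the Test-SpnCovers helper is defined here, not part of the module.

```powershell
# Added example: idempotent check-then-add of the SharePoint ACS SPN.
# Assumes the MSOnline module is installed and you sign in as a tenant admin.

$SPAppPrincipalId = "00000003-0000-0ff1-ce00-000000000000"   # SharePoint Online app principal (from the post)
$FarmFQDN         = "sharepoint.contoso.com"                  # placeholder: replace with your web application host
$WantedSpn        = "{0}/{1}" -f $SPAppPrincipalId, $FarmFQDN

# Helper (defined here, not part of MSOnline): returns $true when the exact SPN,
# or a wildcard SPN such as "<appid>/*.contoso.com" that covers the host, is registered.
function Test-SpnCovers {
    param(
        [string[]] $Registered,
        [string]   $AppId,
        [string]   $HostName
    )
    $exact  = "{0}/{1}" -f $AppId, $HostName
    $prefix = "{0}/" -f $AppId
    foreach ($spn in $Registered) {
        if ($spn -eq $exact) { return $true }
        if ($spn.StartsWith($prefix + "*")) {
            $pattern = $spn.Substring($prefix.Length)   # e.g. *.contoso.com
            if ($HostName -like $pattern) { return $true }   # -like is case-insensitive, fine for host names
        }
    }
    return $false
}

Connect-MsolService

$principal = Get-MsolServicePrincipal -AppPrincipalId $SPAppPrincipalId
if ($null -eq $principal) {
    # Without this principal ACS has nothing to issue access tokens against.
    throw "SharePoint principal $SPAppPrincipalId not found in this tenant."
}

$spns = $principal.ServicePrincipalNames

if (Test-SpnCovers -Registered $spns -AppId $SPAppPrincipalId -HostName $FarmFQDN) {
    Write-Output "SPN for $FarmFQDN is already registered; nothing to change."
}
else {
    $spns.Add($WantedSpn)
    Set-MsolServicePrincipal -AppPrincipalId $SPAppPrincipalId -ServicePrincipalNames $spns
    Write-Output "Added $WantedSpn"
}

# Re-read the principal so the registered SPNs reflect what Azure actually stored.
(Get-MsolServicePrincipal -AppPrincipalId $SPAppPrincipalId).ServicePrincipalNames
```

Running this twice in a row is safe: the second run takes the "already registered" branch and does not call Set-MsolServicePrincipal, so a scheduled or scripted run cannot keep appending duplicate entries to the principal.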