If you have ever configured server-based authentication between Dynamics 365 Online and SharePoint On-Premises, chances are you have seen the infamous "Failed Authentication – 401 Unauthorized" error when running the "Enable Server-Based SharePoint Integration" wizard in Dynamics 365.
I have seen this error many times and in this article I have listed some of the root causes for the error.
The official Microsoft documentation, which covers all the steps required for Dynamics 365 Online and SharePoint On-Premises integration, is below.
Missing Hot Fixes
Make sure to check and double check that you have installed all the hotfixes mentioned in the official documentation. In my case, the hotfix below was missing.
Hotfix KB2883081 for SharePoint Foundation 2013 August 12, 2014 (Sts-x-none.msp)
Missing SQL Server Permissions
Grant the service account db_owner access on the SharePoint content database associated with the SharePoint Web Application.
Office 365 Global Admin, SharePoint Farm Admin, and Dynamics 365 System Admin Access
The user account that runs the wizard must have the Office 365 Global Administrator role assigned, have the Dynamics 365 System Administrator role assigned, and be a member of the SharePoint Farm Administrators group.
Missing App Principal Permission
The Dynamics 365 application must be granted permission on the specified SharePoint site collection. Run the PowerShell script below. Note: replace <sharepoint_base_url> and <sharepoint_site_collection_name> with your environment's values.
# Run from the SharePoint Management Shell with the MSOnline module loaded (Connect-MsolService first).
$SPOAppId = "00000003-0000-0ff1-ce00-000000000000"                  # SharePoint Online app id (not used by the commands below)
$SPOContextId = (Get-MsolCompanyInformation).ObjectID              # Office 365 tenant (realm) id
$metadataEndpoint = "https://accounts.accesscontrol.windows.net/" + $SPOContextId + "/metadata/json/1"
$issuer = "00000007-0000-0000-c000-000000000000@" + $SPOContextId   # Dynamics 365 app id @ tenant id
$site = Get-SPSite "https://<sharepoint_base_url>/sites/<sharepoint_site_collection_name>"
$app = Get-SPAppPrincipal -NameIdentifier $issuer -Site $site.RootWeb
# Grant the Dynamics 365 app principal Full Control over the whole site collection
Set-SPAppPrincipalPermission -AppPrincipal $app -Site $site.RootWeb -Scope "SiteCollection" -Right "FullControl"
Once you have run the script, open the link below to confirm that the permission was created.
Incorrect Alternate Access Mappings
Check the Alternate Access Mappings. Make sure the Web Application has the two entries below. For example, if your public URL is contoso.com and the server name is dyn365apps01, the settings should look like this.
Internal URL               Zone      Public URL for Zone
https://contoso.com        Default   https://contoso.com
http://dyn365apps01:8082   Default   https://contoso.com
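The following read-only check, added here and not part of the original post, verifies the two preconditions above in one go: that both Alternate Access Mapping entries exist in the Default zone with the expected public URL, and that the Dynamics 365 app principal is registered on the site collection. It assumes the SharePoint Management Shell snap-in and the MSOnline module are available and that Connect-MsolService has already been run; the function name and the sample URLs are constructed.

```powershell
# Added example, not from the original post. Read-only: it reports problems and changes nothing.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-Dyn365SharePointPrereqs {
    param(
        [Parameter(Mandatory)] [string] $PublicUrl,         # e.g. https://contoso.com
        [Parameter(Mandatory)] [string] $InternalUrl,       # e.g. http://dyn365apps01:8082
        [Parameter(Mandatory)] [string] $SiteCollectionUrl  # e.g. https://contoso.com/sites/crm
    )
    $ok = $true

    # 1. Alternate Access Mappings: both URLs must be in the Default zone and map to
    #    the same public URL; otherwise the incoming token's audience will not match.
    $aam = Get-SPAlternateURL -WebApplication $PublicUrl
    foreach ($expected in @($PublicUrl, $InternalUrl)) {
        $entry = $aam | Where-Object { $_.IncomingUrl -eq $expected }
        if (-not $entry) {
            Write-Warning "AAM: no entry with internal URL $expected"
            $ok = $false
        } elseif ($entry.Zone -ne 'Default' -or $entry.PublicUrl -ne $PublicUrl) {
            Write-Warning "AAM: $expected is in zone '$($entry.Zone)' with public URL '$($entry.PublicUrl)' (expected Default / $PublicUrl)"
            $ok = $false
        }
    }

    # 2. App principal: the Dynamics 365 issuer (app id from the post @ tenant id)
    #    must be registered on the site collection for the permission grant to exist.
    $contextId = (Get-MsolCompanyInformation).ObjectId
    $issuer = "00000007-0000-0000-c000-000000000000@" + $contextId
    $site = Get-SPSite $SiteCollectionUrl
    $app = Get-SPAppPrincipal -NameIdentifier $issuer -Site $site.RootWeb -ErrorAction SilentlyContinue
    if (-not $app) {
        Write-Warning "App principal $issuer is not registered on $SiteCollectionUrl"
        $ok = $false
    } else {
        # List the rights currently granted so they can be compared with the FullControl grant above.
        Get-SPAppPrincipalPermission -AppPrincipal $app -Site $site.RootWeb -Scope SiteCollection
    }
    return $ok
}

# Usage with constructed sample values:
# Test-Dyn365SharePointPrereqs -PublicUrl 'https://contoso.com' -InternalUrl 'http://dyn365apps01:8082' -SiteCollectionUrl 'https://contoso.com/sites/crm'
```

A return value of $false, together with the warnings printed, points at which of the two prerequisites still needs fixing before re-running the wizard.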
Dynamics 365 User’s SharePoint Email Field
Now, this one is optional. In some cases I had to configure this and in other cases I didn't; different SharePoint and Dynamics 365 version combinations may be the reason.
In the Dynamics 365 System User entity, there's a field called SharePoint Email Address. It is usually not exposed on the form and is empty. Edit the User form, add the SharePoint Email Address field to the form, and publish. Populate the field with the same email address as the user's SharePoint Work Email and click Save.
Finally, run IISRESET on the SharePoint server before running the "Enable Server-Based SharePoint Integration" wizard again.
Thank you for visiting Dyn365Apps.com.