Claims error when publishing service applications in SharePoint 2010


So – the other day I was trying to publish service applications in SharePoint 2010 from a provider farm to a consumer farm. I did all the steps I knew possible, but was still getting errors in the ULS, and in the browser I was getting the famed "Unable to connect to the specified address. Verify the URL you entered and contact the service administrator for more details."

 

The first thing to say is go to the ULS for a BETTER error, in which case I was getting:

 

SharePoint Foundation     Claims Authentication     fo1t    Monitorable    SPSecurityTokenService.Issue() failed: System.TypeInitializationException: The type initializer for '<Module>' threw an exception. ---> System.TypeInitializationException: The type initializer for '<Module>' threw an exception. ---> <CrtImplementationDetails>.ModuleLoadException: The C++ module failed to load while attempting to initialize the default appdomain. ---> System.Runtime.InteropServices.COMException (0x800703FA): Illegal operation attempted on a registry key that has been marked for deletion. (Exception from HRESULT: 0x800703FA) at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo) at <CrtImplementationDetails>.GetDefaultDomain() at <CrtImplementationDetails>.DoCallBackInDefaultDomain(IntPtr function, Void* cookie) ...    

SharePoint Foundation     Claims Authentication     fo1t    Monitorable    ... at <CrtImplementationDetails>.LanguageSupport._Initialize(LanguageSupport* ) at <CrtImplementationDetails>.LanguageSupport.Initialize(LanguageSupport* ) --- End of inner exception stack trace --- at <CrtImplementationDetails>.LanguageSupport.Initialize(LanguageSupport* ) at .cctor() --- End of inner exception stack trace --- at <CrtImplementationDetails>.ThrowModuleLoadException(String , Exception ) at <CrtImplementationDetails>.LanguageSupport.Initialize(LanguageSupport* ) at .cctor() --- End of inner exception stack trace --- at System.Runtime.CompilerServices.RuntimeHelpers._RunClassConstructor(IntPtr type) at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture) ...    

SharePoint Foundation     Claims Authentication     fo1t    Monitorable    ... at Microsoft.SharePoint.Administration.SPAutoSerializingObject.GetInstanceFromType(Type type, String typename) at Microsoft.SharePoint.Administration.SPPersistedObject.GetInstance(XmlNode xml, Guid classId, Boolean bResolveMissingTypes) at Microsoft.SharePoint.Administration.SPFileSystemCache.FetchObjectFromFileSystem(Guid id) at Microsoft.SharePoint.Administration.SPFileSystemCache.GetValue(Guid id) at Microsoft.SharePoint.Administration.SPCache`2.get_Item(K key) at Microsoft.SharePoint.Administration.SPConfigurationDatabase.GetObject(Guid id, Boolean checkInMemoryCache, Boolean checkFileSystemCache) at Microsoft.SharePoint.Administration.SPConfigurationDatabase.Microsoft.SharePoint.Administration.ISPPersistedStoreProvider.GetObject(Guid id) at Microsoft.Sha...    

SharePoint Foundation     Claims Authentication     fo1t    Monitorable    ...rePoint.Administration.SPPersistedObjectCollection`1.get_Item(Guid objId) at Microsoft.SharePoint.Administration.SPPersistedObjectCollection`1.<GetEnumeratorImpl>d__0.MoveNext() at Microsoft.SharePoint.Administration.SPPersistedObjectCollection`1.Enumerator`1.MoveNext() at Microsoft.SharePoint.Administration.SPWebApplication.LookupContextWebApplication() at Microsoft.SharePoint.Administration.SPWebApplication.Lookup(SPFarm farm, Uri requestUri, Boolean fallbackToHttpContext, SPAlternateUrl& alternateUrl, SPSiteLookupInfo& hostHeaderSiteInfo, Boolean& lookupRequiredContext) at Microsoft.SharePoint.Administration.Claims.SPClaimProviderManager.GetWebApplicationAndZoneForContext(Uri context, SPWebApplication& webApplication, Nullable`1& zone) at Microsoft.SharePoint.Adm...    

SharePoint Foundation     Claims Authentication     fo1t    Monitorable    ...inistration.Claims.SPClaimProviderManager.GetClaimProvidersForContext(Uri context, SPClaimProviderOperationOptions mode, IEnumerable`1 providerNames) at Microsoft.SharePoint.Administration.Claims.SPClaimProviderOperations.ClaimsForEntity(Uri context, SPClaimProviderOperationOptions mode, String[] providerNames, SPClaim entity) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.AugmentClaimsIdentity(IClaimsIdentity identity, SPClaim identityClaim, RequestSecurityToken request) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope) at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityToken request) ...    

SharePoint Foundation     Claims Authentication     fo1t    Monitorable    ...at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityToken request)    

SharePoint Foundation     Claims Authentication     fsq7    High     Request for security token failed with exception: System.ServiceModel.FaultException: The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs. at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response) at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr) at Microsoft.IdentityModel.Protocols.WSTrust.WSTr...    8a7440ac-a08c-46da-87ad-5c2d79e19dd4

SharePoint Foundation     Claims Authentication     fsq7    High     ...ustChannel.Issue(RequestSecurityToken rst) at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo)    8a7440ac-a08c-46da-87ad-5c2d79e19dd4

SharePoint Foundation     Claims Authentication     8306    Critical    An exception occurred when trying to issue security token: The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs..    8a7440ac-a08c-46da-87ad-5c2d79e19dd4

SharePoint Foundation     Topology     84cx    High     ServiceApplicationConnect.aspx: Unrecognized url. Exception: System.ServiceModel.FaultException: The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs. at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response) at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr) at Microsoft.IdentityModel.Protocols.W...    8a7440ac-a08c-46da-87ad-5c2d79e19dd4

SharePoint Foundation     Topology     84cx    High     ...STrust.WSTrustChannel.Issue(RequestSecurityToken rst) at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo) at Microsoft.SharePoint.SPSecurityContext.<>c__DisplayClass7.<GetProcessSecurityTokenForServiceContext>b__6() at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode) at Microsoft.SharePoint.SPSecurityContext.GetProcessSecurityTokenForServiceContext() at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForServiceContext(Uri contextUri) at Microsoft.SharePoint.SPChannelFactoryOperations.InternalCreateChannelActingAsLoggedOnUser[TChannel](ChannelFactory`1 factory, EndpointAddress address, Uri via) at Mi...    8a7440ac-a08c-46da-87ad-5c2d79e19dd4

SharePoint Foundation     Topology     84cx    High     ...crosoft.SharePoint.SPChannelFactoryOperations.CreateChannelActingAsLoggedOnUser[TChannel](ChannelFactory`1 factory, EndpointAddress address) at Microsoft.SharePoint.SPTopologyWebServiceApplicationProxy.EnumerateSharedServiceApplications(Uri endpointAddress, SPServiceLoadBalancerContext loadBalancerContext) at Microsoft.SharePoint.Administration.SPDiscoveryUtility.RetrieveSharedServiceApplicationInfo(String url) at Microsoft.SharePoint.ApplicationPages.ServiceApplicationConnectPage.BtnOK_Click(Object sender, EventArgs e)    8a7440ac-a08c-46da-87ad-5c2d79e19dd4

 

The weird thing is all the "Claims Authentication" errors. What the? My Central Admin servers were using NTLM, not claims. However, the topology service app (load balancing SA) is using claims, so obviously it was a problem.
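
Added example, not part of the original post: ULS splits a long message across rows that end and resume with "...", so this script stitches rows with the same event ID back together and pulls out the innermost exception and its HRESULT. The sample rows are constructed by shortening the trace above, and the names `stitch` and `root_cause` are illustrative.

```python
import re

# Constructed sample: three ULS rows shortened from the trace quoted in this post.
SAMPLE_ULS = (
    "SharePoint Foundation     Claims Authentication     fo1t    Monitorable    "
    "SPSecurityTokenService.Issue() failed: System.TypeInitializationException: "
    "The type initializer for '<Module>' threw an exception. ---> "
    "System.Runtime.InteropServices.COMException (0x800703FA): Illegal operation "
    "attempted on a registry key that has been marked for deletion. at System.Run...\n"
    "SharePoint Foundation     Claims Authentication     fo1t    Monitorable    "
    "...time.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode)\n"
    "SharePoint Foundation     Topology     84cx    High     "
    "ServiceApplicationConnect.aspx: Unrecognized url.    "
    "8a7440ac-a08c-46da-87ad-5c2d79e19dd4\n"
)

# Optional correlation GUID at the end of a row.
CORRELATION = re.compile(r"^(.*?)\s+([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$", re.I)

def stitch(text):
    """Merge '...' continuation rows into one entry per logged event."""
    entries = []
    for line in text.splitlines():
        # Columns: area, category, event ID, level, message (tabs or runs of spaces).
        parts = re.split(r"\t+|\s{2,}", line.strip(), maxsplit=4)
        if len(parts) < 5:
            continue  # blank or non-ULS line
        area, category, event_id, level, rest = parts
        m = CORRELATION.match(rest)
        message, correlation = (m.group(1), m.group(2)) if m else (rest, None)
        last = entries[-1] if entries else None
        if last and message.startswith("...") and last["event_id"] == event_id:
            # Drop the trailing/leading "..." markers and join without a space,
            # because ULS can break a row in the middle of a word.
            last["message"] = re.sub(r"\.{3}$", "", last["message"]) + message[3:]
            last["correlation"] = last["correlation"] or correlation
        else:
            entries.append({"area": area, "category": category, "event_id": event_id,
                            "level": level, "message": message, "correlation": correlation})
    return entries

def root_cause(message):
    """Return (exception type, HRESULT or None) for the innermost '--->' exception."""
    inner = message.split(" ---> ")[-1]
    m = re.search(r"([\w.<>]+Exception)(?:\s*\((0x[0-9A-Fa-f]{8})\))?", inner)
    return (m.group(1), m.group(2)) if m else (None, None)

if __name__ == "__main__":
    for e in stitch(SAMPLE_ULS):
        print(e["event_id"], e["level"], root_cause(e["message"]))
```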

 

Here's some more background:

 

I have two farms (let's just say farm A, and farm B). I'm trying to get farm A to consume service applications published by farm B. I've exchanged root certificates and the STS certificates to set up the trust, and I've granted farm A full control on B's load balancer service app, as well as the service apps I'm trying to connect to. However, when I paste the service app's URL and click OK, I get the error that says to confirm that I have the correct URL. In 14/Logs, I get the above exception, which appears to be a COM exception.

   

Farm A is a two server farm with CA running on 01. Farm B is a single server farm.

   

The firewall is turned on between the two farms, three servers. TCP ports 12345 (central admin) and 32844 (topology service) have been opened between all three servers. I'm running as a farm and box admin.

   

Error message in UI:

 

   

Farm A's farm ID:

 

   

Perms on load balancing service app in farm B:

 

   

Perms on published service app:

 

(FYI – this isn't necessary but I did it to be safe/thorough)

   

   

Service app has been published over HTTP:

 

   

Trust on Farm A:

 

   

Trust on Farm B:

 

 

You'd think that after all this it would work just fine? The funny thing is I did do all the publishing just fine, I just missed one small, important step. IISRESET.

 

Perform an IISRESET on all boxes in the provider farm, and all boxes in the consumer farm. Thereafter, try the connection again and it should work. I also created a key in the secure store service application, but I don't think this mattered. To be safe, create a secure store service app in the publishing farm, and click generate new key.

 

 

HURRAY!

 

Still having trouble – check these things for troubleshooting:

 

Troubleshooting Federation Issues:

  • Ensure domain trust (2-way for profile, 1-way for others)
  • Ensure consuming farm's service account has permissions to the topology service app
  • Try browsing to the topology service app http://*/topology.svc
  • Check the ACL on the publishing service app
  • Try using FQDNs for ALL URLs
  • Double check certs.

 

Cheers,

Phil