Are you encountering issues connecting to SharePoint in FME?
This article contains troubleshooting and common issues encountered when configuring a SharePoint web service definition and connection for both Form and Flow.
If you have not already, please ensure that you have followed all the steps in the How to Create a SharePoint Web Connection article for your product and tenancy. The list of articles is found here. For many users, this is their first encounter with Azure App Registrations. Once the app has been registered with Microsoft Azure, the information needs to be carefully added to the web service definition in FME so that it can be used for OAuth 2.0.
Please ensure you’ve correctly configured the Azure app registration and web service by reviewing the Initial Troubleshooting.
If you’re confident everything is set up correctly and you’re still experiencing issues look through the Common Issues. If your issue isn’t listed, refer to the additional troubleshooting tips to help narrow down the cause of the issue (and hopefully find a fix!).
Content Overview
- Initial Troubleshooting
- Common Issues
  - Admin consent required
  - Invalid audience
  - Code parameter not specified
  - Delegated vs application permissions
  - 400 Bad Request
  - 401 unauthorized or failed to obtain refresh token
  - 403 Client Error: Forbidden for url
  - Certificate verify failed: certificate has expired
  - Different lists returned in FME compared to SharePoint in the web browser
  - Intermittently cannot connect to SharePoint from FME Flow
- Additional Troubleshooting Tips
Initial Troubleshooting
Here are some steps that get overlooked during configuration of the Azure App Registration and the FME web service. These steps are all covered in detail in the How to Create a SharePoint Web Connection articles listed here.
Tenancy
Microsoft gives the option of both single tenant and multitenant applications, and the configuration for each is slightly different. If your application is multitenant, the URLs in FME’s web service definition should have /common/ in them. If the application is single tenant, the URLs must contain the directory (tenant) ID in place of /common/; a single-tenant app that is called through /common/ fails to authorize.
For more information, see Microsoft’s documentation on Tenancy in Azure Active Directory.
Client Secret
Microsoft requires a client secret for confidential web apps, which means this is required for FME Flow. A client secret is also required if connecting to SharePoint using Application Permissions in FME Form. Otherwise, the client secret should not be used in FME Form, which is a native app. If you’re working in FME Form then ensure that 'Optional' is checked next to Client Secret in the web service definition, otherwise you may receive a 401 error from SharePoint.
If you’re publishing the web connection to FME Flow, ensure you’re copying the client secret from Azure and adding it to the web service in FME Flow only. Ensure you’re copying the value of the secret and not the secret ID. The value is only displayed once, immediately after the secret is created, and every secret has an expiry date set in Azure; record that date so the connection can be updated before the secret expires.
Web Connections - FME Flow documentation
API Permissions
The SharePoint List Reader/Writer uses a different API than the SharePoint Online Connector. Make sure you’ve chosen the right permissions in Azure for FME. The SharePoint List Reader/Writer uses the SharePoint API and will need those permissions. The SharePoint Online Connector uses the Microsoft Graph API and will need those permissions.
In FME, as long as the auth URL in the web service definition uses the .default scope and the correct permissions have been given in Azure there should be no issues.
Please follow the appropriate SharePoint article listed in the Getting Started with Microsoft SharePoint article to understand what permissions are needed for each scenario.
Redirect URI and Platform
The redirect URI must match between what is configured in FME and in the Azure app registration. If this does not match you will receive an error when testing or authorizing the web connection. In addition, the redirect URI must be added to the correct platform under Authentication in the Azure App Registration. For FME Form, the platform is 'Mobile and Desktop Applications'. For FME Flow, the platform is 'Web'.
FME Flow must be configured for HTTPS and the redirect URI will be https://myfmeflow.mydomain.com/fmeoauth.
Review FME Flow Logs
If you are trying to get the connection working on FME Flow, review the logs for errors or warnings. The OAuth log can be found under Resources > Logs > Service > Current > fmeoauth.log. Job logs and the fmeserver.log file can also be helpful.
Common Issues
Admin consent required
If your Azure portal requires admin consent, you will receive an 'Approval Required' message when trying to authorize the SharePoint connection.
Authorizing with an Azure Administrator account should resolve the issue. Otherwise, an administrator will need to approve your request in the Azure portal; then try to reauthorize the connection. If you are still prompted for admin consent, try changing "&prompt=consent" to "&prompt=login" in the web service's Authorization Parameters URL in FME Form, or to "&prompt=none". Removing the "&prompt=" parameter altogether may be required. Which variant works depends on your organization's configuration.
In the Microsoft identity platform authorization URL (the login.microsoftonline.com endpoint, not the Graph API itself), the "prompt" parameter specifies whether the user should be prompted to sign in again or to consent to the requested permissions.
Microsoft Graph OAuth2 Request Parameters
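To see how the tenancy segment (from Initial Troubleshooting above), the scope for each SharePoint API, the FME Flow redirect URI and the prompt parameter fit together, here is an added Python example. It is not code from FME or Microsoft: it assembles an authorization URL the way a web service definition does and rewrites the prompt parameter the way the previous paragraphs describe. The client ID, tenant ID and host names in it are made-up placeholders; the scope strings are the ones quoted in this article.

```python
"""Assemble and adjust the authorization URL of an FME SharePoint web service.

Added example, not code from FME or Microsoft. It encodes the rules given in this
article: /common/ for multitenant apps, the directory (tenant) id for single-tenant
apps, the scope for each SharePoint API, the prompt parameter, and the HTTPS
/fmeoauth redirect URI that FME Flow needs. All ids and host names below are
made-up placeholders.
"""
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

AUTHORITY = "https://login.microsoftonline.com"

# Scopes quoted in this article for the two FME SharePoint integrations.
GRAPH_SCOPE = "offline_access Sites.ReadWrite.All"  # SharePoint Online Connector (Microsoft Graph)
SP_REST_SCOPE = "https://{tenant}.sharepoint.com/.default offline_access"  # SharePoint List Reader/Writer


def tenancy_segment(single_tenant, tenant_id=None):
    """Single-tenant registrations need the directory (tenant) id in the URL; multitenant ones use /common/."""
    if single_tenant:
        if not tenant_id:
            raise ValueError("a single-tenant app registration needs the directory (tenant) id")
        return tenant_id
    return "common"


def build_authorize_url(client_id, redirect_uri, scope, single_tenant, tenant_id=None, prompt="consent"):
    """Authorization URL for the OAuth 2.0 authorization code flow on the v2.0 endpoint.
    prompt=None leaves the parameter out entirely, which some organizations require."""
    params = [
        ("client_id", client_id),
        ("response_type", "code"),
        ("redirect_uri", redirect_uri),
        ("response_mode", "query"),
        ("scope", scope),
    ]
    if prompt:
        params.append(("prompt", prompt))
    # quote_via=quote encodes the spaces between scopes as %20 rather than '+'
    query = urlencode(params, quote_via=quote)
    return f"{AUTHORITY}/{tenancy_segment(single_tenant, tenant_id)}/oauth2/v2.0/authorize?{query}"


def set_prompt(url, prompt):
    """Return the same authorization URL with prompt= changed to consent, login or none,
    or removed when prompt is None, leaving every other parameter untouched."""
    parts = urlsplit(url)
    pairs = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "prompt"]
    if prompt:
        pairs.append(("prompt", prompt))
    return urlunsplit(parts._replace(query=urlencode(pairs, quote_via=quote)))


def query_params(url):
    """Decoded query parameters of an authorization URL, as Microsoft will see them."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def flow_redirect_uri_ok(redirect_uri):
    """FME Flow's redirect URI must be HTTPS and end in /fmeoauth (the 'Web' platform entry in Azure)."""
    u = urlsplit(redirect_uri)
    return u.scheme == "https" and u.path == "/fmeoauth"


if __name__ == "__main__":
    url = build_authorize_url(
        client_id="00000000-0000-0000-0000-000000000001",   # placeholder
        redirect_uri="https://myfmeflow.mydomain.com/fmeoauth",
        scope=SP_REST_SCOPE.format(tenant="contoso"),     # placeholder tenant
        single_tenant=True,
        tenant_id="00000000-0000-0000-0000-0000000000aa",  # placeholder
    )
    print(url)
    print(set_prompt(url, "login"))   # same URL, prompt=login
    print(set_prompt(url, None))      # same URL, no prompt parameter
    print(flow_redirect_uri_ok("https://myfmeflow.mydomain.com/fmeoauth"))  # True
```

Paste the printed URL into a browser while signed in as the connection's user: if Microsoft redirects to the /fmeoauth URI with a code parameter, the tenancy, scope and redirect URI are consistent and any remaining problem is in the token step.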
Invalid audience
In the OAuth 2.0 flow used with Microsoft Graph and SharePoint, the "audience" is the target resource (API) that an access token is issued for. It is carried in the token's "aud" claim, and one access token is only valid for one resource.
With the v2.0 endpoint the audience is determined by the scope in the authorization request rather than by a separate parameter: each permission in the scope is prefixed with the resource's App ID URI, and the /.default scope requests every permission granted to the app for that resource. (The older v1.0 endpoint uses an explicit "resource" parameter for the same purpose.)
For example, an application that wants to access a user's OneDrive files requests a Graph scope such as https://graph.microsoft.com/.default (a Graph permission written without a prefix, such as Files.Read, also defaults to the Graph resource). The token is then issued with "https://graph.microsoft.com" as its audience, that is, an access token intended for the Microsoft Graph API.
When the application sends a request to the API, it includes the access token in the Authorization header. The API checks that the "aud" claim of the token names that API. If it does not (for instance a Graph token sent to the SharePoint REST API, or a SharePoint token sent to Graph), the request is rejected with an invalid audience error.
In summary, the audience identifies the resource the access token may be used against, and it is fixed by the scope you request.
If you use one app registration for both the SharePoint Online Connector and the SharePoint List Reader/Writer, make sure the scope in each web service's authorization URL matches the API that service calls: for the List Reader/Writer (SharePoint REST API) it is scope=https://[TENANT].sharepoint.com/.default offline_access; for the SharePoint Online Connector (Microsoft Graph API) it is scope=offline_access Sites.ReadWrite.All (or whichever Graph permissions you granted). Alternatively, create two separate app registrations in Azure, one per API, and set the scope in each web service definition accordingly.
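To check which API a token was actually issued for, here is an added Python example (not FME's or Microsoft's code) that decodes the claims of an access token and reports an audience mismatch, the permission model (scp for delegated permissions, roles for application permissions, as discussed under Delegated vs application permissions below) and expiry. It does not verify the token signature, so it is for troubleshooting only, never for authorization decisions. The tokens it runs on are constructed inline and unsigned; they are not real Microsoft tokens. The Microsoft Graph application ID it accepts as an audience is Microsoft's well-known value.

```python
"""Read the claims of an access token to see which API it was issued for.

Added example, not code from FME or Microsoft. The JWT payload is decoded
WITHOUT verifying the signature: fine for troubleshooting, never for authorization.
The sample tokens are constructed here with an empty signature segment.
"""
import base64
import json
import time

GRAPH_AUD = "https://graph.microsoft.com"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's well-known application id


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims):
    """Constructed, unsigned token for offline demonstration only (not a real Microsoft token)."""
    return f"{_b64url_encode({'typ': 'JWT', 'alg': 'none'})}.{_b64url_encode(claims)}."


def decode_claims(token):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def permission_model(claims):
    """scp = delegated permissions (a user signed in); roles = application permissions (client credentials)."""
    if claims.get("scp"):
        return "delegated"
    if claims.get("roles"):
        return "application"
    return "none"


def diagnose(token, api, tenant):
    """Return a list of findings; an empty list means the token looks right for `api`
    ('graph' for the SharePoint Online Connector, 'sharepoint' for the List Reader/Writer)."""
    claims = decode_claims(token)
    findings = []
    aud = claims.get("aud", "")
    if isinstance(aud, list):          # aud may be a list in general JWTs
        aud = aud[0] if aud else ""
    aud = str(aud).rstrip("/")
    if api == "graph":
        expected = (GRAPH_AUD, GRAPH_APP_ID)
    elif api == "sharepoint":
        expected = (f"https://{tenant}.sharepoint.com",)
    else:
        raise ValueError("api must be 'graph' or 'sharepoint'")
    if aud not in expected:
        findings.append(f"invalid audience: aud={aud!r} but the {api} API expects one of {expected}; "
                        "fix the scope in the authorization URL or use a separate app registration")
    if permission_model(claims) == "none":
        findings.append("no scp or roles claim: the app registration grants no permissions for this API")
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and exp < time.time():
        findings.append("token has expired; FME must refresh it (check the Refresh Token Parameters)")
    return findings


if __name__ == "__main__":
    far_future = 4102444800  # 2100-01-01, so the constructed samples do not expire
    graph_token = make_sample_token({"aud": GRAPH_AUD, "scp": "Sites.ReadWrite.All", "exp": far_future})
    print(diagnose(graph_token, "graph", "contoso"))       # []
    print(diagnose(graph_token, "sharepoint", "contoso"))  # one 'invalid audience' finding
    print(permission_model(decode_claims(graph_token)))    # delegated
```

A real token can be taken from a Fiddler capture of the FME request (see Additional Troubleshooting Tips); treat it as a credential and do not paste it into forum posts or support tickets.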
Code parameter not specified
If you see the error "code parameter not specified" when you try to connect, it is likely the result of an incorrect or malformed URL in the SharePoint web service configuration, most likely the Retrieve Token Parameters URL. Make sure that the URL is correct for the tenancy specified in your Azure App Registration (/common/ for multitenant, the directory (tenant) ID for single tenant). Try recreating the web service from the template provided.
Delegated vs application permissions
FME supports Microsoft Azure delegated permissions for both the SharePointOnlineConnector and SharePoint List Reader/Writer. Microsoft Azure application permissions are only supported for the SharePointOnlineConnector at this time. To learn more about the difference, please read Getting Started with Microsoft SharePoint.
The type of permissions you choose to use will determine which web service you need to configure in FME. Ensure you have followed the correct article from Getting Started with Microsoft SharePoint.
400 Bad Request
This error typically means that one of the OAuth2.0 web service URLs is incorrect. Reconfirm that the URLs you have entered in the web service are correct as per the relevant connection article from Getting Started with Microsoft SharePoint.
For example, below is an example error for an incorrect Refresh Token URL:
Connection Storage: Request to update access token failed. (HTTP Error 'HTTP/1.1 400 Bad Request')
Failed to get authorization header.
Python Exception <FMEWSException>: Type: 3, Number: 1, Message: Failed to get authorization header."
If the connection initially authenticates successfully, but you then begin receiving the 400 error, check your organization's Adaptive Session Lifetime Policies in Microsoft Azure, specifically Policy 1: Sign-in frequency control. This policy sets reauthentication requirements for users and apps. If your organization cannot change this, consider using Application Permissions instead.
401 unauthorized or failed to obtain refresh token
FME Form is registered in Azure as a public (native) client. If your FME web service is an OAuth 2.0 web service that uses the OAuth 2.0 authorization code grant flow, FME Form must therefore not send a client secret to Microsoft. See Getting Started with Microsoft SharePoint for more details. To stop FME Form sending the secret, click the 'Optional' checkbox next to the client secret parameter in the FME Form web service definition.
Actions outside of FME may also cause a refresh token to be revoked. Please see Microsoft's documentation on refresh tokens.
403 Client Error: Forbidden for url
You are able to authorize your connection successfully, but receive an error like the one below when a workspace is run:
Client-side error: '403 Client Error: Forbidden for url: https://mysite.sharepoint.com/sites/_api/web/Lists?%24select=Title%2CId&%24filter=Hidden+eq+false' returned from SharePoint. Error message was: 'Attempted to perform an unauthorized operation.'
Make sure that the Microsoft account you authorized the web connection with has necessary access to the SharePoint site hosting the list or library.
Certificate verify failed: certificate has expired
You may receive this error in FME on some machines, but not others, when trying to connect to SharePoint. It is often the result of an expired intermediate SSL certificate that may be included with Windows. In Windows:
- Open Windows Certificate Manager (Run > certmgr.msc)
- Expand the Intermediate Certification Authorities node and click on Certificates
- In the list of certificates, look for the DigiCert SHA2 Secure Server certificate
- If you see the expired DigiCert SHA2 Secure Server intermediate certificate in the list, disable it: right-click the certificate > properties > General tab > Disable all purposes
- Save the change and close Windows Certificate Manager
- Restart FME and retry the connection
Different lists returned in FME compared to SharePoint in the web browser
If different lists are being returned in FME compared to what is being returned in the browser you will need to verify with the MS Graph Explorer if the API is returning the correct list.
When you access the MS Graph Explorer ensure you sign in (top right) with the same account that is being used in the SharePoint web connection.
On the left-hand navigator of the Graph Explorer, you can expand the SharePoint queries for sites, lists, etc.
If the Graph API is not returning the expected information then FME will also not be able to access it, as it uses the Graph API.
Intermittently cannot connect to SharePoint from FME Flow
When an OAuth 2.0 web connection (using delegated permissions) is published to FME Flow, its current (normally working) tokens are published with it. After a period determined by Microsoft (typically about an hour for an access token) the token expires, and FME Flow must use the refresh token to obtain a new one. If FME Flow has not been configured properly for the web service it is unable to refresh the token, so the connection works right after publishing and then starts failing.
After a web connection and its web service have been published to FME Flow the user will need to:
- Ensure the app registration in Azure has a web platform configured.
- Specify the correct redirect URI in the web platform (https://<host>:<port>/fmeoauth).
- Generate a client secret and add this to the web service in FME Flow
- Ensure the client_secret=[CLIENT_SECRET] parameter has been added to the Refresh Token Parameters in the web service. Note that this can only be set in FME Form and must then be published to FME Flow.
Note that this is not required when using a web connection with application permissions, as a new access token is obtained on every connection. Please see Getting Started with Microsoft SharePoint for more information.
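The refresh step described here, and the failures covered in the 400 Bad Request and 401 unauthorized sections above, come down to one request to the token endpoint that differs only in whether a client secret is sent. The following added Python example (not FME's or Microsoft's code) builds that request for FME Form (no secret) and FME Flow (secret), adjusts an FME Refresh Token Parameters string accordingly, and maps the standard OAuth 2.0 error codes a token endpoint returns to what to check. The [CLIENT_SECRET] placeholder is the one quoted in this article; the [REFRESH_TOKEN] placeholder and the error responses in the demonstration are constructed for the example.

```python
"""Build the refresh-token request FME sends and classify the token endpoint's error.

Added example, not code from FME or Microsoft. FME Form is a public client and
sends no secret; FME Flow is a confidential client and must send the secret VALUE.
The [CLIENT_SECRET] placeholder comes from this article; [REFRESH_TOKEN] and the
error responses used in the demonstration are constructed.
"""
import json

AUTHORITY = "https://login.microsoftonline.com"

# RFC 6749 section 5.2 error codes, mapped to what to check in FME / Azure.
TOKEN_ERRORS = {
    "invalid_request": "malformed request: compare the token URL and parameter names with the connection article",
    "invalid_client": "client authentication failed: FME Flow needs the secret VALUE (not the secret id); "
                      "FME Form must not send a secret at all ('Optional' checked)",
    "invalid_grant": "refresh token rejected (expired, revoked, or issued to a different tenant/redirect URI): "
                     "re-authorize the web connection",
    "unauthorized_client": "this app registration may not use the refresh_token grant; check the platform settings",
    "unsupported_grant_type": "grant_type must be refresh_token for this request",
    "invalid_scope": "scope not granted to the app: check API permissions and that .default names the API being called",
}


def token_url(tenant_segment):
    """tenant_segment is 'common' for multitenant apps or the directory (tenant) id for single-tenant apps."""
    return f"{AUTHORITY}/{tenant_segment}/oauth2/v2.0/token"


def refresh_request_body(client_id, refresh_token, scope, client_secret=None):
    """Form-encoded body of the refresh request. Only a confidential client (FME Flow) passes a secret."""
    body = {
        "client_id": client_id,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": scope,
    }
    if client_secret is not None:
        body["client_secret"] = client_secret
    return body


def ensure_client_secret_param(refresh_params, confidential):
    """Adjust an FME 'Refresh Token Parameters' string: FME Flow needs
    client_secret=[CLIENT_SECRET] appended, FME Form must not carry it."""
    pairs = [p for p in refresh_params.split("&") if p and not p.startswith("client_secret=")]
    if confidential:
        pairs.append("client_secret=[CLIENT_SECRET]")
    return "&".join(pairs)


def classify_token_error(status, body_text):
    """Turn an HTTP status and the JSON error body from the token endpoint into a hint."""
    try:
        body = json.loads(body_text)
    except ValueError:
        return f"HTTP {status}: non-JSON response; the token URL is probably wrong for this tenancy"
    code = body.get("error")
    hint = TOKEN_ERRORS.get(code) or body.get("error_description") or "unrecognised error"
    if code:
        return f"HTTP {status} {code}: {hint}"
    return f"HTTP {status}: {hint}"


if __name__ == "__main__":
    params = "grant_type=refresh_token&refresh_token=[REFRESH_TOKEN]&scope=offline_access"  # constructed
    print(ensure_client_secret_param(params, confidential=True))   # FME Flow: secret appended
    print(ensure_client_secret_param(params, confidential=False))  # FME Form: unchanged
    print(refresh_request_body("client-id", "rt", "offline_access Sites.ReadWrite.All"))
    # Constructed error response, in the shape the token endpoint returns on failure.
    print(classify_token_error(401, '{"error":"invalid_client","error_description":"constructed"}'))
```

The secret belongs in FME Flow's web service only: never paste it into the FME Form definition, a workspace or a support ticket, and rotate it before the expiry date set in Azure.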
Additional Troubleshooting Tips
Azure error messages
Azure error messages are normally descriptive and it will be clear what the issue is. For example:
Invalid Resource. The client has requested access to a resource which is not listed in the requested permissions in the client’s application registration.
This means FME is trying to access resources it doesn’t have permissions to. This will need fixing in the Azure App Registration.
The reply URL specified in the request does not match the reply URLs configured for the application.
"Reply URL" is the older Azure name for the redirect URI. This error means the redirect URI FME sent in the request is not one of the redirect URIs configured on the app registration. Verify that FME and Azure have exactly the same redirect URI (scheme, host, port and path) in their configurations, and that it is listed under the correct platform.
If you’re unsure what an Azure error message is referring to, there are normally a lot of questions and answers on the Azure Community or other online tech support forums.
HTTP error codes
If the web service can't authenticate successfully, you will probably see HTTP error codes returned. If you’re not sure what an error code means, you can check here: HTTP response status codes
For example, a 401 response means the request was not authenticated (the user or client could not be verified), while a 403 means it was authenticated but is not allowed to perform the operation.
For a 401 you will want to check everything relating to authentication: the user account signing in, Client ID, Client Secret, permissions etc.
Fiddler (or other network monitoring tools)
If you do not get any useful error messages back in FME, use Fiddler (or another HTTPS-intercepting proxy) to capture the requests FME sends and the responses coming back from Microsoft.
When Fiddler is open, it will capture all traffic from your computer. Filter the processes to only show traffic from FME. Note that to show the content of HTTPS requests Fiddler installs its own root certificate on the machine; remove it when you are finished, and treat the capture as sensitive, since it contains the client secret, authorization codes and access tokens.
If you don’t see any traffic from FME, in FME Options > Network Proxy, select Use system proxy settings.