Question

I'm having trouble getting Cloud Hybrid Search configured with my SharePoint 2013 on-prem farm and I think our Single Sign-On is the culprit. Has anyone had success with setting up Cloud Hybrid Search in an SSO environment?

I've tried both the Hybrid Configuration Wizard, and PowerShell approaches outlined in the Configure Cloud Hybrid Search Roadmap, but both end with authentication errors even though the wizard confirms the farm and tenant credentials have sufficient privileges.

In the wizard, the Failure Report returns the following exception: "PowerShell failed to invoke configure script: Authentication Error: Bad username or password." The following line in the full log references our SSO URL:

FINISH Time=6750.2ms Results=System.Management.Automation.RuntimeException: Authentication Error: Bad username or password. ---> System.Exception: Authentication Error: Bad username or password. ---> Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: Federated service at https://x.x.com/SecureAuth15/webservice/wstrust.svc/2005/usernamemixed returned error: At least one security token in the message could not be validated. ---> System.Net.WebException: The remote server returned an error: (500) Internal Server Error.

When running the Onboard-CloudHybridSearch.ps1 PowerShell script, after the output "Connecting to O365..." the exception returned is "Authentication Error: Unexpected authentication failure".

Provisioning the Search Service Application seems to work fine with both approaches, but I can't get past the onboarding step in either.

I've also tried adding our tenant and tenant admin URLs to Trusted Sites in Internet Options, running the setup while logged into the SharePoint server as the tenant admin account and farm admin account, making the tenant admin account a farm admin, etc.

Thanks for any help!


Solution

I'm unsure which part of 'SSO' you're referring to. Users in SharePoint must be using Windows Auth, not SAML/FBA, in order to consume hybrid Search. If you have MFA or anything on your Global Admin account that is running the Onboarding script, it needs to be disabled, or you should use a cloud-only Global Admin account.
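The answer boils down to three preconditions for the account and farm: the onboarding account must sit in a cloud-managed (not federated) domain, must not have MFA enabled, and must be a Global Admin, while the on-prem web application that users hit must use Windows authentication. The following pre-flight check script is an added example, not part of the original question or answer and not part of Microsoft's Onboard-CloudHybridSearch.ps1. It assumes the MSOnline module is installed on a farm server, that it is run from a SharePoint 2013 Management Shell, and that the two placeholder values (the onboarding account UPN and the web application URL) are replaced with your own. It reads configuration only and changes nothing.

```powershell
# Added pre-flight check for Cloud Hybrid Search onboarding (example code, not Microsoft's script).
# Assumptions: MSOnline module installed, run in a SharePoint 2013 Management Shell on a farm server.
param(
    [string]$OnboardingAccount = 'cloudadmin@contoso.onmicrosoft.com',  # placeholder: cloud-only Global Admin UPN
    [string]$WebAppUrl        = 'https://intranet.contoso.local'         # placeholder: on-prem web application URL
)

Import-Module MSOnline -ErrorAction Stop
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Sign in interactively. If this prompt itself redirects to an SSO page, the account is
# federated and will hit the same wstrust.svc path that failed in the question's log.
Connect-MsolService

$findings = @()

# 1. Federated vs managed: ADAL sends federated users to the on-prem STS, managed users to Azure AD directly.
$domainName = ($OnboardingAccount -split '@')[1]
$domain = Get-MsolDomain -DomainName $domainName -ErrorAction Stop
if ($domain.Authentication -ne 'Managed') {
    $findings += "Domain '$domainName' is '$($domain.Authentication)'; use an account in a Managed domain (e.g. <tenant>.onmicrosoft.com) for onboarding."
}

# 2. MFA: the onboarding script authenticates non-interactively and cannot answer an MFA challenge.
$user = Get-MsolUser -UserPrincipalName $OnboardingAccount -ErrorAction Stop
$mfaState = $user.StrongAuthenticationRequirements | Select-Object -ExpandProperty State -ErrorAction SilentlyContinue
if ($mfaState) {
    $findings += "MFA is '$mfaState' on $OnboardingAccount; disable it for this account or use a separate cloud-only Global Admin."
}

# 3. Global Admin membership ('Company Administrator' is the MSOnline name for Global Administrator).
$gaRole = Get-MsolRole -RoleName 'Company Administrator'
$isGlobalAdmin = Get-MsolRoleMember -RoleObjectId $gaRole.ObjectId |
    Where-Object { $_.EmailAddress -eq $OnboardingAccount }
if (-not $isGlobalAdmin) {
    $findings += "$OnboardingAccount is not a Global Admin; onboarding needs that role."
}

# 4. On-prem web application zones: hybrid search users must authenticate with Windows auth, not SAML/FBA.
$webApp = Get-SPWebApplication $WebAppUrl -ErrorAction Stop
foreach ($zone in $webApp.IisSettings.Keys) {
    $iis = $webApp.IisSettings[$zone]
    $providers = ($iis.ClaimsAuthenticationProviders | ForEach-Object { $_.DisplayName }) -join ', '
    if (-not $iis.UseWindowsIntegratedAuthentication) {
        $findings += "Zone '$zone' of $WebAppUrl does not use Windows authentication (providers: $providers)."
    }
    if ($iis.UseTrustedClaimsAuthenticationProvider -or $iis.UseFormsClaimsAuthenticationProvider) {
        $findings += "Zone '$zone' of $WebAppUrl also has SAML/FBA providers enabled ($providers); users on those providers will not get hybrid results."
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'All Cloud Hybrid Search onboarding pre-checks passed.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it before the Hybrid Configuration Wizard or the onboarding script; each warning maps directly to one of the conditions in the answer above, which is quicker than reading the failure report after a 500 from the federation endpoint. Note that check 1 is the one that explains the question's log line: a federated domain is what makes ADAL call the SecureAuth wstrust.svc endpoint in the first place.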

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange