Playing with PnP Partner Pack v2.0

The Office Dev PnP Partner Pack is a cool solution available on GitHub to provision SharePoint site collections and sub sites in SharePoint Online. It comes with a great step-by-step guide on how to set it up. Because the guide has quite a few steps, you might still run into a few issues when setting this up. In this post I want to share my experiences with the challenges I have seen along the way.

When changing any of the authentication settings in the Azure AD application, always recycle the application pool of the PnP Partner Pack web site afterwards. The web site caches the access tokens it obtained from Azure AD for some time, so you will not see the effect of your changes until that cache is emptied.

The remote server returned an error: (401) Unauthorized

When you get this error on the home view of the PnP Partner Pack web site, you will typically also see a stack trace. The error occurs because the web site cannot access the PnP Partner Pack infrastructure site on your SharePoint Online tenant. It connects with app-only permissions, so the usual cause is that the Azure AD application was granted delegated permissions to Office 365 SharePoint Online instead of the so-called application permissions. Delegated permissions are only effective when a signed-in user is present; they do nothing for an application authenticating on its own.

If you are using the new Azure portal, you want your permissions to look like below. Note: Only the Office 365 SharePoint Online permissions are application permissions while the others (Microsoft Graph and Azure AD) are delegated.

Required permissions in new Azure portal

In the old Azure portal, your permissions should look like this:

Required permissions in old Azure portal

Full Stack Trace

Resolution

  1. Assign application permissions to Office 365 SharePoint Online for the Azure AD application
    • Have full control on all site collections
    • Read managed metadata
  2. Recycle the PnP Partner Pack web site application pool (or do a stop and start)

AADSTS50011: The reply address ‘http://xxxx.azurewebsites.net/’ does not match…

This error message is rather obvious – the reply address registered in the Azure AD application does not match the address the PnP Partner Pack web site actually sends. Azure AD requires an exact match here, trailing slash included, so the typical cause is that you omitted the trailing ‘/’ in the Sign-on URL when creating the Azure AD application. The fix is to make the registered reply URL exactly equal to the one in the error message, which you can do afterwards by editing the reply URL of the application.

In the new Azure portal you want your reply address to look like this:

Reply URL in new Azure portal

And in the old Azure portal like this:

Reply URL in old Azure portal

Full Error Message

AADSTS70002: Error validating credentials. AADSTS50011: The reply address ‘http://xxxx.azurewebsites.net/’ does not match the reply address ‘http://xxxx.azurewebsites.net’ provided when requesting Authorization code. Trace ID: 12c28f28-6c60-4698-a84f-cb7b937de009 Correlation ID: 027e3d22-6758-4b22-ba4e-ead00365079a Timestamp: 2016-12-19 20:07:20Z

Resolution

  1. Add trailing slash (‘/’) to the reply URL in Azure AD application registration
  2. Recycle the PnP Partner Pack web site application pool (or do a stop and start)

AADSTS50012: Client assertion contains an invalid signature

In this case Azure AD could not validate the signature of the client assertion, the token the PnP Partner Pack web site signs with its certificate when it requests an access token. Azure AD verifies that signature against the certificates registered for the application, so the certificate used by the web site must be registered in the application's keyCredentials. For my specific case, as the error message below states, I did not configure my Azure AD application properly.

In the new Azure portal you can edit the Azure AD application manifest directly via the user interface. The manifest is in JSON format and you want to have a keyCredentials entry that looks like below. Note: The value property will show null once you have saved the manifest and re-opened it. That is fine, but the first time you have to fill value with the base64-encoded certificate (which carries the public key). The editor will probably show some errors when you paste in the keyCredentials settings – as long as you can save the manifest, it is ok.

Manifest editor in new Azure portal

There is no fancy manifest editor in the old Azure portal. Here, you download the manifest file, add the keyCredentials entry and upload it again. Note: The value property will also be null when downloading the manifest file. That is fine, too: once the certificate has been stored in Azure, its value cannot be read back through the manifest. Only the thumbprint in customKeyIdentifier remains visible, which is what you compare against the thumbprint named in the error message.

Full Error Message

AADSTS70002: Error validating credentials. AADSTS50012: Client assertion contains an invalid signature. [Reason – The key was not found., Thumbprint of key used by client: ’26E797BFDB57AFA24C72D873FEF04CB51044DBEB’, Configured keys: []] Trace ID: 7444a050-8a93-4b56-b150-c19a34b7ab5a Correlation ID: 31dbab5a-b363-475b-8a0f-f899943fbae9 Timestamp: 2016-12-19 20:34:47Z

Resolution

  1. Check/add the keyCredentials property to Azure AD application manifest
  2. Recycle the PnP Partner Pack web site application pool (or do a stop and start)
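The two manifest problems discussed above (SharePoint permissions granted as delegated instead of application permissions, and a missing or wrong keyCredentials entry) can be checked offline against the downloaded manifest. The following Python script is an added example, not code from the original post or from the PnP Partner Pack project. It assumes the SharePoint Online resource is identified in requiredResourceAccess by the well-known appId 00000003-0000-0ff1-ce00-000000000000, that keyCredentials entries use the documented layout (customKeyIdentifier is the base64-encoded SHA-1 thumbprint of the certificate, value the base64-encoded DER certificate), and it uses constructed placeholder certificate bytes and permission IDs rather than real ones.

```python
"""Offline sanity checks for an Azure AD application manifest used by the
PnP Partner Pack web site.

Added example, not part of the original post or the PnP Partner Pack project.
Assumptions: the manifest is the JSON downloaded from the Azure portal; the
SharePoint Online resource is identified by the appId below; keyCredentials
entries follow the documented shape (customKeyIdentifier = base64 SHA-1
thumbprint, value = base64 DER certificate). Only the standard library is used.
"""
import base64
import hashlib
import json
import re
import uuid

# Well-known resource appId of Office 365 SharePoint Online (assumption).
SHAREPOINT_RESOURCE_APP_ID = "00000003-0000-0ff1-ce00-000000000000"


def sharepoint_permission_problems(manifest):
    """Return the IDs of SharePoint permissions granted as delegated ('Scope').

    The Partner Pack web site connects app-only, so a SharePoint entry of type
    'Scope' instead of 'Role' is ineffective and explains the 401."""
    problems = []
    for resource in manifest.get("requiredResourceAccess", []):
        if resource.get("resourceAppId") != SHAREPOINT_RESOURCE_APP_ID:
            continue
        for access in resource.get("resourceAccess", []):
            if access.get("type") != "Role":
                problems.append(access.get("id"))
    return problems


def der_thumbprint_hex(der_bytes):
    """Upper-case hex SHA-1 thumbprint, the form Azure AD prints in errors."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


def key_credential_from_der(der_bytes, key_id=None):
    """Build the keyCredentials entry for an X.509 certificate given as DER.

    'value' is what the portal blanks to null after saving; the thumbprint in
    'customKeyIdentifier' stays visible."""
    return {
        "customKeyIdentifier": base64.b64encode(hashlib.sha1(der_bytes).digest()).decode("ascii"),
        "keyId": key_id or str(uuid.uuid4()),
        "type": "AsymmetricX509Cert",
        "usage": "Verify",
        "value": base64.b64encode(der_bytes).decode("ascii"),
    }


def configured_thumbprints(manifest):
    """Hex thumbprints of every keyCredentials entry in the manifest."""
    thumbprints = []
    for cred in manifest.get("keyCredentials", []):
        ident = cred.get("customKeyIdentifier")
        if ident:
            thumbprints.append(base64.b64decode(ident).hex().upper())
    return thumbprints


# Accept straight or typographic quotes around the thumbprint.
_THUMBPRINT_RE = re.compile(r"Thumbprint of key used by client: ['\u2019]([0-9A-Fa-f]{40})['\u2019]")


def thumbprint_from_error(message):
    """Extract the client thumbprint reported in an AADSTS50012 message."""
    match = _THUMBPRINT_RE.search(message)
    return match.group(1).upper() if match else None


def diagnose_signature_error(manifest, message):
    """Explain an AADSTS50012 error in terms of the manifest's keyCredentials."""
    used = thumbprint_from_error(message)
    if used is None:
        return "error message does not name a client thumbprint"
    configured = configured_thumbprints(manifest)
    if not configured:
        return "no keyCredentials in manifest; add an entry for " + used
    if used in configured:
        return used + " is registered; verify the web site uses that certificate, then recycle the app pool"
    return used + " is not registered; configured keys: " + ", ".join(configured)


# Constructed sample data (placeholder IDs and bytes, not real values).
SAMPLE_ERROR = ("AADSTS70002: Error validating credentials. AADSTS50012: Client assertion "
                "contains an invalid signature. [Reason - The key was not found., Thumbprint of key "
                "used by client: '26E797BFDB57AFA24C72D873FEF04CB51044DBEB', Configured keys: []]")
SAMPLE_DER = b"constructed-placeholder-bytes-not-a-real-certificate"
SAMPLE_MANIFEST = json.loads(json.dumps({
    "requiredResourceAccess": [{
        "resourceAppId": SHAREPOINT_RESOURCE_APP_ID,
        "resourceAccess": [
            {"id": "placeholder-sites-fullcontrol-all", "type": "Scope"},  # wrong: delegated
            {"id": "placeholder-termstore-read-all", "type": "Role"},     # right: application
        ],
    }],
    "keyCredentials": [],
}))

if __name__ == "__main__":
    print("delegated SharePoint permissions:", sharepoint_permission_problems(SAMPLE_MANIFEST))
    print(diagnose_signature_error(SAMPLE_MANIFEST, SAMPLE_ERROR))
    print(json.dumps(key_credential_from_der(SAMPLE_DER), indent=2))
```

Run it against your own downloaded manifest by loading the file with json.load and passing the result to the two check functions; the error text can be pasted straight from the web site's error page.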

Pending New Site Collections / Sub Sites

Everything in the PnP Partner Pack web site is working like a charm, but new site collections or sub sites are never created and stay in the state ‘Pending’. Most likely, the Web Job called ‘ScheduledJob’ is not running, or runs too infrequently. Check its schedule settings in the Azure portal. The web site only records the request; it is the Web Job that actually creates the sites, so its schedule is an essential part of the solution.

1 thought on “Playing with PnP Partner Pack v2.0”

  1. Thanks, saved me time troubleshooting the error I was getting with pnp partner pack, missed the trailing “/” in reply url.
