Unable to authenticate to SharePoint Online programmatically with federated services

Brite Shiny · May 5, 2014 · Viewed 17.3k times

I am unable to authenticate to SharePoint Online using SharePointOnlineCredentials, receiving the error message:

Identity Client Runtime Library (IDCRL) encountered an error while talking to the partner STS.

This same code worked until we implemented AD FS to federate authentication to our Active Directory. And, in fact, the code still works when I access my own personal SharePoint Online site, which does not use federated services. This leads me to suspect there is a problem using SharePointOnlineCredential with federated services.

Can anyone confirm this is the case? And, if so, what is the workaround?

I created a simple program to verify this issue, which follows:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using Microsoft.SharePoint.Client;
using Microsoft.Online.SharePoint.Client;
using System.Security;

namespace SPOConsole
{
    class Program
    {
        static void Main(string[] args)
        {

            var targetSite = new Uri("https://<mydomain>.sharepoint.com");
            var login = "<myuserid>@<mydomain>.com";
            var password = "<mypassword>";
            var securePassword = new SecureString();
            foreach (char c in password)
            {
                securePassword.AppendChar(c);
            }

            var onlineCredentials = new SharePointOnlineCredentials(login, securePassword);

            using (ClientContext clientContext = new ClientContext(targetSite))
            {
                clientContext.Credentials = onlineCredentials;
                Web web = clientContext.Web;
                clientContext.Load(web,
                webSite => webSite.Title);

                clientContext.ExecuteQuery();
                Console.WriteLine(web.Title);

                Console.Read();

            }

        }
    }
}

The code fails on the line:

        var onlineCredentials = new SharePointOnlineCredentials(login, securePassword);

Following is the stack trace:

Microsoft.SharePoint.Client.IdcrlException was unhandled
  HResult=-2147186451
  Message=Identity Client Runtime Library (IDCRL) encountered an error while talking to the partner STS.
  Source=Microsoft.SharePoint.Client.Runtime
  ErrorCode=-2147186451
  StackTrace:
       at Microsoft.SharePoint.Client.Idcrl.ManagedIdcrl.CheckHResult(Int32 hr)
       at Microsoft.SharePoint.Client.Idcrl.ManagedIdcrl.LogonIdentity(String username, SecureString password)
       at Microsoft.SharePoint.Client.Idcrl.SharePointOnlineAuthenticationProvider.Logon(String username, SecureString password)
       at Microsoft.SharePoint.Client.SharePointOnlineCredentials..ctor(String username, SecureString password)
       at SPOConsole.Program.Main(String[] args) in c:\Users\michael.norton\Documents\Visual Studio 2012\Projects\SimpleSPOConnection\SPOConsole\Program.cs:line 26
       at System.AppDomain._nExecuteAssembly(RuntimeAssembly assembly, String[] args)
       at System.AppDomain.ExecuteAssembly(String assemblyFile, Evidence assemblySecurity, String[] args)
       at Microsoft.VisualStudio.HostingProcess.HostProc.RunUsersAssembly()
       at System.Threading.ThreadHelper.ThreadStart_Context(Object state)
       at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
       at System.Threading.ThreadHelper.ThreadStart()
  InnerException: 

Answer

Brite Shiny · May 22, 2014

I resolved the issue by ensuring I was using the SharePoint Online Client Components in my code. Here are the steps I took:

  1. Uninstalled the SharePoint Online Management Shell (http://www.microsoft.com/en-us/download/details.aspx?id=35588). The original program, which was written last fall and started as an extension of a PowerShell program, used the Microsoft.Online.SharePoint.Client.Tenant.dll that came with the SharePoint Online Management Shell. The program should reference C:\Program Files\SharePoint Client Components\16.0\Assemblies\Microsoft.Online.SharePoint.Client.Tenant.dll.

  2. Installed the latest SharePoint Online Client Components SDK (http://www.microsoft.com/en-us/download/details.aspx?id=42038). It is important to note that this SDK is different than the SharePoint 2013 Client Components SDK. The SharePoint Online Client Components SDK is version 16; the SharePoint 2013 Client Components SDK is version 15.

  3. Ensured that the Microsoft.SharePoint.Client and Microsoft.SharePoint.Client.Runtime dlls in the program loaded from the 16 version in the Web Server Extensions folder, e.g. C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll.

I am now able to authenticate using both federated and non-federated accounts.
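An added diagnostic, not part of the question or the answer above, that shows which Microsoft.SharePoint.Client and Microsoft.SharePoint.Client.Runtime builds the process actually loaded, so a version-15 assembly picked up from the GAC or the 15\ISAPI folder can be spotted before SharePointOnlineCredentials is constructed. The class and method names are my own; it only assumes the CSOM assemblies referenced by the question's program.

```csharp
using System;
using System.Diagnostics;
using System.Reflection;
using Microsoft.SharePoint.Client;

namespace SPOConsole
{
    static class AssemblyCheck
    {
        // Returns true when both CSOM assemblies loaded into this process are the
        // version-16 (SharePoint Online Client Components) builds. Prints the
        // origin of each so a stray v15 copy is easy to locate.
        public static bool UsingSharePointOnlineClientComponents()
        {
            bool ok = true;

            // ClientContext lives in Microsoft.SharePoint.Client.dll;
            // SharePointOnlineCredentials (the type that throws IdcrlException)
            // lives in Microsoft.SharePoint.Client.Runtime.dll.
            Type[] probes = { typeof(ClientContext), typeof(SharePointOnlineCredentials) };

            foreach (Type t in probes)
            {
                Assembly asm = t.Assembly;
                AssemblyName name = asm.GetName();
                string fileVersion = FileVersionInfo.GetVersionInfo(asm.Location).FileVersion;

                Console.WriteLine("{0} {1} loaded from {2} (file version {3})",
                    name.Name, name.Version, asm.Location, fileVersion);

                if (name.Version.Major < 16)
                {
                    Console.WriteLine("  -> major version {0} is the SharePoint 2013 (v15) build; " +
                                      "reference the v16 SDK assemblies instead", name.Version.Major);
                    ok = false;
                }
            }
            return ok;
        }
    }
}
```

Call `AssemblyCheck.UsingSharePointOnlineClientComponents()` at the top of `Main` and return early when it is false, so the IDCRL logon is never attempted with the wrong assembly set.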