Unable to connect to SharePoint (retrieving token from XML error) #207

Closed
pobs93 opened this issue Jun 10, 2020 · 13 comments
pobs93 commented Jun 10, 2020

Good Morning,

I have been trying for days to connect with my company SharePoint account but I'm not able to do it.

I have tried the approaches explained in the pypi description

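from office365.runtime.auth.authentication_context import AuthenticationContext
from office365.sharepoint.client_context import ClientContext

username = 'pablo@mycompany.com'
password = 'XXXX'
url = 'https://aXXX.sharepoint.com'

# User credentials flow: request a token with username and password
ctx_auth = AuthenticationContext(url)
if ctx_auth.acquire_token_for_user(username, password):
    ctx = ClientContext(url, ctx_auth)
    web = ctx.web
    ctx.load(web)
    ctx.execute_query()
    print("Web title: {0}".format(web.properties['Title']))
else:
    print(ctx_auth.get_last_error())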

Also the one given after the 2.1.8 version release

ctx = ClientContext.connect_with_credentials(site_url, UserCredential(username,password))

but I always get the same error:

An error occurred while retrieving token from XML response: AADSTS500069: The element with ID 'XXXX' was either unsigned or the signature was invalid.
An error occurred while retrieving auth cookies from https://XXX.sharepoint.com/_vti_bin/idcrl.svc

This is stopping me from continuing with my project...

Can anybody tell me why this error is occurring and how to fix it?

Thanks in advance.

vgrem added the question label Jun 10, 2020
Owner

vgrem commented Jun 10, 2020

Greetings!

Surprisingly, this error is not listed among Azure AD STS error codes.

To pinpoint it, could you please clarify the following questions:

Owner

vgrem commented Jun 10, 2020

Another option would be to switch from user credentials flow to app principals flow.

Refer to this article on how to register an app principal and grant access via SharePoint App-Only flow.

Here is an example:

ctx = ClientContext.connect_with_credentials(site_url, ClientCredential(client_id,client_secret))

target_web = ctx.web
ctx.load(target_web)
ctx.execute_query() 

Author

pobs93 commented Jun 10, 2020

Good Afternoon

Thanks for your fast answer and help.

I'm using a corporate account with the following format myname@external.mycompany.com

I've asked the IT in my company and they told me my account doesn't have Multi-factor authentication active, although there are some accounts with Multi-factor activated.

Also I have asked for the app principal credentials but unfortunately I don't have permission to set it up myself so I have to wait for them to do it.

Owner

vgrem commented Jun 10, 2020

Regarding app principal permissions, in the provided article, FullControl access is consented per tenant, although in most cases site collection scope is more than enough. Here is an XML manifest for it:

<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
</AppPermissionRequests>

Site collection page url: https://contoso.sharepoint.com/_layouts/15/appinv.aspx

Note: could be configured either by site collection administrator or tenant administrator

Author

pobs93 commented Jun 11, 2020

Good Afternoon,

I have more information about the error.

I have tried to connect with an IT service user and I got this error

Cannot get binary security token for from https://login.microsoftonline.com/extSTS.srf
Traceback (most recent call last):
File "c:/Users/pablo.arias/Desktop/GD/Conexion_sharepoint.py", line 13, in
if ctx_auth.acquire_token_for_user(username, password):
File "C:\Anaconda3\lib\site-packages\office365\runtime\auth\authentication_context.py", line 18, in acquire_token_for_user
if not self.provider.acquire_token():
File "C:\Anaconda3\lib\site-packages\office365\runtime\auth\saml_token_provider.py", line 60, in acquire_token
return self.acquire_authentication_cookie(token, user_realm.IsFederated)
File "C:\Anaconda3\lib\site-packages\office365\runtime\auth\saml_token_provider.py", line 217, in acquire_authentication_cookie
self._auth_cookies[name] = cookies[name]

The user name is ALSSVSHNGSDES in case it gives you some information

On the other hand, I've been trying to create and access via SharePoint App-Only but I don't know how to fill in properly the fields APP Domain and Redirect URI. I have tried to set my SharePoint address in both but it's always giving me an error so I guess it's not the correct information.

Thanks in advance.

Owner

vgrem commented Jun 11, 2020

Good evening,

regarding

but I don't know how to fill in properly the fields APP Domain and Redirect URI. I have tried to set my SharePoint address in both but it's always giving me an error so I guess it's not the correct information.

the error probably occurs due to the values specified for App Domain and Redirect URI, please refer to the instructions below for more details.

Here are the instructions to create app-based credentials:

  1. Go to the appregnew.aspx page in your SharePoint Online tenant. For example, https://example.sharepoint.com/_layouts/15/appregnew.aspx.
  2. On this page, click the Generate buttons next to the Client ID and Client Secret fields to generate their values.
  3. Store the client ID and client secret securely as these credentials can be used to read or update all data in your SharePoint Online environment. You will also use them to configure the SharePoint Online connection in application.
  4. Under Title, specify a title. For example, Python console. Under App Domain, specify www.localhost.com. Under Redirect URI, specify https://www.localhost.com.

Note: Sometimes, if you specify an actual domain, e.g. the sharepoint.com domain, in the App Domain and Redirect URI fields instead of localhost, the error message "An unexpected error has occurred" might be encountered. Check the appregnew.aspx page and make sure both fields include the proper localhost URI.

  5. Click Create.

  6. Go to the appinv.aspx page on the site collection, for example https://example.sharepoint.com/_layouts/15/appinv.aspx, to grant site-scoped permissions.

Note: If you prefer to grant permissions at tenant level, visit the tenant administration site instead. The URL must include -admin to access the tenant administration site, for example https://example-admin.sharepoint.com/_layouts/15/appinv.aspx. That operation requires tenant administrator permissions.

  7. Specify your client ID in the App Id field and click Lookup to find your app.
    To grant permissions to the app, copy the XML below to the App’s permission request XML field:
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
</AppPermissionRequests>

Note: For tenant level scope, the permission request XML looks as follows:

<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>

If you see the error message "Sorry, only tenant administrators can add or give access to this app" and the Trust It button is disabled, you are not on the correct page for the tenant administration site. Check the appinv.aspx page URL and make sure it includes -admin.

  8. Click Create.
  9. On the confirmation dialog, click Trust It to grant the permissions.

As a proof-of-concept, here is an example of running the following script in Jupyter Notebook:

from office365.runtime.auth.ClientCredential import ClientCredential
from office365.sharepoint.client_context import ClientContext

# Values generated on appregnew.aspx
client_id = "--client id goes here--"
client_secret = "-- secret goes here--"
site_url = "https://example.sharepoint.com/"

# App principal (app-only) flow: authenticate with client ID and secret
ctx = ClientContext.connect_with_credentials(site_url, ClientCredential(client_id, client_secret))
web = ctx.web
ctx.load(web)
ctx.execute_query()

Result

image
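Added example, not part of the thread or of the library's own code: a check that can be run over a permission request manifest before it is pasted into appinv.aspx, flagging grants broader than a chosen ceiling. The function name `audit_manifest` and the default ceiling (site collection scope, Write right) are assumptions for illustration; the two sample manifests are the ones quoted in the comment above.

```python
import xml.etree.ElementTree as ET

# Content scopes and rights of the SharePoint add-in model, narrowest first.
SCOPE_BREADTH = {
    "http://sharepoint/content/sitecollection/web/list": 0,
    "http://sharepoint/content/sitecollection/web": 1,
    "http://sharepoint/content/sitecollection": 2,
    "http://sharepoint/content/tenant": 3,
}
RIGHT_LEVEL = {"Read": 0, "Write": 1, "Manage": 2, "FullControl": 3}

# Sample inputs: the two manifests from the instructions above.
SITE_MANIFEST = """\
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
</AppPermissionRequests>"""
TENANT_MANIFEST = SITE_MANIFEST.replace("/content/sitecollection", "/content/tenant")


def audit_manifest(xml_text,
                   max_scope="http://sharepoint/content/sitecollection",
                   max_right="Write"):  # assumed ceiling, adjust per app
    """Return findings for grants broader than the stated ceiling."""
    root = ET.fromstring(xml_text)
    if root.tag != "AppPermissionRequests":
        raise ValueError("not an AppPermissionRequests manifest")
    app_only = root.get("AllowAppOnlyPolicy", "false").lower() == "true"
    findings = []
    for req in root.iter("AppPermissionRequest"):
        scope, right = req.get("Scope", ""), req.get("Right", "")
        if scope not in SCOPE_BREADTH or right not in RIGHT_LEVEL:
            findings.append(f"unrecognised grant: Scope={scope!r} Right={right!r}")
            continue
        if SCOPE_BREADTH[scope] > SCOPE_BREADTH[max_scope]:
            findings.append(f"scope {scope} is broader than {max_scope}")
        if RIGHT_LEVEL[right] > RIGHT_LEVEL[max_right]:
            findings.append(f"right {right} exceeds {max_right}")
        if app_only and scope.endswith("/tenant") and right == "FullControl":
            findings.append("app-only FullControl on tenant: the client secret "
                            "alone can read or update every site")
    return findings


if __name__ == "__main__":
    for name, manifest in (("site", SITE_MANIFEST), ("tenant", TENANT_MANIFEST)):
        print(name, audit_manifest(manifest))
```

Passing `max_right="FullControl"` accepts the site collection manifest as written while still flagging the tenant-wide one.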

Author

pobs93 commented Jun 15, 2020

Good Morning,

I've been trying to set up the API following the instructions but I can't.

When I set APP Domain as www.localhost.com and Redirect URI as https://www.localhost.com I receive the following error: Invalid APP Domain.

I attached a screenshot from my last attempt.

image

Can you tell me what it is that I'm doing incorrectly?

I guess that putting "localhost" as App Domain was an example and it was not a proper URI for SharePoint, but at this point I am really lost about what to put in the "App domain" and "Redirect URI" fields.

Many thanks in advance!

Owner

vgrem commented Jun 15, 2020

Good morning,

how about localhost instead of www.localhost.com?

Owner

vgrem commented Jun 16, 2020

I guess it's been resolved so closing this one.

vgrem closed this as completed Jun 16, 2020
Author

pobs93 commented Jun 16, 2020

Good Afternoon

Sorry I didn't answer earlier.
I'm having trouble with the permissions.

I think it is happening because they didn't give the API full access in the XML permission request.

I'm getting the following error when I do the request (sorry it's in Spanish):

office365.runtime.client_request_exception.ClientRequestException: ('-2147024891, System.UnauthorizedAccessException', 'Acceso denegado. No tiene
el permiso necesario para realizar esta acción o tener acceso a este recurso.', '403 Client Error: Forbidden for url

So I guess the code is working correctly.

Thank you for your help.

Owner

vgrem commented Jun 16, 2020

That's right, steps 6-9 are also mandatory for granting permissions.

Author

pobs93 commented Jun 16, 2020

Good Afternoon

Finally we changed the XML and it's working

ctx = ClientContext.connect_with_credentials(site_url, ClientCredential(client_id, client_secret))
web = ctx.web
ctx.load(web)
ctx.execute_query()
print("Web site title: {0}".format(web.properties['Title']))

Web site title: NEGOCIO

Thank you so much for all your help.


prathmeshphalke commented Jun 25, 2020

@pobs93 I am trying to do the same thing. I changed my permissions but I am getting the same error as you were: -2147024891, System.UnauthorizedAccessException', 'Access denied. You do not have permission to perform this action or access this resource.', '403 Client Error: Forbidden for url:
What change did you make to your permission XML? Can you please tell me, this is very critical for my project. Thanks in advance.

Did you change the permission XML? Did you change the scope here to reflect your company URL or keep it as is?
