Troubleshooting the Calling the Claims Identity Provider Page Error

Cause

This error is related to how Windows authentication works. When a browser connects to a Coveo search page, the Windows authentication process takes place between the browser and IIS. Once IIS has authenticated the user, the Coveo search page executes most of its processing as that Windows identity, including the web request to SharePoint that retrieves the user's claims. For security reasons, Windows may prevent an authenticated identity from being shared between different computers. It is however possible to configure Windows to allow identity sharing between two specific computers.

Possible solution

Use the Windows Active Directory Users and Computers MMC snap-in to authorize the ASP.NET code of the search page to delegate the authenticated Windows identities to the SharePoint server when the Front-End server performs the claims requests.

To enable Windows authentication delegation from the Coveo .NET Front-End server to the SharePoint WFE server

Note: The procedure that follows describes one of the easiest ways to successfully enable Windows authentication delegation between two servers.

1. With an administrator account, log into your Coveo .NET Front-End server.

2. If not already done, install AD DS Snap-Ins and Command-Line Tools:

   Note: The following procedure describes the installation on Windows Server 2008 R2.

   a. Select Server Manager.
   b. In the Server Manager window, click Add roles and features.
   c. In the Add Roles and Features Wizard dialog, reach the Features section.
   d. In the Features section:
      - Expand Remote Server Administration Tools, Role Administration Tools, AD DS and AD LDS Tools, and AD DS Tools.
      - Select the AD DS Snap-Ins and Command-Line Tools check box.
      - Click Next.
   e. In the Confirmation section, click Install.
   f. In the Results section, click Close.

3. Access the Active Directory Users and Computers window:

   Note: This feature is only available in the following Windows versions: Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012.

   a. Click the Windows start menu, and then search and select Administrative Tools.
   b. In the Administrative Tools window, double-click Active Directory Users and Computers.

4. In the Active Directory Users and Computers window, in the left section, locate and right-click the Coveo .NET Front-End server computer, and then select Properties.

5. In the [serverName] Properties dialog, click the Delegation tab.

6. In the Delegation tab:
   a. Select the Trust this computer for delegation to specified services only radio button.
   b. Select the Use any authentication protocol radio button.
   c. Below the Services to which the account can present delegated credentials list, click Add.

7. In the Add Services dialog, click Users or Computers.

8. In the Select Users or Computers dialog, in the Enter the object names to select (examples) box, enter the name of the SharePoint (WFE) server, and then click OK.

   Note: If SharePoint WFE servers are accessed via an NLB address, all SharePoint WFE servers must be entered.

9. Back in the Add Services dialog, select the http Service Type in the list, and then click OK.

10. Back in the Delegation tab, click OK to apply the settings.

11. Restart the Coveo .NET Front-End server.

12. In IIS (Internet Information Services), for the authentication delegation to work, the SharePoint web app site must be configured with Windows Authentication and with the Negotiate provider enabled on the site [see Configure Windows Authentication (IIS 7)].

13. Test the search page again to confirm that the error calling the claims identity provider page no longer occurs.
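The following PowerShell check is an added example, not part of the Coveo documentation: it reads the Front-End computer account from Active Directory and reports whether the Delegation tab settings chosen in the procedure (constrained delegation to the http service on each WFE, with any authentication protocol) actually landed on the account. It assumes the ActiveDirectory module (installed with the AD DS Snap-Ins and Command-Line Tools) and uses placeholder computer names COVEO-FE, SP-WFE01 and SP-WFE02.

```powershell
# Added example (not from the Coveo documentation). Verifies the delegation
# settings on the Coveo .NET Front-End computer account after the procedure.
# COVEO-FE, SP-WFE01 and SP-WFE02 are placeholders: replace with your names.
Import-Module ActiveDirectory

$frontEnd   = 'COVEO-FE'
$wfeServers = @('SP-WFE01', 'SP-WFE02')   # every WFE behind the NLB address

# userAccountControl flag values (Windows SDK constants)
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained: not what the procedure sets
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol"

$acct    = Get-ADComputer -Identity $frontEnd -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
$uac     = [int]$acct.userAccountControl
$allowed = @($acct.'msDS-AllowedToDelegateTo')   # "specified services only" list

$ok = $true
if ($uac -band $TRUSTED_FOR_DELEGATION) {
    Write-Warning "$frontEnd is trusted for unconstrained delegation; the procedure expects 'specified services only'."
    $ok = $false
}
if (-not ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)) {
    Write-Warning "'Use any authentication protocol' is not set on $frontEnd."
    $ok = $false
}
foreach ($wfe in $wfeServers) {
    # The Delegation tab stores the http service as http/<host> (often http/<fqdn> as well)
    $pattern = '^http/' + [regex]::Escape($wfe) + '(\.|$)'
    $match   = $allowed | Where-Object { $_ -match $pattern }
    if (-not $match) {
        Write-Warning "No http/$wfe entry in msDS-AllowedToDelegateTo on $frontEnd; add the WFE in the Delegation tab."
        $ok = $false
    }
}
if ($ok) {
    "Delegation from $frontEnd to http on $($wfeServers -join ', ') is configured as described."
}
```

Run it from the Front-End server (or any domain-joined host with the AD tools) after step 11; a warning about a missing http entry usually means one WFE behind the NLB address was not added.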