Update: Microsoft included the fix in the hybrid picker experience. This means you no longer have to perform the steps outlined in this blog post.
You can find the updated article by Microsoft here: https://blogs.technet.microsoft.com/beyondsharepoint/2016/09/15/considerations-when-deploying-sharepoint-office365-hybrid-workloads-in-a-farm-utilizing-provider-hosted-add-ins-or-workflow-manager/
For hybrid search (outbound/inbound query federation or Cloud Hybrid Search Service Application) a manual approach is needed to remediate this scenario.
A KB article was released, which can be found here: https://support.microsoft.com/en-us/help/4010011/provider-hosted-add-ins-stop-working-and-http-401-error
Summary: This article provides a solution to broken provider-hosted add-ins after configuring SharePoint hybrid features. For a full list of hybrid features, see the following article: https://sharepointrelated.com/2016/10/04/hybrid-features-sharepoint-2013-and-2016
The following hybrid features will break your server-to-server trusts that were already set up before configuring hybrid for SharePoint 2013 or SharePoint 2016:
This post will describe why this happens and how we can fix this.
In order to establish a server-to-server trust between your on-premises SharePoint environment and Office 365, Microsoft relies on the SPAuthenticationRealm. More information can be found here: https://technet.microsoft.com/en-us/library/jj219756.aspx.
This article has a “Caution” section, warning that any access tokens created for a specific realm, won’t work after changing the SPAuthenticationRealm.
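Before running any fix it helps to see which trusts are actually affected. The following PowerShell is an added example (not the Fix-Hybrid.ps1 script from this post): it compares the realm part of each SPTrustedSecurityTokenIssuer with the current SPAuthenticationRealm and reports the ones still bound to the old realm. It assumes RegisteredIssuerName has the form `<issuerId>@<realm>`, with `*` standing for any realm.

```powershell
# Added example: read-only check for token issuers registered against a stale realm.
# Assumption: RegisteredIssuerName is "<issuerId>@<realm>", where "*" means any realm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-StaleTokenIssuers {
    # The realm hybrid configuration changes; tokens carry it, so it must match.
    $currentRealm = (Get-SPAuthenticationRealm).ToString().ToLowerInvariant()

    foreach ($issuer in Get-SPTrustedSecurityTokenIssuer) {
        $parts = $issuer.RegisteredIssuerName -split '@', 2
        $realm = if ($parts.Count -eq 2) { $parts[1].ToLowerInvariant() } else { $null }

        if ($null -eq $realm)             { $state = 'NoRealm'  }  # not realm-scoped
        elseif ($realm -eq '*')           { $state = 'AnyRealm' }  # wildcard, unaffected
        elseif ($realm -eq $currentRealm) { $state = 'Current'  }  # already matches
        else                              { $state = 'Stale'    }  # bound to the old realm

        [pscustomobject]@{
            Name                 = $issuer.Name
            RegisteredIssuerName = $issuer.RegisteredIssuerName
            Realm                = $realm
            CurrentRealm         = $currentRealm
            State                = $state
        }
    }
}

$report = Get-StaleTokenIssuers
$report | Format-Table Name, Realm, State -AutoSize

$stale = @($report | Where-Object { $_.State -eq 'Stale' })
if ($stale.Count -gt 0) {
    Write-Warning ("{0} issuer(s) still reference the old realm; provider-hosted add-ins " +
                   "trusting them will keep failing with HTTP 401 until re-registered." -f $stale.Count)
} else {
    Write-Host "All realm-scoped issuers match the current SPAuthenticationRealm."
}
```

Run it from the SharePoint Management Shell on a farm server; it changes nothing, so it is safe to run before and after the fix to confirm the stale entries are gone.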
To fix this, I wrote a script that gives you 2 options:
Running the script will result in something like this:
(Screenshot: Running the Fix-Hybrid.ps1 script)
You can download the script here:
Notes
If you choose to fix your SPTrustedSecurityTokenIssuers, you will need to do some additional work to have everything work again.
- Regrant app permissions
App permissions rely on the SPAuthenticationRealm.
This means that any App permissions that you set, will be gone after updating your SPTrustedSecurityTokenIssuers.
You will have to register the apps again and assign the permissions to the app.
The following script can do this for you (the current script is app-instance based, which means you have to run it once for every app instance).
Also, make sure to change the variables in the script before running it.
- Workflow Manager
Workflow Manager also relies on the SPAuthenticationRealm. Thanks to Ruben de Boer for proposing the solution.
After running the Fix-Onboarding.ps1 script, make sure to remove the existing Workflow Service Application Proxy.
Then run the Register-SPWorkflowService cmdlet again. Make sure to use the same scope that you used before. I recommend using the -Force parameter.
I hope this helps anyone! Do not hesitate to contact me if you have any trouble using the script or have any questions.
Hi Nico,
The links for both scripts are not working, it does not let us download the script: https://sharepointrelated.com/2016/08/11/fixing-apps-configuring-cloud-hybrid-search/fix-onboarding-2/
https://sharepointrelated.com/2016/08/11/fixing-apps-configuring-cloud-hybrid-search/set-spapppermissions/
Thanks, I re-uploaded the files. They should now be available.
Nico: I just configured hybrid search (in SP2013 on-prem) and workflows are now not running properly. I tried running your script fix-hybrid.ps1, but it fails because it cannot find a value for the $realm variable: Get-SPTrustedSecurityTokenIssuer returns only 2 values – one ending with an asterisk, which the script excludes, and the other one having the same value as the current result for “Get-SPAuthenticationRealm” (which your script stores in the variable $AuthRealm and also excludes) – am I missing something here? SP2013 workflows were working OK prior to me setting up Hybrid Search (which is working OK).
Thanks
Hi JJ,
If it is only the Workflow Manager farm that is not running correctly, you don’t have to run the script.
In this case you only have to run the Register-SPWorkflowService cmdlet again. Please make sure you register it using the same Scope that you used when first configuring Workflow Manager.
If this doesn’t help, please let me know.
How about for the SharePoint-hosted apps?
Hi George,
SharePoint-hosted apps “shouldn’t” be affected because they are not using the SPAuthenticationRealm that is changed by the Hybrid configuration script.
Thanks Nico! I did not realize you had replied till now. I just validated it and it seems what you said is correct, thanks!