OfficeWebApps with SharePoint 2013 giving 'missing access token' message in ULS logs

  • Question

  • Hello

    We are trying to set up an Office Web Apps integration with SharePoint 2013. After having read through various online forums and MSDN links, I was able to set up the Office Web Apps binding with SharePoint 2013.

    However, after all the steps are completed, when we try to 'view' the Word document, we get an error message "sorry there was a problem and we can't open this document. If this happens again,try opening the document in Microsoft word".

    On the SharePoint 2013 ULS logs we see the following messages.

    ##########################################

        

    Entering monitored scope (Request (POST:https://komra-vm1.ca.com:443/_layouts/15/inplview.aspx?List=%7B8B43B880-F7B2-4E8F-B7F0-DFC560FBD1E5%7D&View=%7B2D9F0DE8-E16E-4DCF-A02E-8FF1348B8ADB%7D&ViewCount=0&IsXslView=TRUE&IsCSR=TRUE&IsRibbon=TRUE&Cmd=EcbView)). Parent No
    Name=Request (POST:https://komra-vm1.ca.com:443/_layouts/15/inplview.aspx?List=%7B8B43B880-F7B2-4E8F-B7F0-DFC560FBD1E5%7D&View=%7B2D9F0DE8-E16E-4DCF-A02E-8FF1348B8ADB%7D&ViewCount=0&IsXslView=TRUE&IsCSR=TRUE&IsRibbon=TRUE&Cmd=EcbView) 44bd219c-710e-f0d5-b916-f7e75e634276
    Non-OAuth request. IsAuthenticated=True, UserIdentityName=0?.t|smtip|paaaaa, ClaimsCount=14 44bd219c-710e-f0d5-b916-f7e75e634276
    Site=/ 44bd219c-710e-f0d5-b916-f7e75e634276
    SPShareByLinkHandler.IsShareableByLink : ShareByLink disabled at SPSite or tenant level 44bd219c-710e-f0d5-b916-f7e75e634276
    SPShareByLinkHandler.CanManageSharingLinkForNewDocument : container is not shareable 44bd219c-710e-f0d5-b916-f7e75e634276
    Leaving Monitored Scope (Request (POST:https://komra-vm1.ca.com:443/_layouts/15/inplview.aspx?List=%7B8B43B880-F7B2-4E8F-B7F0-DFC560FBD1E5%7D&View=%7B2D9F0DE8-E16E-4DCF-A02E-8FF1348B8ADB%7D&ViewCount=0&IsXslView=TRUE&IsCSR=TRUE&IsRibbon=TRUE&Cmd=EcbView)). Execution Time=31.6822389437764 44bd219c-710e-f0d5-b916-f7e75e634276
    Entering monitored scope (Request (GET:https://komra-vm1.ca.com:443/_layouts/15/WopiFrame.aspx?sourcedoc=%2FShared%20Documents%2FChange%20orcladmin%20password%2Edocx&action=interactivepreview&wdSmallView=1)). Parent No
    Name=Request (GET:https://komra-vm1.ca.com:443/_layouts/15/WopiFrame.aspx?sourcedoc=%2FShared%20Documents%2FChange%20orcladmin%20password%2Edocx&action=interactivepreview&wdSmallView=1) 44bd219c-a12e-f0d5-b916-f51ae9156631
    Non-OAuth request. IsAuthenticated=True, UserIdentityName=0?.t|smtip|paaaaa, ClaimsCount=14 44bd219c-a12e-f0d5-b916-f51ae9156631
    Site=/ 44bd219c-a12e-f0d5-b916-f51ae9156631
    Entering monitored scope (Request (POST:https://komra-vm1.ca.com:443/_vti_bin/client.svc/ProcessQuery)). Parent No
    Name=Request (POST:https://komra-vm1.ca.com:443/_vti_bin/client.svc/ProcessQuery) 44bd219c-a12e-f0d5-b916-f0d1cb22b3ae
    SPShareByLinkHandler.Initialize : Not a ShareByLink request - missing access token 44bd219c-a12e-f0d5-b916-f51ae9156631
    Non-OAuth request. IsAuthenticated=True, UserIdentityName=0?.t|smtip|paaaaa, ClaimsCount=14 44bd219c-a12e-f0d5-b916-f0d1cb22b3ae
    Begin CSOM Request ManagedThreadId=30, NativeThreadId=8640 44bd219c-a12e-f0d5-b916-f0d1cb22b3ae
    Site=/ 44bd219c-a12e-f0d5-b916-f0d1cb22b3ae
    serviceHost_RequestExecuting 44bd219c-a12e-f0d5-b916-f0d1cb22b3ae
    WcfSendRequest: RemoteAddress: 'net.pipe://localhost/SecurityTokenServiceApplication/appsts.svc' Channel: 'Microsoft.SharePoint.IdentityServices.IApplicationSecurityTokenServiceContract' Action: 'http://schemas.microsoft.com/sharepoint/2011/05/securitytokenservice/IApplicationSecurityTokenServiceContract/Issue' MessageId: 'urn:uuid:805ea06c-4518-4482-9cd2-deab2b103659' 44bd219c-a12e-f0d5-b916-f51ae9156631
    Entering monitored scope (ExecuteWcfServerOperation). Parent No
    WcfReceiveRequest: LocalAddress: 'net.pipe://goyne01-sp.spfarm.com/SecurityTokenServiceApplication/appsts.svc' Channel: 'System.ServiceModel.Channels.ServiceChannel' Action: 'http://schemas.microsoft.com/sharepoint/2011/05/securitytokenservice/IApplicationSecurityTokenServiceContract/Issue' MessageId: 'urn:uuid:805ea06c-4518-4482-9cd2-deab2b103659' 44bd219c-a12e-f0d5-b916-f51ae9156631
    Leaving Monitored Scope (ExecuteWcfServerOperation). Execution Time=10.0448520691876 44bd219c-a12e-f0d5-b916-f51ae9156631
    Leaving Monitored Scope (EnsureListItemsData). Execution Time=18.6900849130267 44bd219c-a12e-f0d5-b916-f0d1cb22b3ae
    Self-issued token request for 'wopi/komra-vm1.ca.com@d085ebe7-c78c-402b-890a-fc3d27651d5f' succeeded. 44bd219c-a12e-f0d5-b916-f51ae9156631
    Leaving Monitored Scope (EnsureListItemsData). Execution Time=13.896179542372 44bd219c-a12e-f0d5-b916-f51ae9156631
    Leaving Monitored Scope (Microsoft.SharePoint.SPObjectSharingInformation.GetListItemSharingInformation). Execution Time=40.8808940801135 44bd219c-a12e-f0d5-b916-f0d1cb22b3ae
    serviceHost_RequestExecuted 44bd219c-a12e-f0d5-b916-f0d1cb22b3ae
    End CSOM Request. Duration=50 milliseconds. 44bd219c-a12e-f0d5-b916-f0d1cb22b3ae
    Leaving Monitored Scope (Request (GET:https://komra-vm1.ca.com:443/_layouts/15/WopiFrame.aspx?sourcedoc=%2FShared%20Documents%2FChange%20orcladmin%20password%2Edocx&action=interactivepreview&wdSmallView=1)). Execution Time=66.666014814732 44bd219c-a12e-f0d5-b916-f51ae9156631

    ##########################################

    I would like to understand what these lines mean and whether they have any bearing on the Office Web Apps integration not working.

    1. SPShareByLinkHandler.Initialize : Not a ShareByLink request - missing access token.

    2. ShareByLink disabled at SPSite or tenant level.

    We are using Claim Based Authentication Model with Trusted Identity Provider configured. All our URLs are on https.

    Also attaching the sequence of commands executed so that it could be understood as to what has been done so far.

    ####################################

    WebApp Server Side: http://technet.microsoft.com/en-us/library/jj219455.aspx

    New-OfficeWebAppsFarm -InternalUrl "https://goyne01-sql" -ExternalUrl "https://goyne01-sql.spfarm.com" -CertificateName "goyne01-sql" -EditingEnabled

    %systemroot%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -iru

    iisreset /restart /noforce

    Now access https://goyne01-sql.spfarm.com/hosting/discovery and the page opens up with the details.

    SharePoint Server side: http://technet.microsoft.com/en-us/library/ff431687.aspx

    New-SPWOPIBinding -ServerName "https://goyne01-sql.spfarm.com"

    Get-SPWOPIZone (result was internal-https)

    ####################################

    Thanks

    Hubert



    Monday, June 3, 2013 11:19 AM

All replies

  • Hello

    Can you verify the claims to windows token service is running? 


    MCITP-EA | I really like cheese.. no, I really do

    Monday, June 3, 2013 2:42 PM
  • I have the same experience (just at http) 

    I can see the live preview at the document library - but in the search center - I get errors...


    • Edited by JmATK Wednesday, October 9, 2013 5:51 AM
    Wednesday, October 9, 2013 5:46 AM
  • I have claims to windows token service started automatic, has been.  Using HTTP in development environment.

    EDITED - Added server info!  Server 2012 on both WFE / APP (single server) and OfficeWebAPps2012 (DIFFERENT SERVERS), and SharePoint 2013 Enterprise Edition is August 2013 CU.  I also have EnableEdit (True) for the PowerShell command.


    • Edited by Matthew Carter Thursday, October 24, 2013 5:12 PM Added server info.
    Thursday, October 24, 2013 5:11 PM
  • I have seen the same issue in our environment. I solved it by putting the name of the web apps and the name of the Office Web Apps server and their IP addresses in the host file of the SharePoint WFE and app servers. We already had this information in DNS in Active Directory, but putting the IP address of the web apps in the host file solved it. Also see if putting the web apps for SharePoint in the trusted sites in IE helps you.
    Thursday, November 21, 2013 5:18 PM
  • Hi there

    I am getting the same error. I followed the instructions per the MS TechNet article. Did you resolve it, Hubert?

    I am using http for binding in the test environment. The claims to windows token service is running. OWA server is showing Healthy. I am able to ping the discovery xml. What am I missing?

    Help please.


    Khushi

    Tuesday, April 1, 2014 7:29 PM
  • Done the DNS part 

    Still I can see the live preview at the document library level - but in the result page in the search center - I get no preview...

    Anyone?  

    Friday, April 4, 2014 11:35 AM
  • If you are using Http rather than https, did you do 

    -AllowHttp

    when you set it up? On both ends - when building the OWA server and when doing the

    New-SPWOPIBinding -ServerName <WacServerName> -AllowHTTP

    It's also worth checking you have a certificate on the OWA server with the Fully name in the "SAN" field - lots of people miss that little gotcha.

    Have a look at this blog post for more ideas (including zones):

    http://www.c-sharpcorner.com/UploadFile/Roji.Joy/configure-office-web-apps-for-sharepoint-2013-part-ii/



    Monday, April 7, 2014 5:00 PM
  • Yes to the allow http - it works fine within the document library - but not on the results page.

    What about the "It's also worth checking you have a certificate on the OWA server"?

    can you elaborate on this?

    • Edited by JmATK Monday, April 7, 2014 7:43 PM
    Monday, April 7, 2014 7:39 PM
  • Sorry, something up with my editor.  Yes, worth checking that you have an SSL certificate on your OWA server which includes the Fully Qualified Name of the server in the "Subject Alternate Access" field, and that you have imported that certificate into your SharePoint server.

    It shouldn't make a difference, but it won't hurt.  You can generate a certificate yourself on Server 2012 using

    New-SelfSignedCertificate -DnsName yourdomain, internaldomain, internetalIP

    Can you try with Chrome instead of IE to see if there is a better error message?


    Tuesday, April 8, 2014 12:56 PM
  • Hi Peter - I did allow http. I am not just unable to preview, I couldn't even open the document. It's giving the same error when I checked with the correlation ID. Note: we had upgraded from 2010. It is not a fresh site. I created a new web application and got the same error there too. Also, I have confusion about the certificate. I was under the impression that we need to configure the certificate if it is an https environment. Do the above commands need to be performed even if we are using http?

    Regards,

    Khushi


    Khushi

    Tuesday, April 8, 2014 3:41 PM
  • Correct to certificates, however, as it costs nothing to create a self-signed one I would be inclined to do so since it eliminates one potential hidden glitch.

    What errors do you have in your regular event log?

    Tuesday, April 8, 2014 3:47 PM
  • There are no errors in the Windows log. I can see the below error in ULS.

    Name=Request (GET:<Error>/_layouts/15/WopiFrame.aspx?sourcedoc=/IS%20Documents/Intranet%20FAQs.doc&action=default)
    Non-OAuth request. IsAuthenticated=True, UserIdentityName=0#.w|<DomainName>\<UserName>, ClaimsCount=26
    Site=/
    SPShareByLinkHandler.Initialize : Not a ShareByLink request - missing access token
    SPShareByLinkHandler.Initialize : Not a ShareByLink request - missing access token
    Exception occurred while creating an SPIdentityContext from SPUserToken '374fb4d80000000034000000efeeebea030000000c00000000000000dfdedbda0100000000000000010100000000000000000000'. System.NotSupportedException: Can not create an identity context for system account user token.     at Microsoft.SharePoint.IdentityModel.SPIdentityContext.Create(SPUserToken token, Boolean isShareByLinkGuestUser) StackTrace:  at onetnative.dll: (sig=6aba1f5f-ccc4-4590-af00-b8ffe7fe99a0|2|onetnative.pdb, offset=28BE6) at onetnative.dll: (offset=152A9)
    Watson bucket parameters: Microsoft SharePoint Foundation 4, ULSException14, 269cd32d "sharepoint foundation", 0f001144 "15.0.4420.0", 1f65804a "microsoft.sharepoint", 0f001144 "15.0.4420.0", 506723c5 "sat sep 29 11:37:25 2012", 0000a264 "0000a264", 00000036 "00000036", 760a1423 "notsupportedexception", 0025a392 "aj0os"
    [Forced due to logging gap, cached @ 03/18/2014 14:23:35.73, Original Level: Verbose] Issuing loopback token for SPUser for endpoint '{0}'.
    WOPIFrame - Unhandled exception: System.NotSupportedException: Can not create an identity context for system account user token.     at Microsoft.SharePoint.IdentityModel.SPIdentityContext.Create(SPUserToken token, Boolean isShareByLinkGuestUser)     at Microsoft.SharePoint.IdentityModel.SPIdentityContext.Create(SPUser user)     at Microsoft.SharePoint.IdentityModel.OAuth2.SPOAuth2SecurityTokenManager.IssueLoopbackTokenString(Uri endpointAddress, SPUser user, String applicationContext, DateTime& validTo)     at Microsoft.SharePoint.Utilities.SPWOPIHost.GetAccessToken(SPWeb web, Guid uniqueId, String proofKeyId, SPUrlZone zone, SPBasePermissions perms, Boolean hasEditLicense, Int64& ttl)     at Microsoft.SharePoint.Utilities.SPWOPIHost.GetAccessToken(SPFile file, String proofKeyId, SPUrlZone zone, Int64& ttl)     at Microsoft.SharePoint.Utilities.SPWOPIHost.GetWOPITargetInternal(HttpContext httpContext, SPWeb web, Object& spPrimeObject, SPWOPIAction& requestedAction, SPRegionalSettings spSettings, String& wopiAppUrl, String& wopiFavIconUrl, String& wopiAccessToken, Int64& wopiAccessTokenTtl, String& errorMessageToDisplay, String& redirectUrl)     at Microsoft.SharePoint.ApplicationPages.WOPIFrameHelper.OnLoadHelper(WOPIFrame frame)     at Microsoft.SharePoint.ApplicationPages.WOPIFrameHelper.OnLoad(WOPIFrame frame)
    [Forced due to logging gap, Original Level: Verbose] desiredVersion: {0}
    An error has occurred on the server.
    Leaving Monitored Scope (Request (GET:http://<SiteUrl>/_layouts/15/WopiFrame.aspx?sourcedoc=/IS%20Documents/Intranet%20FAQs.doc&action=default)). Execution Time=256.644350050076

    Thanks,


    Khushi

    Tuesday, April 8, 2014 7:58 PM
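
    One way to read ULS excerpts like the two posted above, added here as an example that is not part of any post in this thread: group lines by their trailing correlation ID and separate the "missing access token" line from an actual exception. The function name Get-WopiRequestSummary, the host sp.example.test and the sample lines are constructed for illustration, modelled on the messages quoted in the thread.

```powershell
# Constructed sample lines; the trailing GUID is the ULS correlation ID.
$sample = @(
    'Name=Request (GET:http://sp.example.test/_layouts/15/WopiFrame.aspx?sourcedoc=/Docs/a.docx&action=default) 11111111-1111-1111-1111-111111111111'
    'SPShareByLinkHandler.Initialize : Not a ShareByLink request - missing access token 11111111-1111-1111-1111-111111111111'
    'WOPIFrame - Unhandled exception: System.NotSupportedException: Can not create an identity context for system account user token. 11111111-1111-1111-1111-111111111111'
    'Name=Request (GET:http://sp.example.test/_layouts/15/WopiFrame.aspx?sourcedoc=/Docs/b.docx&action=default) 22222222-2222-2222-2222-222222222222'
    'SPShareByLinkHandler.Initialize : Not a ShareByLink request - missing access token 22222222-2222-2222-2222-222222222222'
    "Self-issued token request for 'wopi/sp.example.test@00000000-0000-0000-0000-000000000000' succeeded. 22222222-2222-2222-2222-222222222222"
)

function Get-WopiRequestSummary {
    param([Parameter(Mandatory = $true)][string[]]$Line)

    # Split each line into message text and the correlation ID at its end.
    $pattern = '^(?<msg>.*?)\s+(?<cid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\s*$'
    $parsed = foreach ($l in $Line) {
        if ($l -match $pattern) {
            [pscustomobject]@{ CorrelationId = $Matches['cid']; Message = $Matches['msg'] }
        }
    }

    # One summary row per request (per correlation ID).
    foreach ($g in ($parsed | Group-Object CorrelationId)) {
        $msgs = @($g.Group | ForEach-Object { $_.Message })
        [pscustomobject]@{
            CorrelationId   = $g.Name
            IsWopiFrame     = [bool]($msgs -match 'WopiFrame\.aspx')
            ShareByLinkLine = [bool]($msgs -match 'Not a ShareByLink request')
            TokenIssued     = [bool]($msgs -match 'Self-issued token request .* succeeded')
            FirstException  = $msgs -match 'exception' | Select-Object -First 1
        }
    }
}

# Both sample requests carry the ShareByLink line; only the first has an exception.
Get-WopiRequestSummary -Line $sample | Format-List
```

    In the constructed sample the ShareByLink line appears for both requests, so it does not distinguish the failing one; the exception text does.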
  • Was this ever solved? I'm having the same issues as Khushi.
    Tuesday, February 17, 2015 9:14 PM
  • No Beth. I never got it working.

    Regards,


    Khushi

    Tuesday, February 17, 2015 9:22 PM
  • We are experiencing the same issue over http. Has anyone found a solution?

    Collin

    Wednesday, March 11, 2015 12:55 PM
  • Try this article from Wictor Wilen (this guy is a genius !!) on how to set up OWA:

    http://www.askwictor.com/spc14-scripts-for-mastering-office-web-apps-2013-operations-and-deployments

    Hope this helps.

    Thanks

    • Proposed as answer by JmATK Sunday, March 15, 2015 7:34 AM
    Wednesday, March 11, 2015 5:01 PM
  • Hello.

    I have the same error =) BUT! Here is what I found for me:

    I have this error only if I use the admin farm account. If I use another domain user account everything is OK... I don't know why....

    Tuesday, August 11, 2015 9:15 AM
  • It is by design that it will not work for the admin farm account. It'll work only for normal domain user accounts.

    Hope this clarifies.


    Thanks Mohit

    Tuesday, August 11, 2015 9:20 AM
  • Thanks for reply!
    Tuesday, August 11, 2015 10:10 AM
  • Please find below the steps to overcome this error:

    After installation of OWA (Office Web Apps), please do these steps:

    1. Open a Windows PowerShell prompt and run this command on the OWA server (New-OfficeWebAppsFarm -InternalURL "http://OWAServerName" -AllowHttp -EditingEnabled)

    2. Now connect to the SharePoint server and open the SharePoint 2013 Management Shell. Enter this command (New-SPWOPIBinding -ServerName OWAServerName -AllowHTTP)

    3. Verify the WOPI zone with this Windows PowerShell command on the OWA server: "Get-SPWOPIZone".

    4. If the WOPI zone is "Internal-https", replace it with this PowerShell command (Set-SPWOPIZone -zone "internal-http").

    5. Verify the WOPI zone again with this Windows PowerShell command on the OWA server: "Get-SPWOPIZone". It should be "Internal-http".

    6. Verify OAuth over HTTP with this Windows PowerShell command: (Get-SPSecurityTokenServiceConfig).AllowOAuthOverHttp. If it's showing "False" then run this command to set it to "True".
    $config = (Get-SPSecurityTokenServiceConfig)
    $config.AllowOAuthOverHttp = $true
    $config.Update()
    Now verify again by running this command ((Get-SPSecurityTokenServiceConfig).AllowOAuthOverHttp).

    7. Verify the "Claims to Windows Token Service" is running on the SharePoint server.

    8. Verify the "Net.Pipe Listener Adapter" service is running on the SharePoint server.

    9. Now upload any document to the SharePoint site and view it in the browser.


    I have successfully installed and configured OWA this way, and it is showing all Office documents in the browser without any error...!!!



    Monday, September 14, 2015 10:32 AM
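
    A read-only check of the settings the steps above touch, added here as an example that is not part of the post or of any Microsoft script. It runs in the SharePoint 2013 Management Shell on a SharePoint server (the Get-SP* cmdlets are SharePoint cmdlets) and flags the HTTP relaxations, which send OAuth and WOPI access tokens unencrypted and belong in test environments only. The function name Get-WopiHttpExposure is hypothetical; c2wts and NetPipeActivator are the service names of the two services named in steps 7 and 8.

```powershell
# Added example: reads configuration only and changes nothing.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-WopiHttpExposure {
    # WOPI zone: internal-http / external-http means WOPI requests,
    # including their access tokens, are sent without TLS.
    $zone = [string](Get-SPWOPIZone)
    [pscustomobject]@{
        Check = 'WOPI zone'
        Value = $zone
        Flag  = $zone -match '-http$'
    }

    # Security token service: True allows OAuth tokens over plain HTTP.
    $oauthHttp = (Get-SPSecurityTokenServiceConfig).AllowOAuthOverHttp
    [pscustomobject]@{
        Check = 'AllowOAuthOverHttp'
        Value = $oauthHttp
        Flag  = [bool]$oauthHttp
    }

    # Which Office Web Apps server(s) the farm is bound to (informational).
    $servers = Get-SPWOPIBinding | Select-Object -ExpandProperty ServerName -Unique
    foreach ($s in $servers) {
        [pscustomobject]@{ Check = 'WOPI binding server'; Value = $s; Flag = $false }
    }

    # Services the thread asks to verify; flagged when not running.
    foreach ($name in 'c2wts', 'NetPipeActivator') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $status = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        [pscustomobject]@{
            Check = "Service $name"
            Value = $status
            Flag  = $status -ne 'Running'
        }
    }

    # Replies in this thread report that viewing fails for the farm admin
    # account, so test document viewing with a different user than this one.
    [pscustomobject]@{
        Check = 'Farm account'
        Value = (Get-SPFarm).DefaultServiceAccount.Name
        Flag  = $false
    }
}

Get-WopiHttpExposure | Format-Table -AutoSize
```

    On a production farm the first two rows should come back unflagged, with the zone ending in https and AllowOAuthOverHttp set to False.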
  • Ha! Old post, but thanks Andrew N. ! Just goes to show that sometimes it's worth digging down through all of the posts, not just the answer.
    Wednesday, February 15, 2017 3:34 PM
  • If we use Farm Admin or any service account, the functionality will not work.

    Please use any user account to test.


    Rajesh

    Monday, May 27, 2019 9:25 AM
  • If you are using any system account, it would not work.

    Use a user account and it would work.

    Monday, December 2, 2019 9:30 AM