Channel: TechNet Blogs

InfoPath over Claims Authentication (SharePoint 2010 & 2013)


I hope this document is handy when troubleshooting InfoPath cases under the claims model.

It applies to SPS 2010 as well.

We have 2 things to set up for IPFS in SharePoint 2013, as it is forms based by default.

Step 1:

Create a new Secure Store Service application "APPID" (say, UPASSA).

Update the fields as shown in the picture below (Ticket Timeout depends on your organization's requirements):

If you don't choose Group Ticket as the Target Application Type, no user other than the one whose credentials were stored in the SSS APPID will be able to access the InfoPath form. The "Group Ticket" option lets us specify ticket redeemers, who are usually domain users. If you don't select this option, InfoPath will give you a descriptive error.

Explained: http://msdn.microsoft.com/en-us/library/ee554863(v=office.14).aspx

Update the Secure Store administrator/membership details as shown in the screenshot below (again, as per your organization's requirements):

You have now set up a key store credential that will be used to impersonate the user credentials:

(The Windows user name (Domain\User) and password should be able to access http://Site/_vti_bin/userprofileservice.asmx on the respective site.)

We have completed setting up the Secure Store Service "APPID".

Step 2:

Create a new blank InfoPath form and add a data connection using GetUserProfileByName, UNCHECKING the option below:

Convert the data connection created above (GetUserProfileByName) to a UDCX file by selecting Relative to site collection, and save it in the site's Data Connection Library.

Download a copy, edit the details below, and then upload it to the same library (the Data Connection Library, with the same name). UPASSA is your Secure Store APPID:

<udc:Authentication><udc:SSO AppId="UPASSA" CredentialType="NTLM" /> </udc:Authentication>

Now go to the InfoPath form and, under Data >> Form Load, add the following 2 rules:

We are now all set to use the form with claims authentication.

Design your InfoPath form to pull the user profile information as you wish and publish it to the same site (the same site collection, as we are using a relative data connection).

Troubleshooting:

You are likely to see the issues below if you look at the ULS trace for the correlation ID:

  • A certificate validation operation took 15013.6428 milliseconds and has exceeded the execution time threshold.

    Set the DisableLoopbackCheck value to 1 on all the WFEs (http://support.microsoft.com/kb/896861). Point crl.microsoft.com to 127.0.0.1, and add a HOSTS file entry on each WFE in the farm pointing to itself to avoid the double-hop issue. This applies to all the web applications that host InfoPath Forms Services and make use of the web services.

    Ex: Site: http://site.contoso.com
    Host entry:    127.0.0.1    site.contoso.com

    Run the PowerShell script below to export the SharePoint root certificate:

# Read the farm's root certificate from the SharePoint certificate authority
$rootCertSP = (Get-SPCertificateAuthority).RootCertificate

# Export it (X509ContentType "Cert") and write the raw bytes to a .cer file
$rootCertSP.Export("Cert") | Set-Content C:\rootCertSP.cer -Encoding Byte

    Upload this certificate to the Trusted Root Certification Authorities store of the computer account.
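
A read-only check of the settings from the fix above (DisableLoopbackCheck, the HOSTS entries and the trusted root certificate), as an added example that is not part of the original post. The function name Test-WfeLoopbackSetup is hypothetical and the registry path is the one documented in KB896861; run it on each WFE from the SharePoint Management Shell.

```powershell
# Added example (hypothetical helper): reports the WFE settings, changes nothing.
function Test-WfeLoopbackSetup {
    param([Parameter(Mandatory=$true)][string]$SiteHostName)

    # 1. DisableLoopbackCheck (KB896861) is a value under the Lsa key.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
    $loopbackDisabled = ($lsa -ne $null -and $lsa.DisableLoopbackCheck -eq 1)

    # 2. HOSTS file: collect names that active (non-comment) lines map to 127.0.0.1.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $mapped = @()
    foreach ($line in Get-Content $hostsPath) {
        $fields = ($line -replace '#.*$', '').Trim() -split '\s+'
        if ($fields.Count -ge 2 -and $fields[0] -eq '127.0.0.1') {
            $mapped += $fields[1..($fields.Count - 1)]
        }
    }

    # 3. SharePoint root certificate present in the computer's Trusted Root store.
    $rootTrusted = $null   # stays $null when the SharePoint cmdlets are not loaded
    if (Get-Command Get-SPCertificateAuthority -ErrorAction SilentlyContinue) {
        $thumb = (Get-SPCertificateAuthority).RootCertificate.Thumbprint
        $rootTrusted = Test-Path "Cert:\LocalMachine\Root\$thumb"
    }

    New-Object PSObject -Property @{
        DisableLoopbackCheck = $loopbackDisabled
        SiteInHosts          = ($mapped -contains $SiteHostName)
        CrlInHosts           = ($mapped -contains 'crl.microsoft.com')
        SPRootCertTrusted    = $rootTrusted
    }
}

# 'site.contoso.com' is the sample host name used on this page.
Test-WfeLoopbackSetup -SiteHostName 'site.contoso.com'
```

KB896861 also describes listing individual host names under BackConnectionHostNames, which leaves the loopback check enabled for every other name.
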
  • Data adapter failed during OnLoad: The remote server returned an error: (500) Internal Server Error.  A user with the account name system could not be found. ---> An error was encountered while retrieving the user profile.  UserCannotBeFoundAn error was encountered while retrieving the user profile.

    This happens when the account that you are trying to use is a SYSTEM ACCOUNT (due to the namespace query) or an account that cannot be found.

  • The following data connection (GetUserProfileByName) has exceeded the maximum configured time limit. This threshold can be configured by using the SPIPFormsService -MaxDataConnectionRoundTrip PowerShell commandlet 

 

The following query failed: GetUserProfileByName (User: 0#.w|rajeev\administrator, Form Name: Repro-sp2013, IP: , Connection Target: http://sp2013-1r/DCL/GetUserProfileByName.udcx, Request: http://sp2013-1r/_layouts/15/FormServer.aspx?XsnLocation=http://sp2013-1r/Reprosp2013/Forms/template.xsn&SaveLocation=http://sp2013-1r/Reprosp2013&ClientInstalled=false&DefaultItemOpen=1&Source=http://sp2013-1r/Reprosp2013/Forms/AllItems.aspx, Form ID: urn:schemas-microsoft-com:office:infopath:Repro-sp2013:-myXSD-2013-07-09T06-28-47 Type: DataAdapterException, Exception Message: Authentication information in the UDC file could not be used for this connection because user forms are not allowed to use UDC authentication. To change this settings, use the InfoPath Forms Services configuration page in SharePoint Central Admin.)

 

 

  • Both of the above settings have to be changed on the CA site. Go to the Configure InfoPath Forms Services section, enable "Allow user form templates to use authentication information contained in data connection files", and tweak the Data Connection Timeouts.
  • A UDCX file can be configured with the following authentication methods:

    Sql
    NTLM
    Negotiate
    CD
    Basic
    Digest

    UDCX explained: http://msdn.microsoft.com/en-us/library/ee554863(v=office.14).aspx
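
A check for the two UDCX points above (the SSO element edited in Step 2 and the authentication methods listed here), as an added example that is not part of the original post. The function name Test-UdcxAuthentication is hypothetical and the sample file content is constructed; the credential types are the ones listed on this page.

```powershell
# Constructed sample UDCX content; a real file is downloaded from the Data Connection Library.
$sampleUdcx = @'
<udc:DataSource MajorVersion="2" MinorVersion="0"
    xmlns:udc="http://schemas.microsoft.com/office/infopath/2006/udc">
  <udc:Name>GetUserProfileByName</udc:Name>
  <udc:ConnectionInfo Purpose="ReadOnly">
    <udc:Authentication><udc:SSO AppId="UPASSA" CredentialType="NTLM" /></udc:Authentication>
  </udc:ConnectionInfo>
</udc:DataSource>
'@

# Hypothetical helper: reports whether the SSO element is present and well formed.
function Test-UdcxAuthentication {
    param(
        [Parameter(Mandatory=$true)][string]$UdcxContent,
        [Parameter(Mandatory=$true)][string]$ExpectedAppId
    )
    # Authentication methods as listed on this page.
    $allowedTypes = 'Sql', 'NTLM', 'Negotiate', 'CD', 'Basic', 'Digest'

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($UdcxContent)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('udc', 'http://schemas.microsoft.com/office/infopath/2006/udc')

    $problems = @()
    # XPath only matches live elements, so a commented-out block counts as missing.
    $sso = $doc.SelectSingleNode('//udc:Authentication/udc:SSO', $ns)
    if ($sso -eq $null) {
        $problems += 'No udc:Authentication/udc:SSO element found'
    } else {
        $appId = $sso.GetAttribute('AppId')
        $type  = $sso.GetAttribute('CredentialType')
        if ($appId -ne $ExpectedAppId) {
            $problems += "AppId '$appId' does not match Secure Store APPID '$ExpectedAppId'"
        }
        if ($allowedTypes -notcontains $type) {
            $problems += "CredentialType '$type' is not one of: $($allowedTypes -join ', ')"
        }
    }
    New-Object PSObject -Property @{ Valid = ($problems.Count -eq 0); Problems = $problems }
}

Test-UdcxAuthentication -UdcxContent $sampleUdcx -ExpectedAppId 'UPASSA'
```

To check a real file, pass the downloaded UDCX through `Get-Content` and join the lines into a single string for `-UdcxContent`.
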

 

  • InfoPath also depends on the State Service, and you may see the error below while opening the form:

 

 Form render failed because the user's session was closed StackTrace:

 

at Microsoft.Office.InfoPath.Server.Controls.XmlFormView.RenderForm(HtmlTextWriter writer)

 

at Microsoft.Office.InfoPath.Server.Controls.XmlFormView.RenderContents(HtmlTextWriter writer

 

 

Please check the State Service database and make sure that InfoPath is able to use it. You can get the specific error details from verbose ULS logs.

 

Explained: http://technet.microsoft.com/en-us/library/ee704548(v=office.14).aspx

 

 

 

P.S.: Always try with a user account to test the behavior.

