Access to Sharepoint 2019 OnPrem Web Services using NodeJS app

Aymeric de Montpellier 96 Reputation points
2020-03-26T17:24:06.64+00:00

Hi

In my company I/T has just set up a new Sharepoint 2019 OnPremise, that is hybrid, using Azure AD for authentication.

I'm a site collection admin for my Sharepoint site collection. Let's say the URL to Sharepoint is https://aymeric.sp.my-company.com (only accessible from inside our network).

When I access this URL I'm automatically redirected to https://login.microsoftonline.com/TENANT-ID/wsfed?wa=wsignin1.0&wtrealm=urn%3aSharepoint%3afederation&wctx=https%3a%2f%2faymeric.sp.my-company.com%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F&wreply=https%3a%2f%2faymeric.sp.my-company.com%2f_trust%2fdefault.aspx&sso_nonce=AQABAAAAAABeAFzDwllzTYGDLh_qYbH87qVvvwM4pLiqYXloFo6Il7_-ry9WsQiAA&client-request-id=8dacdcfb-c68f-4ec2-a3e7-7760cecf3699&mscrid=8dacdcfb-c86f-4ec2-a3e7-7760cecf3699 – I'm automatically identified and redirected back to Sharepoint with the correct profile.

One of my I/T contact gave me the below information:

Now I'm trying to access to Sharepoint Web Services (like https://aymeric.sp.my-company.com/_vti_bin/UserProfileService.asmx or another one) using JavaScript and a Node app (node index.js). I'm using this technique with a Sharepoint 2013 OnProm and I have no issue: I just pass my credentials using https://github.com/s-KaiNet/node-sp-auth and it just works.

If I try to access the SP 2019 Web Services in the browser, it just works too.

But using a Node app with this Sharepoint Hybrid based on Azure AD I cannot find how to pass credentials… What to send? How to authenticate? Do I need to use an Azure AD App to connect to my Sharepoint OnProm? If yes, how to configure? Should I just send an "Authentication" header with a "Bearer" and an access token: if yes, how to get this access token?

Whatever I try (and I tried dozen and dozen of things) I always end with (in best cases) an error 403 "Access denied. You do not have permission to perform this action or access this resource.".

I discussed with my I/T contact and he doesn't know how to help. He told me to use a Sharepoint App of my site collection, and not an Azure App. But if I try to connect with a Sharepoint App I got "AADSTS700016: Application with identifier '2a919657-3f38-43d4-a6ac-3a9f4fdedf9e' was not found in the directory 'TENANT-ID'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant."

Any help would be appreciated.

Thanks

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,360 questions
0 comments No comments
{count} votes

Accepted answer
  1. Aymeric de Montpellier 96 Reputation points
    2020-04-10T13:03:33.517+00:00

    Finally, because I'm not a farm/server admin, my last option was to retrieve the FedAuth cookie that can be used in all requests to be recognized by Sharepoint.

    I've "just" mimicked the browser's behavior by creating a NodeJs script that reproduces all the required steps.

    10 calls including redirection, post form and Kerberos authentication are required to finally get the precious FedAuth cookie.

    0 comments No comments

0 additional answers

Sort by: Most helpful