Azure AD App-Only access to SharePoint using X509 certificate works for REST API, but for SOAP returns 401

Boris Rusinovic 96 Reputation points
2021-02-22T21:21:29.587+00:00

Hello,

I am updating the authentication section for our Java-based ERP integration framework with SharePoint.
Following instructions from https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread I was able to code a Java solution that authenticates successfully with Azure AD and returns a Bearer access_token.
With the token I can invoke the REST API, but the problem is our legacy code that uses the SOAP asmx services.
Any attempt to use the Bearer token with the SOAP API returns 401:

REST:

GET https://<mytenant>.sharepoint.com/sites/Costpoint/_api/lists HTTP/1.1  
User-Agent: Fiddler  
Authorization: Bearer eyJ0eXAiOiJKV1Qi..  
cache-control: no-cache  
Host: <mytenant>.sharepoint.com  
Content-Length: 0  
  
HTTP/1.1 200 OK  
... and everything else as expected...  

SOAP:

POST https://<mytenant>.sharepoint.com/sites/Costpoint/_vti_bin/lists.asmx HTTP/1.1  
User-Agent: Fiddler  
Authorization: Bearer eyJ0eXAiOiJKV1....  
cache-control: no-cache  
Host: <mytenant>.sharepoint.com  
Content-Length: 252  
  
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"   
xmlns:soap="http://schemas.microsoft.com/sharepoint/soap/">  
   <soapenv:Header/>  
   <soapenv:Body>  
      <soap:GetListCollection/>  
   </soapenv:Body>  
</soapenv:Envelope>  



HTTP/1.1 401 Unauthorized  
Cache-Control: private  
Content-Type: application/soap+xml; charset=utf-8  
Server: Microsoft-IIS/10.0  
X-AspNet-Version: 4.0.30319  
SPRequestGuid: 8fdbad9f-d091-0000-9ec5-c9857aa00f5d  
request-id: 8fdbad9f-d091-0000-9ec5-c9857aa00f5d  
MS-CV: n63bj5HQAACexcmFeqAPXQ.0  
Strict-Transport-Security: max-age=31536000  
X-FRAME-OPTIONS: SAMEORIGIN  
SPRequestDuration: 42  
SPIisLatency: 1  
x-ms-suspended-features: features=""  
X-Powered-By: ASP.NET  
MicrosoftSharePointTeamServices: 16.0.0.21010  
X-Content-Type-Options: nosniff  
X-MS-InvokeApp: 1; RequireReadOnly  
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"  
WWW-Authenticate: Bearer realm="8bc2ff57-b5cd-4dba-9e07-cbd2bf6a2990",client_id="00000003-0000-0ff1-ce00-000000000000",trusted_issuers="00000001-0000-0000-c000-000000000000@*,D3776938-3DBA-481F-A652-4BEDFCAB7CD8@*,https://sts.windows.net/*/,00000003-0000-0ff1-ce00-000000000000@90140122-8516-11e1-8eff-49304924019b",authorization_uri="https://login.windows.net/common/oauth2/authorize"  
Date: Mon, 22 Feb 2021 21:01:33 GMT  
Content-Length: 0  

Thank you for your response!

Boris Rusinovic

Microsoft 365 and Office | SharePoint | For business | Windows
Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Amos Wu-MSFT 4,051 Reputation points
    2021-02-23T06:13:58.72+00:00

    SOAP cannot be authenticated with an Azure AD token; we need to authenticate it with SharePoint Claims Authentication.
    References:
    Remote Authentication in SharePoint Online Using Claims-Based Authentication
    Similar issue for your reference:
    https://stackoverflow.com/questions/35502400/sharepoint-office-365-oauth-service-authentication-to-list-asmx


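An added diagnostic sketch, not part of the original thread or of Microsoft's documentation: it parses the `WWW-Authenticate` challenge from the 401 response in the question and compares it with the unverified claims of an access token, which helps tell a token mismatch apart from an endpoint that does not accept the token. The sample token is constructed and unsigned; the function names and the `roles`/`scp` heuristic for app-only tokens are assumptions of this example.

```python
import base64
import fnmatch
import json
import re

# Challenge copied from the 401 response in the question.
CHALLENGE = (
    'Bearer realm="8bc2ff57-b5cd-4dba-9e07-cbd2bf6a2990",'
    'client_id="00000003-0000-0ff1-ce00-000000000000",'
    'trusted_issuers="00000001-0000-0000-c000-000000000000@*,'
    'D3776938-3DBA-481F-A652-4BEDFCAB7CD8@*,https://sts.windows.net/*/,'
    '00000003-0000-0ff1-ce00-000000000000@90140122-8516-11e1-8eff-49304924019b",'
    'authorization_uri="https://login.windows.net/common/oauth2/authorize"'
)

def parse_bearer_challenge(header):
    """Split a Bearer challenge into its key="value" parameters."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    # Match each quoted value as a unit: trusted_issuers itself contains commas.
    return dict(re.findall(r'(\w+)="([^"]*)"', params))

def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def compare(challenge, claims):
    """Compare token claims with the challenge (roles without scp = app-only heuristic)."""
    issuers = challenge.get("trusted_issuers", "").split(",")
    return {
        "issuer_trusted": any(fnmatch.fnmatchcase(claims.get("iss", ""), p) for p in issuers),
        "tenant_matches_realm": claims.get("tid", "").lower() == challenge.get("realm", "").lower(),
        "app_only": "roles" in claims and "scp" not in claims,
    }

def make_sample_token(claims):
    """Build an unsigned, constructed token for the demo (not a real credential)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT", "alg": "none"}), enc(claims), "sig"])

SAMPLE = make_sample_token({  # constructed claims, shaped like an Azure AD app-only token
    "iss": "https://sts.windows.net/8bc2ff57-b5cd-4dba-9e07-cbd2bf6a2990/",
    "tid": "8bc2ff57-b5cd-4dba-9e07-cbd2bf6a2990", "roles": ["Sites.Read.All"],
})
```

Calling `compare(parse_bearer_challenge(CHALLENGE), jwt_claims(SAMPLE))` returns one boolean per check; run it against the real token only on a trusted machine, since the decoded token is still a live credential.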

