Calling external service or external systems with windows authentication from SharePoint Webparts/Pages

This post assumes that the external service or external system (for example SQL Server) accepts Windows authentication and that the SharePoint web application is configured to use claims mode authentication. What follows applies only when both assumptions are met.

You get 401 Unauthorized when you call any external service or system, such as WCF, Web API or SQL Server, from the web part/page. We know that the code inside a web part runs with the permissions of the logged-in user. Say, for example, I have code in a web part that writes to a SharePoint list. If the logged-in user doesn’t have permission, the code fails. This example is mentioned only to emphasize the well-known point that the code runs with the logged-in user's permissions.

When a call is made to external service, I’m not sure which user account is used to authenticate to the service. I couldn’t wrap my head around it in the short time I’ve analyzed the issue. I am curious to know the underpinnings of this authentication and IIS impersonation, so I hope to publish another post on that.

Now to why we get 401 Unauthorized. SharePoint web part code has the claims token of the logged-in user or the app pool account. In claims mode, SharePoint only has the claims token of the user. When it calls the external service, it sends the claims token, but the external service, as stated at the start, accepts only a Windows token. It cannot understand the authentication information it receives, fails to authenticate the caller, and so we see response status code 401.

The root cause also hints at the resolution: we have the claims token of the logged-in user, so convert it to a Windows token and send that token to the service. That is the whole resolution, and in theory the request should now succeed. In claims mode, the WindowsIdentity of the user does not exist because the identity is created as an IClaimsIdentity (that is, in .NET 3.5, an interface that inherits IIdentity). For this reason, the developer must call a special .NET WCF service called C2WTS (Claims to Windows Token Service), which returns a WindowsIdentity that can be used for delegation.

Now let’s see the meat (i.e. the code)

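// Namespaces: System.Threading, System.Security.Principal, System.ServiceModel.Security,
// Microsoft.IdentityModel.Claims, Microsoft.IdentityModel.WindowsTokenService
public static WindowsIdentity GetWindowsIdentityForCurrentClaimUser()
{
    IClaimsIdentity identity = Thread.CurrentPrincipal.Identity as ClaimsIdentity;
    string upn = null;
    if (identity != null)
    {
        // Look for the UPN claim of the logged-in user.
        foreach (var claim in identity.Claims)
            if (StringComparer.Ordinal.Equals(System.IdentityModel.Claims.ClaimTypes.Upn, claim.ClaimType))
                upn = claim.Value;
    }
    WindowsIdentity windowsIdentity = null;
    if (!String.IsNullOrEmpty(upn))
    {
        try
        {
            windowsIdentity = S4UClient.UpnLogon(upn);
        }
        catch (SecurityAccessDeniedException)
        {
            // The calling account is not allowed to use C2WTS; return null.
        }
    }
    return windowsIdentity;
}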

The above method returns WindowsIdentity (windows token). The following is the way to call web service under windows impersonation context.

using (WindowsImpersonationContext ctxt = Utility.GetWindowsIdentityForCurrentClaimUser().Impersonate())
{
    // Call the web service here...
}

OWAS 2013 with SharePoint server 2013

In this post, I would like to discuss how to install OWAS 2013 (Office Web Apps Server) and configure SharePoint Server 2013 to use it.

What do we get with it?
OWAS 2013 is responsible for the document preview and edit in SharePoint server 2013. Besides SharePoint server, OWAS 2013 can be leveraged by Lync 2013 and Exchange 2013.

About OWAS 2013
OWAS 2013 can’t be installed as a service on SharePoint server. It should be installed as a standalone server. No other server products like SQL, SharePoint, Lync, Exchange, and Office etc. should be installed on the same server that OWAS 2013 is installed on. OWAS 2013 can be installed only on Windows server 2012 and 2008 R2. This can’t be installed on Server 2008 (You need R2).

The following is a snapshot taken from TechNet which depicts the steps involved in setting up OWAS and any host that uses it.

Steps to deploy OWAS

Steps to be done on OWAS server
1) OWAS Download and Install
2) Setup OWAS

Steps to be done on SharePoint server
1) Configure with OWAS

OWAS Download and Install
You can download it from the link below and follow the instructions mentioned there. Installation is pretty simple.

Setup OWAS
The following PowerShell cmdlets help you create Office Web apps farm once OWAS server is installed.
Use either of the following two cmdlets. Use Https cmdlet if you want that support.

New-OfficeWebAppsFarm –InternalURL "" –AllowHttp –EditingEnabled   # FQDN of server

New-OfficeWebAppsFarm -InternalUrl "" -ExternalUrl "" -CertificateName "SpWorksOWAS" –EditingEnabled

If Windows PowerShell doesn’t recognize “New-OfficeWebAppsFarm” cmdlet, you need to import the corresponding module by running the following command.
Import-Module –Name “OfficeWebApps”

Before you proceed to SharePoint server verify that OWAS is working with the following url.
http://servername/hosting/discovery (server name is the “internal url” given when setting up Office Web Apps server). If OWAS is properly configured, you’ll see the following xml.

SharePoint Server configuration with OWAS
Run the SharePoint Management shell as administrator.
Run the following commands.
The following command helps set the WOPI binding with OWAS
New-SPWOPIBinding -ServerName ""

Set the SPWOPIZone to internal-http


Set-SPWOPIZone -zone "internal-http"


# Needed because SharePoint talks to OWAS over HTTP (internal-http zone)
$config = (Get-SPSecurityTokenServiceConfig)
$config.AllowOAuthOverHttp = $true
$config.Update()

Now SharePoint document preview and editing should be working.

Plan Office Web Apps Server

Configure OWAS for SharePoint 2013

Deploy OWAS

Introduction to PowerShell in SharePoint

We all know the importance of PowerShell in SharePoint. For SharePoint developers and Administrators PowerShell has become a compulsory skill to have. I am trying to put some of the frequently used PowerShell cmdlets in this post for a quick reference.

If you run these cmdlets in the SharePoint Management Shell, they work as they are. However, if you run them in a plain PowerShell window, you first need to add the SharePoint PowerShell snap-in.

Add-PsSnapin Microsoft.SharePoint.PowerShell

Creating/removing sites :


Eg: New-SPSite http://<sitename>/sites/test -OwnerAlias "DOMAIN\user" -Language 1033

This example creates an English site collection at http://<sitename>/sites/test that is owned by user DOMAIN\user.


Eg:  New-SPWeb http://somesite/subweb1 -Template "STS#0"

This example creates a new subsite by using the Team Site template at the provided URL (http://somesite/subweb1). The Team Site template is a value referenced as the variable STS#0 for the Template parameter.


Eg: Remove-SPSite -Identity "http://sitename" -GradualDelete -Confirm:$False

This example removes the given site collection and all included sites by using GradualDelete; confirmation has been suppressed. If you want to delete a site collection right away without putting it into the deletion queue, use PowerShell with the GradualDelete = false option.

Eg: Remove-SPSite -Identity "http://sitename" –GradualDelete:$False


Eg: Remove-SPWeb http://sitename/subsite

This example completely deletes a subsite. Deleting the top level Web site of a site collection causes the entire site collection to be removed.

SharePoint solution packages (wsp) : 


Eg: Add-SPSolution “C:\SPSolutions\CustomSolution.wsp”


Eg: Install-SPSolution –Identity MySharePointSolution.wsp –WebApplication  http://webapp –GACDeployment


Eg: Update-SPSolution –Identity customsolution.wsp –LiteralPath “C:\SPSolutions\CustomSolution.wsp” –GacDeployment


Eg: Uninstall-SPSolution –Identity CustomSolution.wsp –WebApplication  http://webapp


Eg: Remove-SPSolution –Identity  CustomSolution.wsp

SharePoint Features:


Eg: Enable-SPFeature -identity "CustomFeature" -URL http://somesite

This example enables the “CustomFeature” site scoped SharePoint Feature at http://somesite. The Enable-SPFeature cmdlet enables an installed feature at the given scope. If the feature is a farm feature, no URL is needed. Otherwise, provide the URL where the feature is to be enabled and it will be enabled at the proper scope based on the Feature definition.


Eg: Disable-SPFeature -identity "CustomFeature" -URL http://somesite
This example disables the “CustomFeature” Web site scoped feature at http://somesite.


Eg: Get-SPFeature -Limit ALL | Where-Object {$_.Scope -eq "SITE"} 
This example returns a list of all installed site scoped Features.

SharePoint Services:


The Get-SPServiceInstance cmdlet returns the service instance specified by the Identity parameter for a specific server. If the Server parameter is not specified, the Get-SPServiceInstance cmdlet returns results for the entire farm.

Eg: Get-SPServiceInstance -Server ServerA
Eg: Get-SPServiceInstance -Identity GUID


Eg: Start-SPServiceInstance 67877d63-bff4-4521-867a-ef4979ba07ce

This example starts the given service instance on the server


Eg: Stop-SPServiceInstance 67877d63-bff4-4521-867a-ef4979ba07ce

This example stops the service instance in the given server.


Eg: Get-SPServiceApplication

This example returns all service applications in the farm

Eg: Get-SPServiceApplication -Identity e2c2be70-6382-4ce7-8a44-ae7dadff5597

This example returns the service application that has the Identity “e2c2be70-6382-4ce7-8a44-ae7dadff5597”.

Eg: Get-SPServiceApplication -Name AccountingServiceApp

This example returns the service application that has the friendly name “AccountingServiceApp”.


Use the Set-SPServiceApplication cmdlet to set various properties of a service application such as the default endpoint, and the application pool used by the service application.


$serviceapp = Get-SPServiceApplication "My Service App"

Set-SPServiceApplication $serviceapp -DefaultEndpoint https

This example sets the default endpoint of the service application to be https.



Caml query error… one or more field types are not installed properly

This error message is misleading. When we get this error, there’s something wrong with our viewxml. I have encountered this error two times. Once it was some extra single quote or missing quote. Second time it was wrong field name. Actually the field name I mentioned in <ViewFields> is not present in the list. If you guys encounter this error on different occasions, please put it in comments.

Remote debugging Azure hosted remote event receiver or SharePoint App

I assume that you have a provider hosted app (Remote event receiver) hosted on Azure and you know how to write remote event receivers. I want to explain here how to debug azure hosted remote event receiver from your VS 2013 (Not sure if this works in VS 2012 without any changes) sitting on your development server.

How to do (In a nutshell)

  • Create Service bus (ACS authenticated) namespace in Azure
  • Specify the connection string of service bus in SharePoint App project properties
  • Attach Debugger to Azure website (Provider hosted app) from Server Explorer inside VS.

How to do (In Detail)

Create Service Bus namespace in Azure

Azure Service Bus helps in remote debugging a provider hosted app and a remote event receiver. So let’s create one in Azure. Wait, there’s a catch here. Azure was recently modified to create SAS (Shared Access Signature) authenticated Service Bus namespaces by default. A SAS authenticated service bus is not compatible with debugging remote event receivers. So we need an Active Directory ACS authenticated service bus. We cannot create it from the Azure portal. However, we can do it from Azure PowerShell. So we need to install Azure PowerShell in our development environment. Download it from here.

Once installed, launch it and follow the steps below.


You’ll be prompted to enter credentials to azure subscription




Lists all your subscriptions for that credentials



Select-azuresubscription “subscription name”

Selects the subscription where you want to create service bus



new-azuresbnamespace “name” “Region” –createacsnamespace $true –namespacetype  Messaging

Creates a service bus namespace. Choose a unique name for the service bus namespace, a region of your choice and the namespace type Messaging. Createacsnamespace $true creates an ACS authenticated instance. On successful creation, you’ll see the details of the service bus namespace. Copy the connection string; we will enter it in the SharePoint app properties.



Changes in SharePoint App properties

Open Properties window of SharePoint app project in VS 2013. Go to SharePoint tab and give the connection string as shown below. Choose enable debugging.

SharePoint App Project Debug properties


Attach Debugger

Open server explorer in VS. Under Azure node, right click your website that hosts provider hosted app/ RER, click attach debugger. I wanted to debug “Item added” event and debug went successfully.

JSLink SharePoint 2013

Introduction :

JSLink is a new JavaScript, HTML and CSS based approach to customize the look of a list view webpart and of SharePoint list forms (New, Edit, View); it controls the rendering of fields as well. JSLink was introduced with SharePoint 2013.

In this article, we’ll learn how to customize the list view webpart rendering with JSLink. The article only scratches the surface, explaining just the basics needed to get the reader started working with JSLink.

The list view that we are going to customize is based on “Tasks” list template. I could have chosen a simple custom list to keep the technical implementation simple; Yet I am convinced with the visually appealing  customization that I can achieve with “% Complete” field in Tasks list. Let’s see first Tasks list with CSR applied and without it.

Without CSR 

Snapshot of List view webpart without JSLink

With CSR 


Simple steps to get this working

  • Custom javascript (This is the file that holds the CSR code)
  • Upload the file to a SharePoint library
  • Set JSLink property of list view webpart

Custom Script with CSR code :

(function () {
    /* 1 */ var overrideCtx = {};
    /* 2 */ overrideCtx.Templates = {};
    /* 3 */ overrideCtx.Templates.Fields = {
        'PercentComplete': { 'View': renderPercentComplete }
    };

    /* 4 */ SPClientTemplates.TemplateManager.RegisterTemplateOverrides(overrideCtx);
})();


Let’s try to understand the code.  In the first three lines, we try to create a Javascript object that helps us customize how the field renders. As we are only interested in customizing a single field (“%Complete”) Fields property of Templates object has reference only to that field.

This Fields property takes the format

“FieldName” : {“Scope” : Override}

FieldName  – Internal name of the field

Scope  – When to override it. Allowed values are “View” , “DisplayForm”, “EditForm”, “NewForm”.

Override – text/html value . This can be a function that returns text/html.

It’s the fourth line that registers the overriding context object (overrideCtx) with TemplateManager.

In this case I chose to use a function that basically returns an html markup. This markup returned will replace the field value.

function renderPercentComplete(ctx) {

    // Raw value of the field being rendered, e.g. "50 %"
    var fieldVal = ctx.CurrentItem[ctx.CurrentFieldSchema.Name];
    var percentComplete = fieldVal.toString().replace(" ", "");
    // Show the percentage text on hover, hide it again on mouse out
    var mouseOver = 'this.childNodes[1].style.display="block";';
    var mouseOut = 'this.childNodes[1].style.display="none";';

    var html = '';
    html += "<div style='width:100%;height:20px;border:1px solid #AEAEAE;position:relative;' ";
    html += "class='csr-progress-container' onmouseover='" + mouseOver + "' onmouseout='" + mouseOut + "'>";
    html += "<div style='background-color:#0072C6;height:100%;width:" + percentComplete + ";'></div>";
    html += "<p style='width:100%;text-align:center;position:absolute;top:0px;left:0px;display:none;margin:0px;'>";
    html += percentComplete;
    html += "</p>";
    html += "</div>";

    return html;
}

One thing to understand here is the function used for customization gets the overrideCtx object which is registered with TemplateManager. You can access lot of information from this object. Now we are good with writing custom javascript. I would say with this we are done with 95 pc of the job. The rest is just uploading and referring it through a webpart property.
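A variant of the renderer above that validates the field value before it is concatenated into markup, so that only a clamped percentage ever reaches the HTML the template returns. This is an added example, not code from the original post; `safePercent`, `renderPercentCompleteSafe` and `sampleCtx` are hypothetical names, and it assumes the field text looks like "50 %".

```javascript
// Added example: not the original post's code.
// safePercent (hypothetical helper) reduces the raw field text to a clamped
// CSS percentage; anything that is not a plain percentage becomes "0%".
function safePercent(raw) {
    var text = String(raw == null ? '' : raw);
    // Accept "50 %", "50%", "1.5 %" or "1,5 %" and nothing else.
    var m = /^\s*(\d{1,3})(?:[.,](\d+))?\s*%?\s*$/.exec(text);
    if (!m) { return '0%'; }
    var n = parseFloat(m[1] + (m[2] ? '.' + m[2] : ''));
    n = Math.min(100, Math.max(0, n));
    return n + '%';
}

// Same progress bar as the post's renderer, without the hover handlers;
// the only dynamic text in the markup is the validated percentage.
function renderPercentCompleteSafe(ctx) {
    var pct = safePercent(ctx.CurrentItem[ctx.CurrentFieldSchema.Name]);
    return "<div class='csr-progress-container' " +
        "style='width:100%;height:20px;border:1px solid #AEAEAE;position:relative;'>" +
        "<div style='background-color:#0072C6;height:100%;width:" + pct + ";'></div>" +
        "<p style='width:100%;text-align:center;position:absolute;top:0;left:0;margin:0;'>" +
        pct + "</p></div>";
}

// Constructed sample context, shaped like the ctx object the template receives.
function sampleCtx(value) {
    return {
        CurrentFieldSchema: { Name: 'PercentComplete' },
        CurrentItem: { PercentComplete: value }
    };
}

// Register only when running inside SharePoint, where SPClientTemplates exists.
if (typeof SPClientTemplates !== 'undefined') {
    SPClientTemplates.TemplateManager.RegisterTemplateOverrides({
        Templates: { Fields: { 'PercentComplete': { 'View': renderPercentCompleteSafe } } }
    });
}
```

The same validation step applies to any field override whose return value is built by string concatenation, since the template's output is inserted into the page as HTML.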

Uploading to Master page Gallery :
We can upload this file to any library but many other articles suggest to do it in master page gallery and Display templates folder. I have tested it uploading to Style Library too. That worked fine.
When you are uploading it to master page gallery, choose Content Type to be “Javascript Display Template”. Target Control type to be “View” in this case, Standalone is “Override” and Target Scope is the relative url of the site to which you want this CSR implementation to be applied. There’s a catch here. I gave two different values to see how this works. One is “/” and other “/sites/ven”, It worked irrespective of what the value is. I don’t know now what’s the reason.

Set JSLINK property of WebPart:

Set JSLink webpart property to the file location of the javascript file.

“~sitecollection/_catalogs/masterpage/Display templates/TasksCSR.js”

But a mere /_catalogs/****/TasksCSR.js doesn’t work. Either of the following SharePoint tokens should be used.






Once you set the property, you should be able to see the result. If you don’t see the result yet, make sure you followed the steps correctly, and happy debugging.