Saturday, December 10, 2011

Synchronisation issue with SharePoint FBA claims-based

In a SharePoint 2010 extranet I apply a custom membership provider for Forms-Based Authentication. The provider works like a charm: external users are authenticated when logging on with valid credentials, and denied access otherwise.
However, after functioning smoothly for a while, we suddenly encountered the error below when trying to log on via FBA:
[FaultException`1: The context has expired and can no longer be used. (Exception from HRESULT: 0x80090317)]
Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response) +1161205
Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr) +73
Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst) +36
Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo) +26060225
Microsoft.SharePoint.SPSecurityContext.SecurityTokenForFormsAuthentication(Uri context, String membershipProviderName, String roleProviderName, String username, String password) +26063596
Microsoft.SharePoint.IdentityModel.Pages.FormsSignInPage.GetSecurityToken(Login formsSignInControl) +188
Microsoft.SharePoint.IdentityModel.Pages.FormsSignInPage.AuthenticateEventHandler(Object sender, AuthenticateEventArgs formAuthenticateEvent) +123
System.Web.UI.WebControls.Login.AttemptLogin() +152
Logon via Windows authentication had no problem, only the FBA route. Since there had been no software or configuration changes for the custom provider, the cause had to be found at the [SharePoint Farm] infrastructure level. In the Application event log I noticed the following error entry: An exception occurred when trying to issue security token: The context has expired and can no longer be used. (Exception from HRESULT: 0x80090317).
This steered me in the direction of the generic security token handling in the farm, instead of the context of the extranet web application itself. As a first attempt I decided to restart the SecureToken Service Application. And voilà, this was already sufficient: problem resolved. That is, for a while... The problem structurally reappears after a couple of days of minor or no activity in the SharePoint farm. It looks to me like something of a clock timer synchronization issue within the SharePoint farm, which can be prevented for a period by timely 'refreshing' the SecureToken application pool.
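The workaround above can be tied to the event log entry instead of a fixed schedule. The following is an added example, not code from the original post: it looks for the token-issue error in the Application log and, only when it is found, records the Windows Time service status and recycles the pool. The pool name `SecurityTokenServiceApplicationPool` and the 15-minute look-back window are assumptions; adjust them to the farm.

```powershell
# Added example, not from the original post. Run elevated on a SharePoint server.
Import-Module WebAdministration

$poolName = 'SecurityTokenServiceApplicationPool'  # assumption: STS application pool name
$hresult  = '0x80090317'                           # HRESULT quoted in the post
$since    = (Get-Date).AddMinutes(-15)             # assumption: task runs every 15 minutes

# Error-level (Level = 2) Application events whose text matches the failure in the post.
$failures = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; Level = 2; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*issue security token*' -and
                   $_.Message -like "*$hresult*" }

if (-not $failures) {
    Write-Output "No token-issue failures with $hresult since $since."
    return
}

# Get-WinEvent returns newest events first, so index 0 is the latest failure.
Write-Output ("{0} failure(s); most recent at {1}" -f
    @($failures).Count, @($failures)[0].TimeCreated)

# Record the Windows Time service status before recycling, so each recurrence
# leaves evidence for or against the clock synchronization theory.
Write-Output (& w32tm /query /status)

# Recycle the pool if it is running; start it if it is not.
$state = (Get-WebAppPoolState -Name $poolName).Value
if ($state -eq 'Started') {
    Restart-WebAppPool -Name $poolName
} else {
    Start-WebAppPool -Name $poolName
}

$now = (Get-WebAppPoolState -Name $poolName).Value
Write-Output "Pool '$poolName' was '$state' and is now '$now'."
```

Keeping the script's output per run gives a record of how often the failure recurs, which a blind scheduled recycle would hide.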

Friday, December 9, 2011

Exposing business information of SAP workflow via Duet Enterprise

Often a SAP workflow includes specific business data. This data is needed at the decision moments within the workflow to make an informed decision, and is thus also needed within the SharePoint context if the workflow decision step is exposed there via Duet Enterprise workflow handling.
As the default Duet Enterprise workflow handling is a generic set-up, it is evident that it cannot provide direct support for all imaginable and variant occurrences of specific business data. Instead there are hooks in the workflow pipeline in which you can plug in custom extensions for exchanging workflow-specific/contextual data from the SAP backend to the SharePoint frontend. You need to build a custom workflow outbound handler to transfer the contextual SAP business data from the SAP workflow to SharePoint via the Duet Enterprise workflow feature. Herein you have 2 options.

Expose business data in the format of static HTML or XML content

In this approach the additional workflow information is added to the SAP workitem-details (SOSP_TT_WF_RUNTIME_INFO). The Duet Enterprise system dataflow is as follows:
SAP ERP | Outbound handler | Extend or replace the workitem details that are propagated via Duet Enterprise workflow capability, with pre-formatted business content (XML or HTML)
SCL | | No action
SharePoint | Taskform | IF HTML: simple display. IF XML: XSLT transformation, preceding display

Expose business data in the format of XML payload

In this approach the additional workflow information is passed via the XPROP key-value structure delivered with Duet Enterprise workflow handling at the SAP side. The Duet Enterprise system dataflow is as follows:
SAP ERP | Outbound handler | Populate the Duet Enterprise key-value XPROP structure with the required business properties (name => value; e.g. ‘CustomerId’ => ‘02345’). The business property values are retrieved from the SAP workflow container.
SCL | Configuration | Register EACH individual XPROP business property at the associated workflow template
SharePoint | Config | Register EACH individual XPROP business property as external/extended business property at the task definition in the Duet Enterprise workflow subsite
SharePoint | Workflow | Extend the ‘Approval task screen’ to render the additional business data properties [extend standard taskform via SharePoint Designer or via InfoPath]

Decide between the 2 approaches

Both options are viable to expose specific SAP business data to the Microsoft SharePoint and Outlook context. Which is most appropriate depends on the characteristics of the data and on what will be done with it within the Microsoft front-end. If it will only be displayed, it may be best to expose it as a single set of XML or HTML content, and then render it within the UI directly or via XSLT. If the data is also needed within the front-end for additional processing, it is probably better to expose the data properties individually.