InfoPath 2013 - UserProfileService.asmx and AllowAnonymousImpersonation

We often get feedback from InfoPath 2013 form users that they receive the well-known "5566" error when they load a form that has a data connection to UserProfileService.asmx. In these cases, Secure Store Service has already been configured on their SharePoint farm.

On careful analysis of the ULS logs, we see the following set of events:

<Date> <Time> w3wp.exe (0x56B4) 0x5C90 SharePoint Foundation Claims Authentication af32k Verbose Claims Windows Sign-In: Sending 401 for request 'https://<URL>/sites/<SiteCol>/_vti_bin/UserProfileService.asmx' because the user is not authenticated and resource requires authentication. 75ac479d-f749-e02e-50c3-3b02e00ebc1a

<Date> <Time> w3wp.exe (0x56B4) 0x5C90 SharePoint Foundation General b6p2 VerboseEx Sending HTTP response 401 - text/plain:401 UNAUTHORIZED. 75ac479d-f749-e02e-50c3-3b02e00ebc1a

Upon further investigation, we identified that the user was being treated as an anonymous user. To make it a normal authenticated user, we have to disable the setting below in the web.config of the respective web application:

<appSettings>
    <add key="aspnet:AllowAnonymousImpersonation" value="false" />
</appSettings>

OR disable "Anonymous Access" at the IIS level for the web application on the SharePoint server.

However, from the InfoPath application perspective, we cannot comment on the implications of these changes at the SharePoint application level.
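One way to confirm which state a given web.config is in before and after the change, shown as an added example that is not part of the original article. The function name `Get-AnonymousImpersonationState` and both sample documents are constructed for illustration; only the `aspnet:AllowAnonymousImpersonation` key comes from the article.

```powershell
# Added example (not from the original article). The function name and the
# two sample documents are constructed for illustration.
function Get-AnonymousImpersonationState {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $WebConfigXml
    )
    $doc   = [xml]$WebConfigXml
    $xpath = "/configuration/appSettings/add[@key='aspnet:AllowAnonymousImpersonation']"
    # If the key appears more than once, report the last occurrence
    # (assumption: later appSettings entries override earlier ones).
    $node = $doc.SelectNodes($xpath) | Select-Object -Last 1

    $parsed = $false
    if ($null -eq $node) {
        $state = 'NotSet'        # key absent from <appSettings>
    } elseif (-not [bool]::TryParse($node.GetAttribute('value'), [ref]$parsed)) {
        $state = 'Invalid'       # value missing or not true/false
    } elseif ($parsed) {
        $state = 'Enabled'       # the state the article says to change
    } else {
        $state = 'Disabled'      # the state the article recommends
    }
    [pscustomobject]@{ WebConfig = $Name; AllowAnonymousImpersonation = $state }
}

# Constructed sample: setting still enabled.
$before = @'
<configuration>
  <appSettings>
    <add key="aspnet:AllowAnonymousImpersonation" value="true" />
  </appSettings>
</configuration>
'@

# Constructed sample: setting changed as shown in the article.
$after = @'
<configuration>
  <appSettings>
    <add key="aspnet:AllowAnonymousImpersonation" value="false" />
  </appSettings>
</configuration>
'@

@(
    Get-AnonymousImpersonationState -Name 'sample-before' -WebConfigXml $before
    Get-AnonymousImpersonationState -Name 'sample-after'  -WebConfigXml $after
) | Format-Table -AutoSize
```

To check a real file, pass its content with `Get-Content -Raw` and the path to that web application's web.config as the `-WebConfigXml` argument.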

To resolve this behavior, make sure that the following recommendations are applied.

In the Secure Store Service, the Target Application Type should be "GroupWithTicketing".

GroupWithTicketing:

Used for mapping all the members of one or more groups to a single set of credentials on the external system. It can issue tickets that can later be redeemed for credentials by another account, which is typically a service account. The account that tries to redeem the ticket should be a member of the ticket redeemers of the target application.

Make sure you have the following permissions applied accordingly,

After this, you should be able to consume UserProfileService.asmx in your InfoPath forms.