Troubleshooting SharePoint connectivity

This article contains information on all known connectivity problems related to SharePoint servers (both SharePoint Online and its on-premises version) as well as possible solutions.

Problems with configuring a connection to SharePoint Online

When configuring a connection to SharePoint Online, in the last step of the SharePoint Server connection wizard, CodeTwo Backup tries to enumerate SharePoint site collections and connect to one of them. The program also registers itself in Microsoft Entra ID (Azure Active Directory) of the tenant to which you are configuring the connection (applies only if you chose the Automatic registration option), attempts to authenticate itself with that Entra ID, and checks connections to Microsoft Graph API. If the program fails to perform any of these actions, it will display failure notifications (Fig. 1.).

Fig. 1. Failure notifications shown when configuring a connection to SharePoint Online.

Click the links below to learn about possible causes and solutions for each of these errors.

Failed to connect to SharePoint

Failed to connect to SharePoint using account '<admin_account>'. Make sure that you have entered the account credentials and server URLs correctly.

In case you get this message, double-check the details entered in the Server address and Admin's credentials steps of the connection wizard and try again. If multi-factor authentication is enabled for the provided admin account, make sure to use the app password instead of the regular Office 365 account password. Also, make sure that the admin account is assigned specific roles allowing access to SharePoint content (keep in mind that the propagation of admin rights in Office 365 usually takes some time). Finally, check your internet connection. 

It is also possible that the support for non-modern (legacy) authentication protocols is disabled in your tenant. Enabling it may also solve the problem. Read more below.

Exception: For security reasons DTD is prohibited in this XML document.

This problem is most likely caused by the DNS assistance service (also known as DNS hijacking or DNS redirection) used by your Internet Service Provider (ISP). Suggestions on how to troubleshoot this problem can be found in this Knowledge Base article.

The sign-in name or password does not match one in the Microsoft account system.

You will get this error if you have enabled multi-factor authentication (or Security defaults in the Azure Active Directory admin center) for the admin account used in the SharePoint Server connection wizard. To be able to use that account, you need to generate an app password and use it instead of a regular Office 365 password in the Admin credentials step of the wizard (or disable Security defaults).

Failed to connect to SharePoint. 'center' is an unexpected token. The expected token is '"' or '''. Line 7, position 12.

The most likely causes of the error are as follows:

  • the UPN of the admin account used to connect to SharePoint Online contains special characters, for example - or _, or
  • the admin account has abnormal/non-standard values defined in other properties.

There are two known solutions to the problem:

  • Use the UPN with the default onmicrosoft.com domain name (e.g. [email protected]) to connect to SharePoint Online in CodeTwo Backup.
  • Use another admin account (global admin or SharePoint admin) to configure a SharePoint connection in the program. Preferably, create a fresh account that does not include any problematic configuration or special characters in its UPN.

Failed to connect to SharePoint. Identity Client Runtime Library (IDCRL) did not get a response from the Login server.

You might get this error if the admin account used to configure a connection to SharePoint Online has MFA enabled and legacy authentication protocols are disabled in your Microsoft 365 tenant (these protocols are disabled by default when Security defaults are enabled in Entra ID / Azure AD). Follow the steps provided in this Knowledge Base article to fix this.

Troubleshooting application registration

Failed to register 'CodeTwo Backup' with tenant '<TenantID>'.

If you see this error, it means that the account provided in the Application registration step of the connection wizard doesn't have enough permissions to register CodeTwo Backup in your Entra ID (Azure AD). Close the SharePoint Server connection wizard, reopen it and use an account with the Global Administrator or Privileged Role Administrator role in the Office 365 tenant to which you want to connect.

Keep in mind that even if this step fails, the CodeTwo Backup SharePoint entry is created in your Entra ID. However, this application is missing the necessary permissions that only a user with either of the above-mentioned roles can grant. Delete this entry by following these steps or grant the necessary admin consent in Azure Active Directory admin center and then configure the SharePoint server connection by following the manual registration path.

Troubleshooting application authentication

ClientId is not a Guid.

The Client ID entered in the Application details step is not valid. A valid GUID has the following form: 12345678-1234-1234-1234-1234567890AB. Double-check the entered Client ID and try again.

The operation was canceled.

This is a timeout error message that you will receive if the provided Client ID is not identified with any application registered in your Entra ID. Provide the correct ID or check if the application under that ID still exists in the Entra ID. 

Tenant '<Tenant ID>' not found.

Make sure you have entered the correct Tenant ID of your Office 365 tenant. The Tenant ID (or Directory ID) can be found in the Microsoft Entra admin center – simply navigate to Identity > Overview. The Tenant ID is visible under the name of your company.

The certificate used must have a key size of at least 2048 bits.

This error appears if you have registered CodeTwo Backup manually in your Entra ID and used a certificate that contains a key that is shorter than 2048 bits. Use a different certificate that uses the necessary key or generate a client secret instead. 

The wrong application (public or confidential) is being used with this authentication flow. 

You will get this error if you enter an incorrect Certificate thumbprint / Client secret (app password) in the Application details step, if that certificate / client secret no longer exists in your Entra ID, or if it has expired.

You can also try the following solutions:

  • synchronize the time on the machine where CodeTwo Backup is installed with a time server,
  • use the Client secret credential instead of Certificate thumbprint if you registered the CodeTwo Backup application in Entra ID manually.
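
The format and key-size errors in this section can be caught before the wizard is run. The following is an added example, not CodeTwo's code: the function name Test-AppRegistrationInput, its parameters, and the use of an exported public certificate file (.cer) are assumptions.

```powershell
# Added example: pre-check the values typed into the Application details step.
# Test-AppRegistrationInput and its parameters are hypothetical names.
function Test-AppRegistrationInput {
    param(
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $TenantId,
        [string] $CertificatePath   # optional: exported public certificate (.cer)
    )
    $parsed = [guid]::Empty

    # "ClientId is not a Guid.": expected form 12345678-1234-1234-1234-1234567890AB.
    # Trim() removes whitespace that is easily pasted along with the value.
    if (-not [guid]::TryParseExact($ClientId.Trim(), 'D', [ref] $parsed)) {
        "Client ID '$ClientId' is not a GUID."
    }
    # The Tenant ID (Directory ID) is a GUID of the same form.
    if (-not [guid]::TryParseExact($TenantId.Trim(), 'D', [ref] $parsed)) {
        "Tenant ID '$TenantId' is not a GUID."
    }

    if ($CertificatePath) {
        $file = (Resolve-Path -LiteralPath $CertificatePath).ProviderPath
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)

        # "The certificate used must have a key size of at least 2048 bits."
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        if ($null -eq $rsa) {
            'Certificate has no RSA public key; key size was not checked.'
        } elseif ($rsa.KeySize -lt 2048) {
            "Certificate key is $($rsa.KeySize) bits; at least 2048 are required."
        }

        # An expired certificate is one cause of the "wrong application" error.
        $now = Get-Date
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
        }

        # Compare this value with the Certificate thumbprint entered in the wizard.
        Write-Host "Certificate thumbprint: $($cert.Thumbprint)"
    }
}

# Constructed sample values; no output means no problem was found.
Test-AppRegistrationInput -ClientId '12345678-1234-1234-1234-1234567890AB' `
                          -TenantId '12345678-1234-1234-1234-1234567890AB'
```

The function only inspects local input; it does not confirm that the application, certificate or client secret still exists in Entra ID.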

Troubleshooting Graph API connectivity

Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation.

CodeTwo Backup doesn't have the necessary permissions to perform that operation. Make sure to follow these steps in order to grant all the required permissions in your Entra ID.

The wrong application (public or confidential) is being used with this authentication flow.

You will get this error if you enter an incorrect Certificate thumbprint / Client secret (app password) in the Application details step, if that certificate / client secret no longer exists in your Entra ID, or if it has expired.

AADSTS700016: Application with identifier '<Client ID>' was not found in the directory '<Tenant ID>'.

This error occurs if:

  • CodeTwo Backup has been deleted from your Entra ID. If so, make sure to register it again (automatically or manually),
  • you have provided incorrect Client ID and/or Tenant ID in the Application details step of the server connection wizard. Make sure that you have provided correct registration details and try again,
  • the application has just been registered, but not all changes have been propagated in your Entra ID. Wait a while and try configuring the connection again (in the server configuration wizard, click Back, then Next to return to the Configuration step and click Configure).

User '<admin_account>' could not be found on the server. Make sure to register CodeTwo Backup in Azure Active Directory of the same tenant as provided on the 'Server address' page of this connection wizard.

You will get this error if the SharePoint server URL provided in the Server address step points to a different Office 365 tenant than the credentials used in the Application registration (automatic registration) or Application details (manual registration) step.

Problems with configuring a connection to on-premises SharePoint server

When configuring a connection to the on-premises SharePoint server, in the last step of the SharePoint Server connection wizard the program tries to enumerate site collections with PowerShell and connect to any SharePoint site collections and Admin service. If the program fails to perform any of these actions, it will display failure notifications, as shown in Fig. 2. below:

Fig. 2. Failure notifications shown when configuring a connection to the on-premises SharePoint server.

The examples below show the most common error messages:

Failed to connect to SharePoint using account '<admin_account>'. Make sure you have entered the account credentials and server URLs correctly.

In case you get this message, double-check the details entered in the Server address and Admin's credentials steps of the connection wizard and try again. Also, make sure that the admin account has all the necessary roles and permissions assigned. Finally, check your internet connection. 

Failed to connect to Central Administration service. Make sure that you have entered its URL correctly.

Go back to the Server address step of the wizard and check if the URL address entered in the Central Administration URL field is correct. Keep in mind that it is filled automatically based on the entered SharePoint Server URL; however, you need to provide the port number manually. 

Other known SharePoint connectivity problems

Below are some of the most common errors that may appear when configuring various jobs in CodeTwo Backup.

The term 'Get-UnifiedGroup' is not recognized as the name of a cmdlet, function, script file, or operable program.

You may get this error while configuring a SharePoint backup job and trying to list team sites. Try to reconfigure your connection to SharePoint Online. Also, make sure that the admin account used to connect to your SharePoint server is assigned at least the SharePoint administrator role (learn more).

Important

Keep in mind that the propagation of admin rights in Office 365 usually takes some time. The attempt to list SharePoint sites immediately after assigning the appropriate role may fail (you’ll get the same error message). Try configuring a backup job later.

Cannot contact web site '<site URL>' or the web site does not support SharePoint Online credentials.

You may receive this error in the SharePoint restore job wizard while attempting to create a new site collection or map users, groups, or permission levels. This happens when the use of non-modern (legacy) authentication protocols is disabled in your SharePoint Online environment. When disabled, the -Credential parameter used by CodeTwo Backup to connect to SharePoint Online via PowerShell is blocked.

Additionally, connections to SharePoint Online from CodeTwo Backup may be blocked by the feature which permits guests / external users to log in with an account that has been included in the original invitation message only.

To fix the authentication-related connectivity problems, you need to enable the support for non-modern authentication protocols and disable the feature described in the paragraph above by using either SharePoint Online Management Shell or the SharePoint Online admin center.

Warning

It may take up to 24 hours for changes to take effect.

Resolving authentication-related connectivity problems using SharePoint Online Management Shell

  1. Open the SharePoint Online Management Shell command prompt.
  2. Connect to your SharePoint Online by using the following command:
    Connect-SPOService -Url https://<organization>-admin.sharepoint.com
    where <organization> is the organization (tenant) name set in Office 365.
  3. Run the following cmdlets:
    Set-SPOTenant -LegacyAuthProtocolsEnabled $True
    Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $False

For a more detailed description of the procedure, refer to this article.
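
Both cmdlets in step 3 change tenant-wide settings, so it is useful to record the previous values and confirm the result. The following is an added example, not CodeTwo's code: the snapshot file name and the function Restore-SpoAuthSettings are assumptions, and <organization> is the same placeholder as in step 2.

```powershell
# Added example: apply step 3 while keeping a record of the previous values.
# <organization> is the tenant name, as in step 2 of the procedure.
Connect-SPOService -Url 'https://<organization>-admin.sharepoint.com'

# The two tenant properties that the procedure changes.
$settings = 'LegacyAuthProtocolsEnabled', 'RequireAcceptingAccountMatchInvitedAccount'

# Save the current values to a file (hypothetical name) before changing anything.
$snapshot = ".\spo-auth-settings-$(Get-Date -Format 'yyyyMMdd-HHmmss').xml"
$before = Get-SPOTenant | Select-Object -Property $settings
$before | Export-Clixml -Path $snapshot
$before | Format-List

# Change only the settings that differ from what the procedure requires.
if (-not $before.LegacyAuthProtocolsEnabled) {
    Set-SPOTenant -LegacyAuthProtocolsEnabled $true
}
if ($before.RequireAcceptingAccountMatchInvitedAccount) {
    Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $false
}

# Show what the tenant reports after the change.
Get-SPOTenant | Select-Object -Property $settings | Format-List

# Hypothetical helper: put back the values recorded in a snapshot file.
function Restore-SpoAuthSettings {
    param([Parameter(Mandatory)] [string] $Path)
    $saved = Import-Clixml -Path $Path
    Set-SPOTenant -LegacyAuthProtocolsEnabled $saved.LegacyAuthProtocolsEnabled
    Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $saved.RequireAcceptingAccountMatchInvitedAccount
}
```

Get-SPOTenant shows the stored values immediately, while the change itself may take up to 24 hours to take effect, as noted above.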

Resolving authentication-related connectivity problems using the SharePoint Online admin center

  1. Log in to Office 365 and click Admin to open Microsoft 365 admin center (Office 365 admin center).
  2. In the left pane, expand Admin centers and click SharePoint (Fig. 3.). The SharePoint Online admin center main page should open.

Fig. 3. Opening the SharePoint admin center.

  3. To enable the support for non-modern authentication protocols, go to Policies > Access control in the navigation menu on the left and click Apps that don't use modern authentication. Next, choose Allow access and click Save to save your changes (Fig. 4.).

Fig. 4. Enabling non-modern authentication protocols.

  4. Finally, to disable the feature preventing guest users from logging in with an account not included in a sharing invitation message, go to Policies > Sharing in the navigation menu on the left. Next, on the page that opens, expand additional settings by clicking More external sharing settings. Once the settings are displayed, clear the check-box next to Guests must sign in using the same account to which sharing invitations are sent (Fig. 5.). Click Save at the bottom of the settings page to save your changes.

Fig. 5. Disabling the feature allowing guest users to log in with the account included in an invitation only.

Failed to list <SharePoint object> from the target server. Make sure that you properly defined the SharePoint connection and that the administrator's account used in the connection has sufficient access rights.

The <SharePoint object> may refer to site collections, team sites, or OneDrive for Business sites. This error usually appears when listing SharePoint objects in the backup or restore jobs. Try reconfiguring the connection to your SharePoint server.

Also double-check that the admin account used to establish the connection to your SharePoint server has all the necessary roles and permissions assigned.

Access denied. You do not have permission to perform this action or access this resource.

This error may occur while restoring SharePoint lists to SharePoint Online. To fix this problem, you need to allow custom script in your SharePoint Online tenant. Find out how to do so here.

Problem not solved?

If you can't find the solution to your problem, try searching our Knowledge Base.

If you still need help, contact our Customer Service. We know our products inside out.
