Thursday, September 10, 2015

How to resolve the error "Microsoft.SharePoint.Client.IdcrlException: The sign-in name or password does not match one in the Microsoft account system" when using CSOM for O365/SharePoint Online

One of the easiest ways to communicate with O365 and SharePoint Online is through CSOM code, as described in a previous blog post. The code is extremely easy; however, some people run into the following common error.

Unhandled Exception: Microsoft.SharePoint.Client.IdcrlException: The sign-in name or password does not match one in the Microsoft account system.
   at Microsoft.SharePoint.Client.Idcrl.IdcrlAuth.GetServiceToken(String securityXml, String serviceTarget, String servicePolicy)
   at Microsoft.SharePoint.Client.Idcrl.IdcrlAuth.GetServiceToken(String username, String password, String serviceTarget, String servicePolicy)
   at Microsoft.SharePoint.Client.Idcrl.SharePointOnlineAuthenticationProvider.GetAuthenticationCookie(Uri url, String username, SecureString password, Boolean alwaysThrowOnFailure, EventHandler`1 executingWebRequest)
   at Microsoft.SharePoint.Client.SharePointOnlineCredentials.GetAuthenticationCookie(Uri url, Boolean refresh, Boolean alwaysThrowOnFailure)
   at Microsoft.SharePoint.Client.ClientRuntimeContext.SetupRequestCredential(ClientRuntimeContext context, HttpWebRequest request)
   at Microsoft.SharePoint.Client.SPWebRequestExecutor.GetRequestStream()
   at Microsoft.SharePoint.Client.ClientContext.GetFormDigestInfoPrivate()
   at Microsoft.SharePoint.Client.ClientContext.EnsureFormDigest()
   at Microsoft.SharePoint.Client.ClientContext.ExecuteQuery()
   at CSOM.Example.Program.Main(String[] args)
This error may be intermittent, and you might hit it only when you are not on the corporate network, as people reported here. After debugging this issue, there are several common areas you can check to resolve it quickly.

1. Verify the user name and password directly in the O365 UI. If the account has been disabled or the password has changed, you will see it immediately.

2. Verify whether MFA is enabled for this account if you are using ADFS. MFA is normally enabled for security reasons, with a rule that triggers it when the request comes from a non-trusted source such as a non-company network. This is probably the #1 reason the same code works when the machine is on the corporate network and throws the exception when the machine is undocked. Refer to Microsoft's instructions to disable it for the account if the code needs to run off the corporate network.

3. Verify that you have the latest SharePoint client DLLs. The SharePoint client libraries change between releases, so you might need to upgrade the client library; here is the latest version.

4. An enabled loopback check is a common issue for WCF web services, and you might need to disable it. Disable the loopback check entirely by creating a REG_DWORD named DisableLoopbackCheck under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and setting its value to decimal 1.

This is the list of the most common configurations that might prevent CSOM from communicating with O365/SharePoint Online. The rest of the coding is straightforward.
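The following is an added example, not code from the original post or from Microsoft: a small console program that signs in with SharePointOnlineCredentials, isolates the GetAuthenticationCookie step that fails in the stack trace above, and on IdcrlException prints the four checks from the list, together with the loaded client assembly version (item 3) and the current DisableLoopbackCheck registry value (item 4, read only, never written). The site URL, account name and the CSOM_PASSWORD environment variable name are placeholders.

```csharp
using System;
using System.Security;
using Microsoft.SharePoint.Client;
using Microsoft.Win32;

// Added example (not from the original post): diagnose the IdcrlException
// checklist in code. Compile against Microsoft.SharePoint.Client.dll and
// Microsoft.SharePoint.Client.Runtime.dll. All names below are placeholders.
static class CsomSignInCheck
{
    // Build a read-only SecureString from the plain-text password.
    static SecureString ToSecureString(string plain)
    {
        var secure = new SecureString();
        foreach (char c in plain)
        {
            secure.AppendChar(c);
        }
        secure.MakeReadOnly();
        return secure;
    }

    // Read-only look at the value from item 4; returns null when it is absent.
    // Reading the key does not change the loopback setting.
    static int? ReadDisableLoopbackCheck()
    {
        using (RegistryKey lsa = Registry.LocalMachine.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\Lsa"))
        {
            object value = lsa == null ? null : lsa.GetValue("DisableLoopbackCheck");
            return value is int ? (int?)(int)value : null;
        }
    }

    static int Main(string[] args)
    {
        string siteUrl = "https://contoso.sharepoint.com/sites/example";        // placeholder
        string userName = "svc-csom@contoso.onmicrosoft.com";                  // placeholder
        string password = Environment.GetEnvironmentVariable("CSOM_PASSWORD"); // placeholder variable name
        if (string.IsNullOrEmpty(password))
        {
            Console.Error.WriteLine("Set the CSOM_PASSWORD environment variable before running.");
            return 2;
        }

        var credentials = new SharePointOnlineCredentials(userName, ToSecureString(password));
        try
        {
            // Step 1: request the authentication cookie on its own. This is the
            // GetAuthenticationCookie call in the stack trace, so a failure here is
            // a sign-in problem rather than a problem with the query that follows.
            string cookie = credentials.GetAuthenticationCookie(new Uri(siteUrl));
            Console.WriteLine("Sign-in succeeded; cookie received: {0}", !string.IsNullOrEmpty(cookie));

            // Step 2: run a trivial CSOM query with the same credentials.
            using (var context = new ClientContext(siteUrl))
            {
                context.Credentials = credentials;
                context.Load(context.Web, w => w.Title);
                context.ExecuteQuery();
                Console.WriteLine("Connected to site: {0}", context.Web.Title);
            }
            return 0;
        }
        catch (IdcrlException ex)
        {
            // Same exception as in the post; report the checklist instead of retrying blindly.
            Console.Error.WriteLine("IdcrlException: {0}", ex.Message);
            Console.Error.WriteLine("Checks:");
            Console.Error.WriteLine(" 1. Sign in with this account in the O365 UI: is it disabled, or has the password changed?");
            Console.Error.WriteLine(" 2. Does an MFA/ADFS rule apply to this account when the request comes from outside the corporate network?");
            Console.Error.WriteLine(" 3. Client library version in use: {0} (compare with the latest release)",
                typeof(ClientContext).Assembly.GetName().Version);
            int? loopback = ReadDisableLoopbackCheck();
            Console.Error.WriteLine(" 4. HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\DisableLoopbackCheck = {0}",
                loopback.HasValue ? loopback.Value.ToString() : "(not set)");
            return 1;
        }
    }
}
```

Running the program from a machine on and off the corporate network and comparing which step fails (the cookie request in step 1 versus the query in step 2) narrows the cause to the sign-in itself, which is where items 1 and 2 apply.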
7 comments:

  1. I think that this is because of the issue with the generic lists in PowerShell. Livetiles

  2. This comment has been removed by the author.

  3. Hi Harry,
    Thanks for listing out all the causes behind this issue. However, I have tried all 4 things you listed in the above blog, but I am still getting the same error: "The sign-in name or password does not match one in the Microsoft account system." I am getting the same error from a CSOM PowerShell script and from the C# client-side object model when trying to access the SharePoint Online admin site by using the 'SharePointOnlineCredentials' class. I have also downloaded SharePoint Client DLLs version 16.1.7521.1200. And I have tried an onmicrosoft account with MFA disabled and was able to log in with the same username and password using the browser. I also disabled the loopback check.

  4. I had the same issue but had to ask the system administrator to create a rule to allow legacy authentication, and it works. Hope it helps someone.

    1. This comment has been removed by the author.

    2. Hi Jorge,

      Can you share the steps for the rule with me?

  5. This comment has been removed by the author.
