Tuesday, July 3, 2012

The Windows SharePoint Services adapter runtime does not have permissions to invoke the adapter Web service

I recently was working through a lab integrating BizTalk Server 2010 with SharePoint Server 2010. The idea  was to have an InfoPath form submitted to an http end point. Biztalk would receive the InfoPath form, transform it, and then upload the form to a SharePoint document library.

This would make use of a send port configured to use the SharePoint Services Biztalk Adapter.

However, when I submitted the InfoPath form, it successfully submitted to the HTTP endpoint, but it did not upload to the SharePoint library. Further digging produced the following error:


Error details: The Windows SharePoint Services adapter runtime does not have permissions to invoke the adapter Web service. In order to fix this issue, you have to add the ADVENTUREWORKS\BizTalkHost Windows account to the "SharePoint Enabled Hosts" Windows group on the Windows SharePoint Services machine. This operation will allow BizTalk host instances running under ADVENTUREWORKS\BizTalkHost Windows account to invoke the adapter Web service in order to send and receive messages to or from SharePoint sites. The group membership will not take effect until you restart the BizTalk host instance.


Basically, this error is caused by the fact that when you enable the SharePoint Services BizTalk adapter, it creates a local security group on the server called "SharePoint Enabled Hosts". The account that BizTalk is running under must be a member of this group. Since I was running my lab on a single VM that was also a domain controller, I wasn't able to access the local users and groups using the server management console.

Thanks to Craig Harvey at Reserved Words, I found a very simple and elegant solution. You can edit the web.config file in the virtual directory that the BizTalk web service is running in.

The default authorization tag looks like this:








Change it to look like this:








Once I made this change and restarted the Host Instance, I re submitted the InfoPath form, and got a slightly different error:

The adapter failed to transmit message going to send port "CreditOrdersSharePoint" with URL "wss://biztalkdemo:80/LoanApplications". It will be retransmitted after the retry interval specified for this Send Port. Details:"The Windows SharePoint Services adapter Web service encountered an access-denied error accessing site http://biztalkdemo/. The BizTalk host instance account requires Contributor-level permissions. 

This was a rather obvious reference to the fact that the BizTalk Service account needed permission to contribute documents to the form library. Once I granted AdventureWorks\BizTalkHost contribute permissions, everything started working as designed.