Resolving The "Unable To Follow The Document" Issue In SharePoint 2016

Issue

While trying to follow the document or site in SharePoint 2016, let's suppose you encountered the following error.

Something went wrong

Sorry, we couldn't follow the site.

Technical Details

Internal Error : Could not follow the item https://test.krossfarm.com

Environment

Krossfarm has multiple farm environments. A dedicated Services farm hosts the User Profile and Search service applications, while another farm, called the Team farm, hosts the Team sites and Publishing sites. Trust is established between the Services farm and the Team farm, and the Team farm consumes services from the Services farm: the UPA (User Profile Service Application) is published from the Services farm and consumed in the Team farm.

Troubleshooting

Krossfarm's administrator checked the following things:

  • Checked that the Team farm's app pool account has Full Control permission on the UPA in the Services farm.
  • Checked that the User Profile Service proxy is associated with the Team web app and the MySite web app.
  • Checked that the Managed Metadata Service proxy is associated with the Team web app and the MySite web app.
  • Checked that the root and STS certificates are properly added.
  • Checked the permissions on the SQL Server to see whether the app pool account has rights on the Profile DB, Social DB and Sync DB.
  • Finally, the admins examined the ULS logs and found these entries.

    12/06/2016 12:15:19.23 w3wp.exe (kfsp:0x4884) 0x7D68 SharePoint Foundation Monitoring b4ly High Leaving Monitored Scope: (S2SMonitor: FollowedContent.FollowItem(https://test.krossfarm.com/); ) Execution Time=740.861923694252; CPU Milliseconds=494; SQL Query Count=4; Parent=FollowedContent.Follow(https://test.krossfarm.com/) 1254bd9d-552e-00bd-1962-54ae563214b4

    12/06/2016 12:15:19.23 w3wp.exe (kfsp:0x4884) 0x7D68 SharePoint Portal Server Content Following afilq Unexpected FollowedContent.FollowItem:Exception:System.Net.WebException: The remote server returned an error: (401) Unauthorized. at System.Net.HttpWebRequest.GetResponse() at Microsoft.SharePoint.Client.SPWebRequestExecutor.Execute() at Microsoft.SharePoint.Client.ClientRequest.ExecuteQueryToServer(ChunkStringBuilder sb) at Microsoft.Office.Server.UserProfiles.FollowedContentProxy.Execute(String methodName) at Microsoft.Office.Server.UserProfiles.FollowedContentProxy.FollowItem(FollowedItem item) at Microsoft.Office.Server.UserProfiles.FollowedContent.FollowItem(FollowedItem item, Boolean isInternal) 1254bd9d-552e-00bd-1962-54ae563214b4

    12/06/2016 12:15:19.23 w3wp.exe (kfsp:0x4884) 0x7D68 SharePoint Foundation Monitoring b4ly High Leaving Monitored Scope: (FollowedContent.Follow(https://test.krossfarm.com/)) Execution Time=779.766706499348; CPU Milliseconds=523; SQL Query Count=7; Parent=Microsoft.Office.Server.UserProfiles.FollowedContent.Follow 1254bd9d-552e-00bd-1962-54ae563214b4


    12/06/2016 12:15:19.23 w3wp.exe (kfsp:0x4884) 0x7D68 Document Management Server Reporting ay6ke High FollowedContent.Follow Failure: Follow: Unexpected FollowedContentExceptionCode. 1254bd9d-552e-00bd-1962-54ae563214b4

    12/06/2016 12:15:19.23 w3wp.exe (kfsp:0x4884) 0x7D68 SharePoint Foundation CSOM ahjq1 High Exception occured in scope Microsoft.Office.Server.UserProfiles.FollowedContent.Follow. Exception=Microsoft.Office.Server.UserProfiles.FollowedContentException: InternalError : Could not follow the item https://test.krossfarm.com at Microsoft.Office.Server.UserProfiles.FollowedContent.FollowItem(FollowedItem item, Boolean isInternal) at Microsoft.Office.Server.UserProfiles.FollowedContent.Follow(Uri url, FollowedItemData data) at Microsoft.Office.Server.UserProfiles.FollowedContentServerStub.InvokeMethod(Object target, String methodName, XmlNodeList xmlargs, ProxyContext proxyContext, Boolean& isVoid) at Microsoft.SharePoint.Client.ServerStub.InvokeMethodWithMonitoredScope(Object target, String methodName, XmlNodeList args, ProxyContext proxyContext, Boolean& isVoid) 1254bd9d-552e-00bd-1962-54ae563214b4

    12/06/2016 12:15:19.23 w3wp.exe (kfsp:0x4884) 0x7D68 SharePoint Foundation CSOM agmjp Medium Original error: Microsoft.Office.Server.UserProfiles.FollowedContentException: InternalError : Could not follow the item https://test.krossfarm.com at Microsoft.Office.Server.UserProfiles.FollowedContent.FollowItem(FollowedItem item, Boolean isInternal) at Microsoft.Office.Server.UserProfiles.FollowedContent.Follow(Uri url, FollowedItemData data) at Microsoft.Office.Server.UserProfiles.FollowedContentServerStub.InvokeMethod(Object target, String methodName, XmlNodeList xmlargs, ProxyContext proxyContext, Boolean& isVoid) at Microsoft.SharePoint.Client.ServerStub.InvokeMethodWithMonitoredScope(Object target, String methodName, XmlNodeList args, ProxyContext proxyContext, Boolean& isVoid) 1254bd9d-552e-00bd-1962-54ae563214b4

    12/06/2016 12:15:19.23 w3wp.exe (kfsp:0x4884) 0x7D68 SharePoint Portal Server Microfeeds aizmo Medium SocialRESTExceptionProcessingHandler.DoServerExceptionProcessing - SharePoint Server Exception [Microsoft.Office.Server.UserProfiles.FollowedContentException: InternalError : Could not follow the item https://test.krossfarm.com at Microsoft.Office.Server.UserProfiles.FollowedContent.FollowItem(FollowedItem item, Boolean isInternal) at Microsoft.Office.Server.UserProfiles.FollowedContent.Follow(Uri url, FollowedItemData data) at Microsoft.Office.Server.UserProfiles.FollowedContentServerStub.InvokeMethod(Object target, String methodName, XmlNodeList xmlargs, ProxyContext proxyContext, Boolean& isVoid) at Microsoft.SharePoint.Client.ServerStub.InvokeMethodWithMonitoredScope(Object target, String methodName, XmlNodeList args, ProxyContext proxyContext, Boolean& isVoid)] 1254bd9d-552e-00bd-1962-54ae563214b4

The above errors do not give much information, but the (401) Unauthorized response forces us to re-check the trust settings. I checked the settings below one by one.

  1. Exchange trust certificates between the farms.  - Completed Successfully
  2. On the Publishing farm, publish the Service application.  - Completed Successfully
  3. On the Consuming farm, set the permission to the appropriate Service applications.  - Completed Successfully.
  4. On the Consuming farm, connect to the Remote Service application.  - Completed Successfully
  5. Add the Shared Service application to a Web application proxy group on the Consuming farm.  - Completed Successfully.
  6. Configure Server-to-Server authentication between the Publishing and Consuming farms.

    Oh man! This is what I did not set properly. The realm settings on the two farms are different, which means Server-to-Server authentication is not configured correctly.

Resolution

In a cross-farm environment, if you want users to be able to follow documents, access User Profile data, or post to the feed on behalf of users, you have to configure Server-to-Server authentication between the farms.

Configure Publishing farm first. Run the below commands on the Publishing farm.

    # Set the friendly realm name for the Publishing farm
    Set-SPAuthenticationRealm -Realm PubTrust

    # Now, configure the NameId settings on the Publishing farm
    $sts = Get-SPSecurityTokenServiceConfig
    $Realm = Get-SPAuthenticationRealm
    $nameId = "00000003-0000-0ff1-ce00-000000000000@$Realm"
    Write-Host "Setting STS NameId to $nameId"
    $sts.NameIdentifier = $nameId
    $sts.Update()

    # Configure the Server-to-Server authentication
    New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https://test.krossfarm.com/_layouts/15/metadata/json/1" -Name "Consumer-Trust"

Note

https://test.krossfarm.com is the URL of the Web application from Consumer farm.

Configure Consuming Farm

Now, run the below commands on the Consuming Farm.

    # Set the friendly realm name for the Consuming farm.
    # The realm name must be the same as on the Publishing farm.
    Set-SPAuthenticationRealm -Realm PubTrust

    # Now, configure the NameId settings on the Consuming farm
    $sts = Get-SPSecurityTokenServiceConfig
    $Realm = Get-SPAuthenticationRealm
    $nameId = "00000003-0000-0ff1-ce00-000000000000@$Realm"
    Write-Host "Setting STS NameId to $nameId"
    $sts.NameIdentifier = $nameId
    $sts.Update()

    # Configure the Server-to-Server authentication on the Consuming farm
    New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https://mysite.krossfarm.com/_layouts/15/metadata/json/1" -Name "Pub-Trust"

Note

https://mysite.krossfarm.com is the URL of the Web application from Publishing farm.

Testing

Now, if you try to follow a document or site from the Consuming farm, the follow should go through without the error shown above.
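
Before testing in the browser, the realm and NameId settings from the Resolution steps can be read back on each farm. The script below is an added example, not part of the original article; the function name Get-S2STrustSummary is hypothetical, and it assumes the realm PubTrust and the SharePoint Management Shell on a farm server.

```powershell
# Added example (not from the original article). Run on EACH farm in the
# SharePoint Management Shell and compare the two results side by side.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-S2STrustSummary {   # hypothetical helper name
    param(
        # Realm both farms are expected to share; PubTrust is the value used above.
        [string]$ExpectedRealm = 'PubTrust'
    )

    $realm = Get-SPAuthenticationRealm
    $sts   = Get-SPSecurityTokenServiceConfig
    # Same NameId format the steps above assign to $sts.NameIdentifier.
    $expectedNameId = "00000003-0000-0ff1-ce00-000000000000@$ExpectedRealm"

    # Trusted issuers registered on this farm (Consumer-Trust or Pub-Trust above),
    # listed so the partner farm's registration can be confirmed by eye.
    $issuers = @(Get-SPTrustedSecurityTokenIssuer | ForEach-Object {
        [pscustomobject]@{
            Name             = $_.Name
            NameId           = $_.NameId
            MetadataEndPoint = $_.MetadataEndPoint
        }
    })

    [pscustomobject]@{
        Server           = $env:COMPUTERNAME
        Realm            = $realm
        RealmMatches     = ($realm -eq $ExpectedRealm)
        StsNameId        = $sts.NameIdentifier
        StsNameIdMatches = ($sts.NameIdentifier -eq $expectedNameId)
        TrustedIssuers   = $issuers
    }
}

$summary = Get-S2STrustSummary -ExpectedRealm 'PubTrust'
$summary | Format-List Server, Realm, RealmMatches, StsNameId, StsNameIdMatches
$summary.TrustedIssuers | Format-Table -AutoSize

if (-not ($summary.RealmMatches -and $summary.StsNameIdMatches)) {
    Write-Warning "Realm '$($summary.Realm)' or STS NameIdentifier does not match the expected PubTrust values."
}
if ($summary.TrustedIssuers.Count -eq 0) {
    Write-Warning "No trusted security token issuer is registered on this farm."
}
```

If Realm or StsNameId differs between the two farms' output, the condition that produced the (401) Unauthorized entry in the ULS log is still present.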