Fixing Apps After Configuring Cloud Hybrid Search

by Nico Martens on 8/12/2016

Applies to:
Hybrid Search, PowerShell, provider-hosted add-ins, SharePoint Online, SPAuthenticationRealm, SPTrustedSecurityTokenIssuers

In my previous blog post, I described some considerations before configuring cloud hybrid search in your environment. You should probably review that post before reading this article. One limitation in particular can really mess up your farm:

All provider-hosted add-ins will break when running the onboarding script.

Long story short, it will break every server-to-server trust because the SPAuthenticationRealm is changed.

To fix this, I wrote a script that gives you two options:

  • Undo

    This option will reverse the change made by the onboarding script. It will change the SPAuthenticationRealm back to the old value. If you choose this option, cloud hybrid search will not work, but at least your apps are working again.

  • Fix

    This option will try to change your SPTrustedSecurityTokenIssuers so that it uses the new SPAuthenticationRealm set by the onboarding script.
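
Before choosing either option, a read-only check shows which trusts are affected by the realm change. The following is an added example, not part of the Fix-Onboarding.ps1 script; the helper name Test-IssuerRealm is hypothetical, and it assumes your issuers were registered in the usual `<issuerId>@<realm>` form.

```powershell
# Added example: read-only audit. Run in the SharePoint Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Hypothetical helper: compares the realm part of an issuer name with the farm realm.
function Test-IssuerRealm {
    param(
        [Parameter(Mandatory = $true)] [string] $FarmRealm,
        [string] $RegisteredIssuerName
    )
    # Assumption: issuers are registered as "<issuerId>@<realm>".
    $parts = $RegisteredIssuerName -split '@', 2
    if ($parts.Count -lt 2)        { return 'NoRealm' }   # nothing to compare
    if ($parts[1] -eq '*')         { return 'Wildcard' }  # not tied to a single realm
    if ($parts[1] -ieq $FarmRealm) { return 'Match' }
    return 'Mismatch'                                     # still points at another realm
}

# The realm currently configured for the farm (the value the onboarding script changes).
$farmRealm = Get-SPAuthenticationRealm

$report = Get-SPTrustedSecurityTokenIssuer | ForEach-Object {
    New-Object PSObject -Property @{
        Name                 = $_.Name
        RegisteredIssuerName = $_.RegisteredIssuerName
        RealmStatus          = Test-IssuerRealm -FarmRealm $farmRealm `
                                   -RegisteredIssuerName $_.RegisteredIssuerName
    }
}

"Farm realm: $farmRealm"
$report | Sort-Object RealmStatus, Name |
    Format-Table Name, RealmStatus, RegisteredIssuerName -AutoSize

# Issuers flagged here are the server-to-server trusts that no longer line up with the farm.
$broken = @($report | Where-Object { $_.RealmStatus -eq 'Mismatch' })
if ($broken.Count -gt 0) {
    Write-Warning "$($broken.Count) trusted security token issuer(s) reference a different realm."
}
```

Running the same check again after Undo or Fix should report no mismatches.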

Later in this post I have some important considerations. Make sure that you read them.

Running the script will result in something like this:

Fix-Onboarding.ps1 will change the SPAuthenticationRealm back to the old value and then change your SPTrustedSecurityTokenIssuers
Running the Fix-Onboarding.ps1 script

You can download the script here:


Important considerations

If you choose to fix your SPTrustedSecurityTokenIssuers, you will need to do some additional work to have everything work again.

Grant app permissions

App permissions rely on the SPAuthenticationRealm. This means that any app permissions that you set will be gone after updating your SPTrustedSecurityTokenIssuers.

You will have to register the apps again and assign the permissions to the app. The following script can do this for you (the current script is app-instance based; this means you have to run it for every app instance).

Also, make sure to change the variables in the script before running it.


Workflow Manager

Workflow Manager also relies on the SPAuthenticationRealm. Thanks to Ruben de Boer for proposing the solution.

  1. After running the Fix-Onboarding.ps1 script, make sure to remove the existing Workflow Service Application Proxy.
  2. Then run the Register-SPWorkflowService cmdlet again. Make sure to use the same scope that you used before. I recommend using the -Force parameter.

I hope this helps you! Do not hesitate to contact me if you have any trouble using the script or if you have any questions.

You can find Nico’s original post on his blog here:

Topic: Administration and Infrastructure
