When you connect to a Web service by using an InfoPath 2010 form that contains sandboxed code, the data that is returned is incorrect, or you receive an error message


Symptoms


You have a Microsoft InfoPath 2010 form template that has a data connection to a Web service. When you connect to the Web service, you encounter one of the following issues:
  • The data that is returned by the Web service is incorrect.
  • You receive the following error message:
    An error occurred accessing a data source.

    An entry has been added to the Windows event log of the server.

    Log ID:5566
These issues occur when the following conditions are true:
  • The Web service uses the identity of the user who fills out the form.
  • The InfoPath 2010 form template contains sandboxed code and is published to a Microsoft SharePoint Server 2010 Web site.

    Note InfoPath form code runs by using SharePoint Foundation Sandboxed Code Service if the Administrator-approved form template (advanced) option is not enabled when the form is published.

Cause


An InfoPath 2010 form template that contains sandboxed code is implemented by using SharePoint Foundation Sandboxed Code Service, which uses the SPUCWorkerProcess process instead of the W3WP process. When the form calls the Web service, InfoPath Forms Services delegates the request to the SPUCWorkerProcess process. This process cannot use the identity of the user who is filling out the form. Instead, the process uses the identity of the account that runs SharePoint Foundation Sandboxed Code Service. The account is specified by the farm administrator. Therefore, the Web authenticates are based on the identity of the SPUCWorkerProcess process. However, if the account that is specified by the farm administrator does not have access to the Web service, the error message occurs.

Note InfoPath Forms Services tries to execute a request in the W3WP process when InfoPath Forms Services determines that no sandboxed code has to be run for a given request. However, if there are cascading actions that may cause sandboxed code to be executed, the request is delegated to SharePoint Foundation Sandboxed Code Service and to the SPUCWorkerProcess process.

Resolution


To resolve this problem, use one of the following methods.

Method 1

Redeploy the sandboxed form as an administrator-approved form. To do this, follow these steps:
  1. Open the InfoPath 2010 form in Design mode in InfoPath Designer 2010.
  2. On the File menu, click Publish.
  3. Click SharePoint Server.
  4. Follow the instructions in the Publishing Wizard to finish the publication. Make sure that you select the Administrator-approved form template (advanced) option.
  5. Open SharePoint 2010 Central Administrator on a SharePoint Server 2010 server that has InfoPath Forms Services enabled.
  6. Under Central Administration, click General Application Settings.
  7. Under InfoPath Forms Services, click Upload form template.
  8. Click Browse, locate the InfoPath 2010 form template, and then click Open.
  9. Click Upload, and then click OK.
  10. Click General Application Settings, under InfoPath Forms Services, click Manage form templates.
  11. Click the name of the template that you uploaded, and then click Activate to a Site Collection.
  12. Click the Site Collection drop-down list, and then click Change Site Collection.
  13. Select the URL of the site collection where you want to activate the form template, and then click OK two times.
  14. Open the site collection where you activated the form template.
  15. Create a new form library on the site.
  16. On the Library tab, click Library Settings.
  17. Under the General Settings section, click Advanced settings.
  18. Set Allow management of content types to Yes, and then click OK.
  19. In the Form Library Setting page, click Add from existing site content types.
  20. Click the form template that you activated, click Add, and then click OK.
  21. Click Form, click Delete this content type, and then click OK.
  22. Open the form library. On the Documents tab, click New Document, and then click the form template name.
Method 2

Use the Secure Store Service in SharePoint Server 2010 to store alternate credentials for the data connection.

Secure Store Service authentication works by storing a username and a password in an encrypted database. When InfoPath Forms Services requests Secure Store Service authentications on behalf of a user, Secure Store Service performs individual authentication or group authentication. For individual authentication, Secure Store Service verifies that the requested user has an entry in the Secure Store Service database. For group authentication, Secure Store Service verifies that the user is a member of a group entry. When the user is validated, Secure Store Service returns the appropriate credentials. Then, InfoPath Forms Services uses those credentials to impersonate the user. Therefore, the Web service sees that the user is specified in the Secure Store Service database even if the specified user is not the actual user.

Note The following steps assume that the data connection in the form template uses a UDCX file in a data connection library. For more information about how to create and to use a data connection library in Microsoft Office SharePoint Server 2007, visit the following Microsoft Developer Network (MSDN) Web site:To use Secure Store Service to store alternate credentials for the data connection, follow these steps:
  1. Create a new Secure Store Service target application, and then add the account information. To do this, follow these steps:
    1. Open SharePoint 2010 Central Administrator.
    2. Click Application Management, and then click Manage service applications.
    3. Click Secure Store Service.
    4. Click New. Follow the instructions on the Create New Secure Store Target Application page to configure the target application settings. Note the string that you enter into the Target Application ID box.

      Note Make sure that a new key is generated before you create a new Secure Store Service target application.
    5. Point to the name of target application that you just created, and then select Set Credentials from the drop-down list.
    6. Enter the account information for the Secure Store Service target application, and then click OK.
  2. Use the Secure Store Service target application in data connections. To do this, follow these steps:
    1. Download a copy of the UDCX file that is specified for the data connection.
    2. Use Notepad to open the UDCX file.
    3. Locate the <udc:Authentication> section, and then replace it with the following:
      <udc:Authentication>
      <udc:SSO AppId='TestSSOGroup' CredentialType='NTLM'/>
      </udc:Authentication>
    4. Change the value of the AppId attribute to the Target Application ID string that you noted previously.
    5. Save the file in Notepad.
    6. Upload the updated UDCX file to the SharePoint data connections library. Then, approve the file.
    7. Restart the SharePoint Server 2010 server.
  3. Open the InfoPath 2010 sandboxed form in a Web browser.
Method 3

States the credentials in the UDC file explicitly. To do this, replace the <udc:Authentication> section in the UDCX file by using the following code:
<udc:Authentication>
<udc:UseExplicit CredentialType="NTLM">
<udc:UserId></udc:UserId>
<udc:Password></udc:Password>
</udc:UseExplicit>
</udc:Authentication>
This method is less secure than method 2.

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.