Duet Enterprise: Derived Key Token Cannot Derive Secret

In the process of connecting SAP and SharePoint, one of the steps is to ask the SAP Administrator to provide to provide a whole bunch of BDC models. These models will then be incorporated into the SharePoint BCS and then make the SAP tables available in the SharePoint site.
Sounds simple, except for the fact that, more often that not even if you follow the steps to the letter, one might come across the following error message:
security configuration error: derived key token cannot derive key from the secret
This is caused mainly by SAP configuration (or lack of it), but do not put the blame on them...getting Duet to work sometimes it is a daunting task.
How to track that down?
Listen to the network: well, one of the things you can do it to see what's going on is using the good old network sniffing tools. I suggest to you the Network Monitor, but feel free to use what ever you want. By listening to the traffic flowing from SharePoint to SAP you will have a clue it the connection is established.
duet-enterprise-sharepoint-sap - 2
If you hear nothing, this lead to the conclusion that BCS might not be connecting at all. Check the SAP endpoints, find out how the HTTPS port is configured. Do not assume SAP is using the default HTTPS port number. The best way to find this out: open the endpoint URL with your favourite browser.
If you can browse, the issue is likely security. Check the security configuration of the Duet accounts involved. Check the SSO accounts.
If you can not browse, check if there are any firewall blocks between the SharePoint farm and the SAP gateway servers.
  duet-enterprise-sharepoint-sap - 3
if there are no devices or security rules blocking the network connection then we must go to the mythic land of the SAML.
You see…for Duet Enterprise to work , the endpoint requires that the SAML issuer configured in the SAP side must be correct. If it is not, this will result in a token issued incorrectly, which will then reflect in the BDC schemas exported from SAP, and since the schemas are going to be generated with different keys, the BCS models and calls to endpoint won't work. The fix is in the middleware, the SCL.
duet-enterprise-sharepoint-sap - 4
This used (maybe still is...) a very tricky thing because the only way to fix this is dealing with XML manually (I know...sorry for you in advance). On a positive note, I understand that in Duet Enterprise FP1 there is an automated tool, but I haven’t be able to work with FP1 yet.
If you don't have access to this XML tool to “spot the not-right”, I suggest you to try these steps:
duet-enterprise-sharepoint-sap - 5
  1. If you see the KeyType element, try to change to PublicKey. (check the WSDL endpoint exposed by the SAP)
  2. Remove all BCS definitions from SharePoint
  3. In SAP, regenerate all BDC definitions.
  4. Reimport them all into SharePoint
Every Duet Enterprise project I've seen was a success so far, however nobody said it is always easy.



  1. Hi Edge,

    If you [can] have access to SAP environment; start with inspecting transaction logs 'SRT_UTIL' and 'IWFND/ERROR_LOG' on the Gateway system. In case of error messages logged there (probably then due SAML / trust errors), you quicly validated that BCS is succesfully in reaching SAP Gateway; and this rules out firewall + endpoint issues.

    Best regards, William.

  2. It was really a nice post and i was really impressed by reading this post.... SAP Certified ABAP Solution