Question

Breaking my head with this issue for the past 2 days!

Received an Access Denied error in SPD, so I tried to set the metadata permissions and got the following error.

  1. I am one of the admins for the BCS service application
  2. I belong to the Farm Admin group
  3. I have the required permissions in SQL
  4. Tried opening CA in Admin mode (IE -> Run as Administrator)
  5. ULS logs show the following

    Access Denied for User '0#.w|domain\skumar', which may be an impersonation by 'DOMAIN\skumar'. Securable IMetadataCatalog with Name 'ApplicationRegistry' has ACL that contains:

Any more ideas? Please let me know if you need more information.

Edit:

Here is the stack trace

'BCS' BdcServiceApplication logging server side AccessDeniedException before marshalling and rethrowing on client side: Access Denied for User '0#.w|domain\skumar', which may be an impersonation by 'domain\skumar'. Securable IMetadataCatalog with Name 'ApplicationRegistry' denied access. Stack Trace: at Microsoft.SharePoint.BusinessData.SharedService.IndividuallySecurableMetadataObjectAccessor.SetAccessControlEntries(MetadataObjectStruct metadataObjectStruct, AccessControlEntryStruct[] aces, String settingId, DbSessionWrapper dbSessionWrapper) at Microsoft.SharePoint.BusinessData.SharedService.BdcServiceApplication.<>c__DisplayClass2c.b__2b() at Microsoft.SharePoint.BusinessData.SharedService.BdcServiceApplication.Execute[T](String operationName, UInt32 maxRunningTime, ExecuteDelegate`1 operation)


Solution

Our solution was to go to SP Central Admin > System Settings > Services on Server and start the "Claims to Windows Token Service". We also found this error in the logs which helped lead us to this as the solution:

SPSecurityContext.WindowsIdentity: Could not retrieve a valid windows identity for NTName='PRMM-SP\polyadmin', UPN='PolyAdmin@PRMM-SP.local'. UPN is required when Kerberos constrained delegation is used. Exception: System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at net.pipe://localhost/s4u/022694f3-9fbd-422b-b4b2-312e25dae2a2 that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. ---> System.IO.PipeException: The pipe endpoint 'net.pipe://localhost/s4u/022694f3-9fbd-422b-b4b2-312e25dae2a2' could not be found on your local machine.

For us I feel that this situation may only occur because the user we are trying to add in the metadata permissions has both an AD and ADFS (claims) entry. I have seen where EnsureUser or some other API call fails when you have identical IDs across two user stores.
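The same fix, scripted, as an added example that is not part of the original answer: start the Claims to Windows Token Service (C2WTS) instance on every farm server where it is stopped, wait for it to come online, and then check the ULS log for the `net.pipe://localhost/s4u/` endpoint error quoted above. It assumes you run it in the SharePoint Management Shell as a farm administrator; the five-minute timeout and the one-hour log window are arbitrary choices.

```powershell
# Added example (not from the original answer): start C2WTS farm-wide and verify it.
# Assumption: run in the SharePoint Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$typeName = "Claims to Windows Token Service"

# Start every C2WTS service instance that is not already online.
$instances = Get-SPServiceInstance | Where-Object { $_.TypeName -eq $typeName }
foreach ($instance in $instances) {
    if ($instance.Status -ne "Online") {
        Write-Host "Starting $typeName on $($instance.Server.Address)"
        Start-SPServiceInstance -Identity $instance | Out-Null
    }
}

# Start-SPServiceInstance is asynchronous (the timer service provisions it),
# so poll until every instance reports Online or the (arbitrary) timeout expires.
$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 10
    $pending = Get-SPServiceInstance |
        Where-Object { $_.TypeName -eq $typeName -and $_.Status -ne "Online" }
} while ($pending -and (Get-Date) -lt $deadline)

# Report the final state per server.
Get-SPServiceInstance | Where-Object { $_.TypeName -eq $typeName } |
    Select-Object @{ n = "Server"; e = { $_.Server.Address } }, Status

# The Windows service behind it (service name c2wts) must be running on this
# server too; it is what listens on the net.pipe s4u endpoint the log complained about.
Get-Service -Name c2wts | Select-Object Name, Status, StartType

# Confirm the endpoint error has stopped: search the last hour of ULS entries
# for the s4u pipe address. An empty result after a retry means the fix took.
Get-SPLogEvent -StartTime (Get-Date).AddHours(-1) |
    Where-Object { $_.Message -like "*net.pipe://localhost/s4u/*" } |
    Select-Object Timestamp, Area, Message -First 5
```

Run it on each web front end, or at least check `Get-Service c2wts` on each, because the service instance being Online in the farm configuration does not guarantee the local Windows service is running; the s4u pipe is local to the box that received the request.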

OTHER TIPS

It sounds as though you need to go into your Business Data Connectivity Service Application and set the permissions on the object. First, go to Central Administration->Application Management->Manage service applications. Find your Business Data Connectivity service application and go to the Manage page. Select the external content type and go to Set Permissions on the ECB menu, or Set Object Permissions on the ribbon. From the Set Object Permissions pop-up dialog you can add accounts and set their permissions. You will need to give the user who is logging in to SharePoint at least Execute permission to be able to see the list items (not to be confused with the account that will access the database).
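The scripted equivalent of the Set Object Permissions dialog described above, as an added example that is not part of the original answer. It grants the administrator SetPermissions on the BDC catalog (the `ApplicationRegistry` IMetadataCatalog object named in the question's stack trace) and gives an end user Execute on one external content type. It assumes you run it in the SharePoint Management Shell as a BDC service application administrator; the site URL, ECT name, namespace and account names are placeholders to replace with your own.

```powershell
# Added example (not from the original answer): set BDC object permissions by script.
# Assumption: run in the SharePoint Management Shell as a BDC service app administrator.
# All values below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = "http://sharepoint.contoso.local"      # any site whose web app is bound to the BDC proxy
$ectName   = "Customer"                             # external content type (BDC "Entity") name
$namespace = "http://sharepoint.contoso.local/ect"  # namespace from the ECT definition
$adminUser = "CONTOSO\bdcadmin"                     # who may edit object permissions
$endUser   = "CONTOSO\skumar"                       # who reads the external list (NOT the DB account)

# Resolve both accounts as Windows claims principals (claims-mode web application).
$adminPrincipal = New-SPClaimsPrincipal -Identity $adminUser -IdentityType WindowsSamAccountName
$userPrincipal  = New-SPClaimsPrincipal -Identity $endUser   -IdentityType WindowsSamAccountName

# 1. Catalog level: the question's error was a denial on the catalog object itself.
#    Setting permissions on anything requires SetPermissions on the catalog.
$catalog = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Catalog -ServiceContext $siteUrl
Grant-SPBusinessDataCatalogMetadataObject -Identity $catalog -Principal $adminPrincipal `
    -Right Edit, Execute, SetPermissions, SelectableInClients
# Optionally push the catalog ACL down to every model/ECT (overwrites child ACLs).
# Copy-SPBusinessDataCatalogAclToChildren -MetadataObject $catalog

# 2. ECT level: the user opening the external list needs only Execute.
#    The database connection identity is configured separately (Secure Store or RevertToSelf).
$ect = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Entity -ServiceContext $siteUrl `
    -Name $ectName -Namespace $namespace
Grant-SPBusinessDataCatalogMetadataObject -Identity $ect -Principal $userPrincipal -Right Execute

# 3. Verify: dump the ACL now on the ECT so the grant can be audited.
$ect = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Entity -ServiceContext $siteUrl `
    -Name $ectName -Namespace $namespace
$ect.GetAccessControlList() | Select-Object Principal, Rights
```

Keep the two identities distinct as the answer says: Execute on the ECT controls which SharePoint users may run its operations, while the account that actually connects to the external system comes from the ECT's authentication mode. Re-fetching the object before reading the ACL avoids looking at a stale in-memory copy after the grant.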

I have blogged a few error messages like this one that keep catching me out.
