Question

When I try to configure Metadata Store Permissions I keep getting this error

I am the Farm Administrator and have full access on SharePoint to start with. Now, as I drilled down further looking at my logs, here is what happened.

SPSecurityContext: 
Could not retrieve a valid windows identity for username 'DOMAIN\UserName' with UPN 'username@domain.com'. UPN is required when Kerberos constrained delegation is used. Exception: System.ArgumentException: Token cannot be zero.     
at System.Security.Principal.WindowsIdentity.CreateFromToken(IntPtr userToken)     
at System.Security.Principal.WindowsIdentity..ctor(IntPtr userToken, String authType, Int32 isAuthenticated)     
at System.Security.Principal.WindowsIdentity..ctor(IntPtr userToken)     
at Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(Func`2 contractOperation)     
at Microsoft.SharePoint.SPSecurityContext.GetWindowsIdentity(). b566569c-fb43-705a-1a09-c60c3572d56a
Unexpected  No windows identity for DOMAIN\UserName.    b566569c-fb43-705a-1a09-c60c3572d56a
Access Denied for User '0#.w|DOMAIN\UserName', which may be an impersonation by 'DOMAIN\ServiceUser'. Securable IMetadataCatalog with Name 'ApplicationRegistry' has ACL that contains:     b566569c-fb43-705a-1a09-c60c3572d56a
Unexpcted   'Business Data Connectivity Service' BdcServiceApplication logging server side AccessDeniedException before marshalling and rethrowing on client side: Access Denied for User '0#.w|DOMAIN\UserName', which may be an impersonation by 'DOMAIN\ServiceUser'. Securable IMetadataCatalog with Name 'ApplicationRegistry' denied access. 

Stack Trace:    
at Microsoft.SharePoint.BusinessData.SharedService.IndividuallySecurableMetadataObjectAccessor.SetAccessControlEntries(MetadataObjectStruct metadataObjectStruct, AccessControlEntryStruct[] aces, String settingId, DbSessionWrapper dbSessionWrapper)    
at Microsoft.SharePoint.BusinessData.SharedService.BdcServiceApplication.<>c__DisplayClass2c.<Microsoft.SharePoint.BusinessData.SharedService.IBdcServiceApplication.SetAccessControlEntries>b__2...    b566569c-fb43-705a-1a09-c60c3572d56a
at Microsoft.SharePoint.BusinessData.SharedService.BdcServiceApplication.Execute[T](String operationName, UInt32 maxRunningTime, ExecuteDelegate`1 operation)   b566569c-fb43-705a-1a09-c60c3572d56a
Micro Trace Tags: 0 nasq,0 e5mb,9 9f5y,82 bz7l,0 g220,6 g0k9,0 9f4c b566569c-fb43-705a-1a09-c60c3572d56a

What am I doing wrong? How do I fix this? We are not using Kerberos, and how do I disable it for BDC? On old SharePoint 2010 I never had this issue.

Solution

OK, I solved this issue after nearly a week of tinkering and Googling; none of what I had done so far fixed it. So I gave up searching and turned my efforts to creating another fresh instance of SharePoint 2013. After installation I chose all defaults and checked whether it gave me the same error. To my surprise it didn't, so I searched for the differences and applied them to my live SharePoint.

There are 2 main differences and here they are:

  1. I migrated from classic-mode to claims-based authentication and followed these steps from TechNet: http://technet.microsoft.com/en-us/library/gg251985.aspx
  2. Then I reverted my claims to windows service to run as a local account, then restarted the service.

Now I can "Set Metadata Store Permissions"

OTHER TIPS

Make sure 'DOMAIN\UserName' is a member of the WSS_WPG group. Also log out and log back in to propagate the membership through the domain.
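
The following read-only checks are an added example, not part of either answer above: they show the state that the accepted solution (the identity of the Claims to Windows Token Service) and the tip (WSS_WPG membership) both depend on. Assumptions: it is run in the SharePoint 2013 Management Shell on a farm server, the Windows service keeps its default name c2wts, and DOMAIN\UserName is the placeholder from the log.

```powershell
# Added example: read-only diagnostics, nothing here changes farm configuration.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$account = 'DOMAIN\UserName'   # placeholder: the user named in the ULS entries

# 1. Claims to Windows Token Service instances: server, status and run-as identity.
#    The S4UClient call in the stack trace goes to this service.
Get-SPServiceInstance |
    Where-Object { $_.TypeName -eq 'Claims to Windows Token Service' } |
    ForEach-Object {
        $id = $_.Service.ProcessIdentity
        [pscustomobject]@{
            Server       = $_.Server.Address
            Status       = $_.Status
            IdentityType = $id.CurrentIdentityType   # LocalSystem, SpecificUser, ...
            Username     = $id.Username
        }
    } | Format-Table -AutoSize

# 2. The Windows service behind it on this server (assumed default name: c2wts).
Get-WmiObject Win32_Service -Filter "Name='c2wts'" |
    Select-Object Name, State, StartMode, StartName

# 3. Direct membership of the local WSS_WPG group on this server.
$direct = net localgroup WSS_WPG | Where-Object { $_.Trim() -ieq $account }
if ($direct) {
    "$account is a direct member of WSS_WPG"
} else {
    "$account is not listed directly in WSS_WPG (nested groups are not checked here)"
}

# 4. Whether the CURRENT logon token already carries WSS_WPG. Group changes
#    reach the token only at the next logon, hence the log out / log in advice.
if (whoami /groups | Select-String -SimpleMatch 'WSS_WPG') {
    'Current logon token contains WSS_WPG'
} else {
    'Current logon token does not contain WSS_WPG'
}
```

Check 4 reports on whoever runs the script, so run it as the affected user to test that account's token.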

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange