Access denied by Business Data Connectivity on Setting Metadata Store Permissions
10-12-2019
Question
When I try to configure Metadata Store Permissions I keep getting this error.
I am the Farm Administrator and have full access on SharePoint to start with. Now, as I drilled down further looking at my logs, here is what happened:
SPSecurityContext:
Could not retrieve a valid windows identity for username 'DOMAIN\UserName' with UPN 'username@domain.com'. UPN is required when Kerberos constrained delegation is used. Exception: System.ArgumentException: Token cannot be zero.
at System.Security.Principal.WindowsIdentity.CreateFromToken(IntPtr userToken)
at System.Security.Principal.WindowsIdentity..ctor(IntPtr userToken, String authType, Int32 isAuthenticated)
at System.Security.Principal.WindowsIdentity..ctor(IntPtr userToken)
at Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(Func`2 contractOperation)
at Microsoft.SharePoint.SPSecurityContext.GetWindowsIdentity(). b566569c-fb43-705a-1a09-c60c3572d56a
Unexpected No windows identity for DOMAIN\UserName. b566569c-fb43-705a-1a09-c60c3572d56a
Access Denied for User '0#.w|DOMAIN\UserName', which may be an impersonation by 'DOMAIN\ServiceUser'. Securable IMetadataCatalog with Name 'ApplicationRegistry' has ACL that contains: b566569c-fb43-705a-1a09-c60c3572d56a
Unexpcted 'Business Data Connectivity Service' BdcServiceApplication logging server side AccessDeniedException before marshalling and rethrowing on client side: Access Denied for User '0#.w|DOMAIN\UserName', which may be an impersonation by 'DOMAIN\ServiceUser'. Securable IMetadataCatalog with Name 'ApplicationRegistry' denied access.
Stack Trace:
at Microsoft.SharePoint.BusinessData.SharedService.IndividuallySecurableMetadataObjectAccessor.SetAccessControlEntries(MetadataObjectStruct metadataObjectStruct, AccessControlEntryStruct[] aces, String settingId, DbSessionWrapper dbSessionWrapper)
at Microsoft.SharePoint.BusinessData.SharedService.BdcServiceApplication.<>c__DisplayClass2c.<Microsoft.SharePoint.BusinessData.SharedService.IBdcServiceApplication.SetAccessControlEntries>b__2... b566569c-fb43-705a-1a09-c60c3572d56a
at Microsoft.SharePoint.BusinessData.SharedService.BdcServiceApplication.Execute[T](String operationName, UInt32 maxRunningTime, ExecuteDelegate`1 operation) b566569c-fb43-705a-1a09-c60c3572d56a
Micro Trace Tags: 0 nasq,0 e5mb,9 9f5y,82 bz7l,0 g220,6 g0k9,0 9f4c b566569c-fb43-705a-1a09-c60c3572d56a
What am I doing wrong? How do I fix this? We are not using Kerberos, so how do I disable it for BDC? On old SharePoint 2010 I never had this issue.
Solution
OK, I solved this issue after nearly a week of tinkering and Googling; none of what I had done so far fixed it. So I gave up searching and put my efforts into creating another fresh instance of SharePoint 2013. After installation I chose all defaults and checked whether it gave me the same error; to my surprise it didn't, so I looked for the differences and applied them to my live SharePoint.
There are 2 main differences, and here they are:
- I migrated from classic-mode to claims-based authentication and followed these steps from TechNet: http://technet.microsoft.com/en-us/library/gg251985.aspx
- Then I reverted the Claims to Windows service to run as a local account and restarted the service.
Now I can "Set Metadata Store Permissions".
OTHER TIPS
Make sure 'DOMAIN\UserName' is a member of the WSS_WPG group. Also log out and log in again to propagate the membership through the domain.
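A diagnostic script covering the two points the solution and the tip above turn on (which identity the Claims to Windows Token Service runs as, and direct WSS_WPG membership), added here as an example and not part of the original posts. It assumes an elevated PowerShell on a SharePoint 2013 server, that the token service is registered as the Windows service c2wts, and that DOMAIN\UserName is the placeholder account from the question.

```powershell
# Added diagnostic, not from the original post. Assumptions: run in an
# elevated PowerShell on a SharePoint 2013 server; the Claims to Windows
# Token Service is registered as the Windows service 'c2wts'; the account
# below is the placeholder from the question.
param([string]$Account = 'DOMAIN\UserName')

# 1. Identity and state of the Windows service behind S4UClient in the log.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='c2wts'"
if ($null -eq $svc) {
    Write-Warning "Service 'c2wts' not found on $env:COMPUTERNAME"
} else {
    "C2WTS state     : $($svc.State)"
    "C2WTS start mode: $($svc.StartMode)"
    "C2WTS runs as   : $($svc.StartName)"   # 'LocalSystem' = local account, as in the solution
}

# 2. SharePoint's own view of the service instance on each server in the farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Get-SPServiceInstance |
    Where-Object { $_.TypeName -like '*Claims to Windows Token*' } |
    Select-Object @{n = 'Server'; e = { $_.Server.Address }}, Status |
    Format-Table -AutoSize

# 3. Direct membership of the local WSS_WPG group, read via ADSI so it also
#    works where Get-LocalGroupMember is unavailable (pre-Server 2016 hosts).
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/WSS_WPG,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    # ADsPath looks like WinNT://DOMAIN/UserName; normalise to DOMAIN\UserName
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    ($path -replace '^WinNT://', '') -replace '/', '\'
})
if ($members -contains $Account) {
    "$Account is a direct member of WSS_WPG"
} else {
    Write-Warning "$Account is NOT a direct member of WSS_WPG (nested groups are not expanded)"
    "Current direct members: $($members -join ', ')"
}
```

Run it on every web front end that hosts the token service, since the service identity and the local group are per-server settings.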