Question

Bit of a strange issue here, which I just can't seem to solve. I'll start by explaining the environment:

Environment

  • SharePoint 2010 Enterprise, Build Number 14.0.7113.5000

  • Windows Server 2008 R2

  • IIS 7.5

Web Application Authentication Specifics

Web application has 3 zones for different Authentication Methods:

  • Default Zone - Custom Trusted Identity Provider (ADFS)

  • Intranet Zone - NTLM

  • Extranet Zone - FBA

Mysite Location

Managed Path: /mysite/

Issue

A strange situation has been found where users who Authenticate via the ADFS Custom Identity Provider (i.e. all users of the site) cannot access any links to do with adding a colleague (aka "QuickLinksDialogForm.aspx"). This includes the following links:

  • Add Colleagues (This link throws an "Unauthorised" message)

  • View Suggestions (This link throws an "Unauthorised" message)

  • Edit Colleagues (This link does nothing)

  • Remove Colleagues (This link does nothing)

For a user who gets authenticated via NTLM (i.e. the back-end hosting team), these links work fine.

Side note: FBA Users cannot access /mysite/ at all. This is fine.

About the error message

Screenshot: The unauthorised error message ("Access Denied").

This error message is actually an in-screen pop-up. It is displayed whenever "QuickLinksDialogForm.aspx" is called by an ADFS user.

This is unfortunate, as "QuickLinksDialogForm.aspx" is actually located within the SharePoint 14 hive in the LAYOUTS folder:

"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\LAYOUTS\QuickLinksDialogForm.aspx"

Screenshot: The Quicklinks .aspx files within the LAYOUTS folder in the 14 hive.

If an NTLM user accesses this link, the correct content is displayed:

Screenshot: Correctly loading content ("Access Granted").

I have tried to find the reason for this issue, and have so far been unable to figure it out. SharePoint is complaining about permissions; however, the same issue occurs even when a user is given Full Control, Site Collection Administrator, and even a Full Control Policy on the Web Application. It makes no difference.

I have looked at this issue from multiple angles, from permissions, to encoding, and to claims. My best guess is that there is some issue with claims, although I have not been able to capture any proof in ULS, F12 Dev Tools or Fiddler. The only thing I have not done is Wireshark the packets to see what is happening behind the scenes.

I do not have visibility over the ADFS side of things, however I have a contact over there who could possibly have access to answer any specific questions that may arise.

Has anyone seen this behaviour before?

Kind Regards


Solution

It turns out that some permissions on the User Profile Service Application were missing for the ADFS users.

Screenshot: Permissions for the User Profile Service Application.
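The answer above does not show how the missing User Profile Service Application (UPA) permissions were found or granted. The following is an added example, not code from the original question or answer, showing how to inspect the UPA's user permissions and grant rights to a claims (trusted identity provider) user from the SharePoint 2010 Management Shell. It assumes the trusted identity token issuer is named "ADFS", that the issuer's identity claim is an e-mail address, and, because the answer does not name the missing rights, that "Use Personal Features" and "Use Social Features" are the ones needed for the My Site colleague pages; check the listing from step 1 against what an NTLM user holds before granting anything.

```powershell
# Added example (not from the original answer): inspect and repair the
# User Profile Service Application (UPA) user permissions for a user who
# authenticates through a trusted identity provider (ADFS).
# Run in the SharePoint 2010 Management Shell on a farm server as a farm admin.
# Assumptions (not stated in the answer): the token issuer is named "ADFS",
# the identity claim is an e-mail address, and the rights that were missing
# are "Use Personal Features" and "Use Social Features".

if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Locate the UPA by its display type name.
$upa = Get-SPServiceApplication |
    Where-Object { $_.TypeName -eq "User Profile Service Application" }
if (-not $upa) { throw "No User Profile Service Application found in this farm." }

# User-side permissions of the service application.
# (Get-SPServiceApplicationSecurity -Admin would return the administrators list instead.)
$security = Get-SPServiceApplicationSecurity $upa

# Step 1: list who currently holds which rights, so the gap is visible before
# anything is changed. Claims principals appear as encoded claims, e.g.
# "c:0(.s|true" is "All Authenticated Users"; a user from a trusted provider
# appears with the provider's encoded prefix followed by the identity claim.
Write-Host "Current UPA user permissions:"
$security.AccessRules | Select-Object Name, AllowedRights | Format-Table -AutoSize

# Step 2: build a claims principal for the affected ADFS user. The identity
# value must match the identity claim the trusted issuer is configured to
# send (assumed here to be an e-mail address; the address is a placeholder).
$issuer    = Get-SPTrustedIdentityTokenIssuer "ADFS"
$principal = New-SPClaimsPrincipal -Identity "user@example.com" -TrustedIdentityTokenIssuer $issuer

# Alternative, if every authenticated user of the web application should have
# My Site features: grant to the encoded "All Authenticated Users" claim.
# $principal = New-SPClaimsPrincipal -Identity "c:0(.s|true" -IdentityType EncodedClaim

# Step 3: grant the rights on the in-memory security object, then write it back.
Grant-SPObjectSecurity -Identity $security -Principal $principal `
    -Rights "Use Personal Features", "Use Social Features"
Set-SPServiceApplicationSecurity -Identity $upa -ObjectSecurity $security

# Step 4: re-read and confirm the rule is present.
Write-Host "UPA user permissions after the change:"
(Get-SPServiceApplicationSecurity $upa).AccessRules |
    Select-Object Name, AllowedRights | Format-Table -AutoSize
```

The same listing can be compared against the NTLM users who do get the colleague pages; because claims and Windows identities are separate principals, a right held by the Windows account (or by an AD group) does not carry over to the same person's ADFS identity, which is why granting Full Control at the site and web application level in the question made no difference.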

Licensed under: CC-BY-SA with attribution