Доступ запрещен бизнес-подключением данных о настройке разрешений в магазине метаданных

Question

Когда я пытаюсь настроить разрешения на хранилище метаданных, я продолжаю получать эту ошибку

Я администратор фермы и имею полный доступ к SharePoint, чтобы начать с. Теперь, когда я пробурил дальше, глядя на мои журналы вот что случилось.

SPSecurityContext: 
Could not retrieve a valid windows identity for username 'DOMAIN\UserName' with UPN 'username@domain.com'. UPN is required when Kerberos constrained delegation is used. Exception: System.ArgumentException: Token cannot be zero.     
at System.Security.Principal.WindowsIdentity.CreateFromToken(IntPtr userToken)     
at System.Security.Principal.WindowsIdentity..ctor(IntPtr userToken, String authType, Int32 isAuthenticated)     
at System.Security.Principal.WindowsIdentity..ctor(IntPtr userToken)     
at Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(Func`2 contractOperation)     
at Microsoft.SharePoint.SPSecurityContext.GetWindowsIdentity(). b566569c-fb43-705a-1a09-c60c3572d56a
Unexpected  No windows identity for DOMAIN\UserName.    b566569c-fb43-705a-1a09-c60c3572d56a
Access Denied for User '0#.w|DOMAIN\UserName', which may be an impersonation by 'DOMAIN\ServiceUser'. Securable IMetadataCatalog with Name 'ApplicationRegistry' has ACL that contains:     b566569c-fb43-705a-1a09-c60c3572d56a
Unexpcted   'Business Data Connectivity Service' BdcServiceApplication logging server side AccessDeniedException before marshalling and rethrowing on client side: Access Denied for User '0#.w|DOMAIN\UserName', which may be an impersonation by 'DOMAIN\ServiceUser'. Securable IMetadataCatalog with Name 'ApplicationRegistry' denied access. 

Stack Trace:    
at Microsoft.SharePoint.BusinessData.SharedService.IndividuallySecurableMetadataObjectAccessor.SetAccessControlEntries(MetadataObjectStruct metadataObjectStruct, AccessControlEntryStruct[] aces, String settingId, DbSessionWrapper dbSessionWrapper)    
at Microsoft.SharePoint.BusinessData.SharedService.BdcServiceApplication.<>c__DisplayClass2c.<Microsoft.SharePoint.BusinessData.SharedService.IBdcServiceApplication.SetAccessControlEntries>b__2...    b566569c-fb43-705a-1a09-c60c3572d56a
at Microsoft.SharePoint.BusinessData.SharedService.BdcServiceApplication.Execute[T](String operationName, UInt32 maxRunningTime, ExecuteDelegate`1 operation)   b566569c-fb43-705a-1a09-c60c3572d56a
Micro Trace Tags: 0 nasq,0 e5mb,9 9f5y,82 bz7l,0 g220,6 g0k9,0 9f4c b566569c-fb43-705a-1a09-c60c3572d56a

.

Что я делаю не так?Как я могу это исправить?Мы не используем Kerberos и как мне отключить его для BDC? на старых SharePoint 2010, у меня никогда не было этой проблемы.

Answer 1

Ok I solved this issue after nearly a week of tinkering and Gooling, none of what I had done so far fixed it. So I gave up searching and reverted my efforts in creating another fresh instance of Sharepoint 2013, after installation I chose all defaults and check if it gives me the same error, to my surprise it didn't so I searched the differences and applied it with my live Sharepoint.

There are 2 main differences and here they are:

1. I migrated from classic-mode to claims-based authentication and followed this steps from TechNet http://technet.microsoft.com/en-us/library/gg251985.aspx
2. Then I reverted my claims to windows service to run as local account then restarted the service.

Now I can "Set Metadata Store Permissions"

Answer 2

Make sure 'DOMAIN\Userame' is member of WSS_WPG group. Also logout-login to propagate the membership through the domain.