Viewers of OrgChart receive Access Denied

by brianroche » Fri Aug 05, 2016 2:55 pm

I'm implementing an OrgChart utilizing SharePoint User Profiles and can see everything AOK; however, when I have a normal user try to view (new web part page w/ Plumsail OrgChart as the only part on the page) they get prompted for credentials and receive an access denied. In looking at the details of the ULS logs I see this:

Code:
System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)), StackTrace:   
 at Microsoft.SharePoint.SPWeb.InitWeb()   
 at Microsoft.SharePoint.SPWeb.get_EnableMinimalDownload()   
 at Microsoft.SharePoint.Utilities.SPUtility.Redirect(String url, SPRedirectFlags flags, HttpContext context, String queryString)   
 at Microsoft.SharePoint.Utilities.SPUtility.RedirectToAccessDeniedPage(HttpContext context)   
 at Microsoft.SharePoint.Utilities.SPUtility.HandleAccessDenied(HttpContext context)   
 at Microsoft.SharePoint.Utilities.SPUtility.HandleAccessDenied(Exception ex)   
 at Microsoft.SharePoint.Library.SPRequest.OpenWeb(String bstrUrl, String& pbstrServerRelativeUrl, String& pbstrTitle, String& pbstrDescription, String& pbstrTitleResourceId, String& pbstrDescriptionResourceId, Guid& pguidID, DateTime& pdtTimeCreated, String& pbstrRequestAccessEmail, UInt32& pwebVersion, Guid& pguidScopeId, UInt32& pnAuthorID, UInt32& pnLanguage, UInt32& pnLocale, UInt16& pnTimeZone, Boolean& bTime24, Int16& pnCollation, UInt32& pnCollationLCID, Int16& pnCalendarType, Int16& pnAdjustHijriDays, Int16& pnAltCalendarType, Boolean& pbShowWeeks, Int16& pnFirstWeekOfYear, UInt32& pnFirstDayOfWeek, Int16& pnWorkDays, Int16& pnWorkDayStartHour, Int16& pnWorkDayEndHour, Int16& pnMeetingCount, Int32& plFlags, Boolean& bConnectedToPortal, String& pbstrPortalUrl, String& pbstrPortalName, Int32& plWebTemplateId, Int16& pnProvisionConfig, String& pbstrDefaultTheme, String& pbstrDefaultThemeCSSUrl, String& pbstrThemedCssFolderUrl, String& pbstrAlternateCSSUrl, String& pbstrCustomizedCssFileList, String& pbstrCustomJSUrl, String& pbstrAlternateHeaderUrl, String& pbstrMasterUrl, String& pbstrCustomMasterUrl, String& pbstrSiteLogoUrl, String& pbstrSiteLogoDescription, Object& pvarUser, Boolean& pvarIsAuditor, UInt64& ppermMask, Boolean& bUserIsSiteAdmin, Boolean& bHasUniquePerm, Guid& pguidUserInfoListID, Guid& pguidUniqueNavParent, Int32& plSiteFlags, DateTime& pdtLastContentChange, DateTime& pdtLastSecurityChange, String& pbstrWelcomePage, Boolean& pbOverwriteMUICultures, Boolean& pbMUIEnabled, String& pbstrAlternateMUICultures, Int32& plSiteSchemaMajorVersion, Int32& plSiteSchemaMinorVersion, Int32& plSiteSchemaBuildVersion, Int32& plSiteSchemaRevisionVersion, Int32& puiVersion, Int16& pnClientTag, Boolean& pfIsEvalSite, Guid& pgSourceSiteId, DateTime& pdtExpirationDate, Guid& pgEvalSiteId, Guid& pguidAppProductId, String& pbstrRemoteAppUrl, String& pbstrOAuthAppId, String& pbstrAppDatabaseName, Guid& pgAppDatabaseServerReferenceId, String& 
pbstrAppDatabaseTargetApplicationId, String& pbstrAppWebDomainId, Int32& plUpgradeFlags, DateTime& pdtReminderDate, UInt64& pmaskDeny)   
 at Microsoft.SharePoint.SPWeb.InitWeb()   
 at Microsoft.SharePoint.SPWeb.get_RegionalSettings()   
 at Microsoft.Office.Server.SiteContext.GetCollation(UserProfileApplicationProxy userProfileApplicationProxy)   
 at Microsoft.Office.Server.UserProfiles.UserProfile.LoadOrganizationalUsers()   
 at Microsoft.Office.Server.UserProfiles.UserProfile.GetDirectReports()   
 at ›‹††‡—  ‹“—šŽ‡œ˜˜ˆ.‰›™’‡  Šš’’‹–‹‘†.›  •™’‘ˆ(UserProfile  )   
 at ›‹††‡—  ‹“—šŽ‡œ˜˜ˆ.‰›™’‡  Šš’’‹–‹‘†.‹‘  †›‹††(String  )   
 at Plumsail.OrgChart.Service.OrgChartService.GetUserProfileGroupItemDataById(String id, String idFieldInternalName, String parentIdFieldInternalName)   
 at SyncInvokeGetUserProfileGroupItemDataById(Object , Object[] , Object[] )   
 at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)   
 at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)   
 at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)   
 at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage31(MessageRpc& rpc)   
 at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)   
 at System.ServiceModel.Dispatcher.ChannelHandler.DispatchAndReleasePump(RequestContext request, Boolean cleanThread, OperationContext currentOperationContext)   
 at System.ServiceModel.Dispatcher.ChannelHandler.HandleRequest(RequestContext request, OperationContext currentOperationContext)   
 at System.ServiceModel.Dispatcher.ChannelHandler.AsyncMessagePump(IAsyncResult result)   
 at System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)   
 at System.Runtime.AsyncResult.Complete(Boolean completedSynchronously)   
 at System.Runtime.InputQueue`1.AsyncQueueReader.Set(Item item)   
 at System.Runtime.InputQueue`1.EnqueueAndDispatch(Item item, Boolean canDispatchOnThisThread)   
 at System.Runtime.InputQueue`1.EnqueueAndDispatch(T item, Action dequeuedCallback, Boolean canDispatchOnThisThread)   
 at System.ServiceModel.Channels.SingletonChannelAcceptor`3.Enqueue(QueueItemType item, Action dequeuedCallback, Boolean canDispatchOnThisThread)   
 at System.ServiceModel.Channels.HttpPipeline.EnqueueMessageAsyncResult.CompleteParseAndEnqueue(IAsyncResult result)   
 at System.ServiceModel.Channels.HttpPipeline.EnqueueMessageAsyncResult.HandleParseIncomingMessage(IAsyncResult result)   
 at System.Runtime.AsyncResult.SyncContinue(IAsyncResult result)   
 at System.ServiceModel.Channels.HttpPipeline.EmptyHttpPipeline.BeginProcessInboundRequest(ReplyChannelAcceptor replyChannelAcceptor, Action dequeuedCallback, AsyncCallback callback, Object state)   
 at System.ServiceModel.Channels.HttpChannelListener`1.HttpContextReceivedAsyncResult`1.ProcessHttpContextAsync()   
 at System.ServiceModel.Channels.HttpChannelListener`1.BeginHttpContextReceived(HttpRequestContext context, Action acceptorCallback, AsyncCallback callback, Object state)   
 at System.ServiceModel.Activation.HostedHttpTransportManager.HttpContextReceived(HostedHttpRequestAsyncResult result)   
 at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.HandleRequest()   
 at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.BeginRequest()   
 at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.OnBeginRequest(Object state)   
 at System.ServiceModel.AspNetPartialTrustHelpers.PartialTrustInvoke(ContextCallback callback, Object state)   
 at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.OnBeginRequestWithFlow(Object state)   
 at System.Runtime.IOThreadScheduler.ScheduledOverlapped.IOCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* nativeOverlapped)   
 at System.Runtime.Fx.IOCompletionThunk.UnhandledExceptionFrame(UInt32 error, UInt32 bytesRead, NativeOverlapped* nativeOverlapped)   
 at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP)


Is there a specific permission level on the page as well as the User Profile Service / Proxy that must be given to everyone in order for this to function correctly?

Thanks!

by brianroche » Wed Aug 10, 2016 3:18 pm

Any thoughts?

by thylocene » Wed Aug 17, 2016 12:03 am

Hi, I would look at the SQL logs. In general, if you get an Access denied there which ripples down to SharePoint, it is much more explicit in its reporting information. The other place to look is the ULS logs (I am assuming that this is a Windows event log item).

by brianroche » Thu Aug 18, 2016 6:31 pm

After lots of digging, I'm able to narrow it down to the "Use Remote Interfaces" permission. The interesting part is that if that permission is allowed to a user within the site collection it still prompts for credentials and errors an "Access Denied". If I go to the web application and create a web application scoped group that provides the "Use Remote Interfaces" rights (which also requires "Open" rights to be granted) it then allows the end user to load the org chart correctly.

Any ideas why the site-scoped rights for use remote interfaces aren't respected?

We use claims-based authentication on our on-premise environment vs. the legacy NTLM authentication if that makes a difference.

Thanks,
Brian

by Evgeniy Kovalev » Fri Aug 19, 2016 10:42 am

In recent versions, we changed the method of loading profiles. You could try to install the latest version of the application and check if the problem persists. Please inform us of the results.

Best regards
Evgeniy Kovalev
Plumsail Team

by brianroche » Mon Aug 22, 2016 2:31 pm

After some further digging, it looks like the OrgChart makes a web service call; however, it scopes that call to the web application root and not the site collection (or web) root. This chart in question was in a site collection (i.e. /sites/humanresourcesandotherorganizationalthings/), so the users did not currently have permission to the root site collection on the web application (i.e. / ). Once that permission was granted everything worked.
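One way to confirm the finding above before changing any permissions, as an added example that is not part of the original post or Plumsail's code: it reports whether a given user holds "Open" and "Use Remote Interfaces" (`SPBasePermissions.UseRemoteAPIs`) on both the web application root site collection and the site collection that hosts the chart. The URLs and the claims-encoded login are placeholders, and the script assumes it is run in the SharePoint Management Shell on a farm server by an account with rights to open both webs.

```powershell
# Added example: placeholder URLs and login, not values from the thread.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$login = 'i:0#.w|CONTOSO\jdoe'                    # placeholder claims-encoded login
$urls  = @(
    'https://intranet.example.com/',              # web application root site collection
    'https://intranet.example.com/sites/hr/'      # site collection hosting the chart
)
# "Use Remote Interfaces" in the UI is UseRemoteAPIs in the object model;
# it depends on Open, so both are checked.
$needed = @(
    [Microsoft.SharePoint.SPBasePermissions]::Open,
    [Microsoft.SharePoint.SPBasePermissions]::UseRemoteAPIs
)

function Test-OrgChartAccess {
    param(
        [string]$Login,
        [string[]]$Urls,
        [Microsoft.SharePoint.SPBasePermissions[]]$Permissions
    )
    foreach ($url in $Urls) {
        $web = Get-SPWeb -Identity $url -ErrorAction Stop
        try {
            foreach ($perm in $Permissions) {
                # Effective permission check for the named user on this web
                [pscustomobject]@{
                    Url        = $web.Url
                    Permission = $perm
                    Granted    = $web.DoesUserHavePermissions($Login, $perm)
                }
            }
        }
        finally {
            $web.Dispose()    # SPWeb objects from Get-SPWeb must be disposed
        }
    }
}

Test-OrgChartAccess -Login $login -Urls $urls -Permissions $needed |
    Format-Table -AutoSize
```

A row with `Granted` False for the root URL while the chart's site collection shows True matches the behaviour described in the post.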

by Anton Khritonenkov » Wed Sep 14, 2016 12:52 pm

Hi Brian,

Thank you for sharing the results of your research. We located the service calls you mentioned and will fix it in the next release of the Org Chart.

We really appreciate your help in improving our product!

Best regards
Anton Khritonenkov
Plumsail Team

by Anton Khritonenkov » Fri Sep 30, 2016 10:47 am

This has been fixed in the last version of Org Chart.