Access Denied Issue

Nov 20, 2014 at 1:39 AM
Edited Nov 20, 2014 at 1:43 AM
Hi all,

I would like to say a big thank you to the author who created this project.

I have an Azure group, say "Everybody", which contains all Azure users.
In my SharePoint 2013, I added this "(Role) Everybody" (which is the Azure Everybody group) to a SharePoint default member group (say "SP Members").

Then I granted this SharePoint member group Read permission to my portal.

I regularly received complaints that some users who are supposed to be in "(Role) Everybody" are hitting Access Denied when accessing my SharePoint portal. And I noticed that not all users but SOME are having this issue...

Not sure if anyone else who's using AzureCP is also hitting the same problem?

(As a temporary remedy, I granted "Everyone" - c:0(.s|true to avoid this issue.)
Coordinator
Nov 20, 2014 at 12:09 PM
Hello,

Many thanks for your feedback :)

Azure AD groups are added to the SAML token of the users by augmentation.
You can monitor ULS logs and filter on product AzureCP and category "Claims Augmentation" and check if there are any errors.
When augmentation completes successfully, the following message is recorded:
11/20/2014 13:05:35.00 w3wp.exe (0x0EB4) 0x0ECC AzureCP Claims Augmentation 1337 Medium [AzureCP] user yvand@***.onmicrosoft.com augmented with Azure AD group "usergroup1" (claim type http://schemas.microsoft.com/ws/2008/06/identity/claims/role). 43f4cd9c-e168-e055-882e-6f29c1404151

Hopefully it will help you to narrow down the issue.
cheers,
Yvan
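The ULS check described in the post above, as an added example that is not part of the original thread and not AzureCP code: it groups AzureCP "Claims Augmentation" entries by correlation ID and lists the requests that logged errors without adding any group claim. The tab-delimited column layout, the sample lines (constructed, modelled on the messages quoted in this thread) and the names `triage` and `failed_requests` are assumptions.

```python
import re
from collections import defaultdict

# Assumed ULS file layout: nine tab-delimited columns.
COLUMNS = ["Timestamp", "Process", "TID", "Area", "Category",
           "EventID", "Level", "Message", "Correlation"]
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
PROC = ("w3wp.exe (0x0EB4)", "0x0ECC")

# Constructed sample entries (users, tenant, event and correlation IDs are made up).
SAMPLE_ULS = "\n".join("\t".join(f) for f in [
    ("12/05/2014 02:29:58.10", *PROC, "AzureCP", "Claims Augmentation", "1337", "Medium",
     f'[AzureCP] user alice@contoso.example augmented with Azure AD group "Everybody" (claim type {ROLE}).',
     "00000000-0000-0000-0000-000000000001"),
    ("12/05/2014 02:30:01.42", *PROC, "AzureCP", "Claims Augmentation", "1337", "Unexpected",
     "[AzureCP] Access token of Azure AD tenant contoso expired. Renew it and try again: ExpiredTokenException",
     "00000000-0000-0000-0000-000000000002"),
    ("12/05/2014 02:30:01.97", *PROC, "AzureCP", "Claims Augmentation", "1337", "Unexpected",
     "[AzureCP] Unexpected error in FillClaimsForEntity: One or more errors occurred..",
     "00000000-0000-0000-0000-000000000002"),
    ("12/05/2014 02:30:02.03", *PROC, "SharePoint Foundation", "General", "0000", "Medium",
     "Unrelated entry from another product.", "00000000-0000-0000-0000-000000000002"),
])

AUGMENTED = re.compile(r'user (\S+) augmented with Azure AD group "([^"]+)"')
ERROR = re.compile(r"Unexpected error|expired", re.IGNORECASE)

def triage(text):
    """Group AzureCP 'Claims Augmentation' entries by correlation ID."""
    requests = defaultdict(lambda: {"groups": {}, "errors": []})
    for line in text.splitlines():
        entry = dict(zip(COLUMNS, (f.strip() for f in line.split("\t"))))
        if (entry.get("Area"), entry.get("Category")) != ("AzureCP", "Claims Augmentation"):
            continue  # skip other products and categories
        req = requests[entry.get("Correlation", "")]
        hit = AUGMENTED.search(entry.get("Message", ""))
        if hit:   # success message: record user -> groups added to the token
            req["groups"].setdefault(hit.group(1), []).append(hit.group(2))
        elif ERROR.search(entry.get("Message", "")):
            req["errors"].append(entry["Message"])
    return dict(requests)

def failed_requests(text):
    """Correlation IDs that logged errors and added no group claim."""
    return sorted(c for c, r in triage(text).items() if r["errors"] and not r["groups"])

if __name__ == "__main__":
    print(failed_requests(SAMPLE_ULS))
```
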
Nov 21, 2014 at 1:27 AM
Edited Nov 21, 2014 at 1:34 AM
Hi Yvand,

I found the error messages below in the ULS log:

Access token of Azure AD tenant xxxxxxxx expired. Renew it and try again: ExpiredTokenException: Your access token has expired. Please renew it before submitting the request., Callstack:    at Microsoft.Azure.ActiveDirectory.GraphClient.ConnectionWrapper.InvokeNetworkOperation[T](Func`1 action)     at Microsoft.Azure.ActiveDirectory.GraphClient.GraphConnection.ListCore(Type objectType, String linkToNextPage, FilterGenerator filter, Uri& listUri)  

Unexpected error in FillClaimsForEntity: One or more errors occurred.. Callstack:    at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)     at System.Threading.Tasks.Task.Wait()     at System.Threading.Tasks.Parallel.ForWorker[TLocal](Int32 fromInclusive, Int32 toExclusive, ParallelOptions parallelOptions, Action`1 body, Action`2 bodyWithState, Func`4 bodyWithLocal, Func`1 localInit, Action`1 localFinally)     at System.Threading.Tasks.Parallel.ForEachWorker[TSource,TLocal](IEnumerable`1 source, ParallelOptions parallelOptions, Action`1 body, Action`2 bodyWithState, Action`3 bodyWithStateAndIndex, Func`4 bodyWithStateAndLocal, Func`5 bodyWithEverything, Func`1 localInit, Action`1 localFinally)     at System.Threading.Tasks.Parallel...   
....ForEach[TSource](IEnumerable`1 source, Action`1 body)     at azurecp.AzureCP.QueryAzureADCollection(FilterGenerator userFilter, FilterGenerator groupFilter)     at azurecp.AzureCP.BuildFilterAndProcessResults(String input, List`1 azureObjectsToQuery, Boolean exactSearch, Uri context, String[] entityTypes, List`1& results)     at azurecp.AzureCP.<>c__DisplayClass38.<FillClaimsForEntity>b__34() ac21ce9c-9f92-209c-b06a-94a78cf8d633
Nov 27, 2014 at 7:43 AM
Hi,

Not sure if you guys have this issue? I believe it has to do with the Graph connection timeout and the handling of timeouts: it did not successfully re-obtain a new access token for augmentation.
Coordinator
Nov 27, 2014 at 9:47 AM
Hello,

Are the 2 error exceptions always recorded together?
ExpiredTokenException error is expected and handled (token is renewed and lookup continues).
In your environment, ExpiredTokenException error is handled (1st error message confirms it), but then Task is cancelled ( http://msdn.microsoft.com/en-us/library/dd321315(v=vs.110).aspx ). Unfortunately I don't know why because we don't see the exact Exception type.

If you agree, I can provide you with a private build that will record the exception type in the FillClaimsForEntity method, this should help us better understand it.

cheers,
Yvan
Dec 1, 2014 at 3:23 AM
Hi Yvand,

The log shows that the two error exceptions come together.

The funny bit is that I can still do a people picker query, and the log shows the queried users and their metadata such as email and mobile phone. The exception only occurs when I try to log out and log in again.

It would be great if I could have a private build that traces the exception!
Coordinator
Dec 1, 2014 at 12:24 PM
Please contact me by email at yvan84@live.com.
Cheers,
Yvan
Dec 5, 2014 at 2:30 AM
Hi Yvand,

With the build you sent, below is the error when I re-login:
[AzureCP] Unexpected error occurred while querying tenant xxxxxx: System.AggregateException: One or more errors occurred., Callstack:
at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
at Microsoft.Azure.ActiveDirectory.GraphClient.GraphConnection.List[T](String pageToken, FilterGenerator filter)
at azurecp.AzureCP.QueryAzureAD(FilterGenerator userFilter, FilterGenerator groupFilter, AzureTenant coco).


[AzureCP] Query on value "xxx my email address@xxxx" did not return any result.
Dec 10, 2014 at 1:29 AM
Edited Dec 10, 2014 at 1:31 AM
Hi Yvand,

With the v2.0 temp build, I'm still getting the same error as shown below
[AzureCP] Unexpected error in FillResolve(string): System.Threading.ThreadAbortException: Thread was being aborted.. Callstack:
at System.Threading.Tasks.Task.<>c__DisplayClass11.<ExecuteSelfReplicating>b__10(Object param0)
at System.Threading.Tasks.Task.Execute()
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot)
at System.Threading.Tasks.Task.ExecuteEntry(Boolean bPreventDoubleExecution)
at System.Threading.Tasks.ThreadPoolTaskScheduler.TryExecuteTaskInline(Task task, Boolean taskWasPreviouslyQueued)
at System.Threading.Tasks.TaskScheduler.TryRunInline(Task task, Boolean taskWasPreviouslyQueued)
at System.Threading.Tasks.Task.InternalRunSynchronously(TaskScheduler scheduler, Boolean waitForCompletion)
at System.Threading.Tasks.Parallel.ForWorker[TLocal](Int32 fromInclusive, Int32 toExclusive, ParallelOptions parallelOptions, Action`1 body, Action`2 bodyWithState, Func`4 bodyWithLocal, Func`1 localInit, Action`1 localFinally)
at System.Threading.Tasks.Parallel.ForEachWorker[TSource,TLocal](IEnumerable`1 source, ParallelOptions parallelOptions, Action`1 body, Action`2 bodyWithState, Action`3 bodyWithStateAndIndex, Func`4 bodyWithStateAndLocal, Func`5 bodyWithEverything, Func`1 localInit, Action`1 localFinally)
at System.Threading.Tasks.Parallel.ForEach[TSource](IEnumerable`1 source, Action`1 body)
at azurecp.AzureCP.QueryAzureADCollection(FilterGenerator userFilter, FilterGenerator groupFilter)
at azurecp.AzureCP.BuildFilterAndProcessResults(String input, List`1 azureObjectsToQuery, Boolean exactSearch, Uri context, String[] entityTypes, List`1& results)
at azurecp.AzureCP.<>c__DisplayClass4c.<FillResolve>b__48()
Let me know where I may find the additional log.
This error comes after [AzureCP] Access token of Azure AD tenant xxx expired.
Dec 19, 2014 at 1:32 AM
Edited Dec 20, 2014 at 5:01 AM
Hi Yvan,

I noticed that the error has to do with the PageToken in the Azure query bit.
All my users with names starting with "A", e.g. "angela.xxxxx", are working fine and the people picker returned their names.
But users with names from "B" onwards are not traceable, and even the group augmentation is not working.

Hope this sheds some light.
Coordinator
Jan 13, 2015 at 4:38 PM
Hello, I just published a new version that is a lot better than the previous one, you should give it a try and see if it helps.
cheers,
Yvan
Jan 30, 2015 at 7:07 AM
Hi Yvand,

Just to follow up on this.
The Group Augmentation is working fine now after deploying version 2.2.

Hence, we can close this thread.

However, there is still an issue, [AzureCP] Unexpected error in FillResolve(string): System.Threading.ThreadAbortException:
causing some pages/images to stop responding.
I believe the other thread has already reported this issue.
Hence, please close this thread for now.

Thanks for the effort!
Marked as answer by Yvand on 1/30/2015 at 3:13 AM
Coordinator
Jan 30, 2015 at 11:13 AM
hello, thanks for your feedback.
Can you confirm that you get the ThreadAbortException only when user connects for the 1st time to a site on which he doesn't have an explicit permission (e.g. through "Everyone")?
cheers,
Yvan