CSS SQL Server Engineers

This is the official team Web Log for Microsoft Customer Service and Support (CSS) SQL Support. Posts are provided by the CSS SQL Escalation Services

SharePoint Adventures : Access Denied errors when using RS 2012 with a Claims SharePoint Site

SharePoint Adventures : Access Denied errors when using RS 2012 with a Claims SharePoint Site

Rate This
  • Comments 4

I actually ran into this issue back in late April.  I wanted to get this out sooner but life happened.  This issue has started to crop up a lot more as more people are starting to use Reporting Services 2012 in SharePoint Integrated mode.  Here is the run down.  This issue is specific to a Claims Auth SharePoint site.  I encountered it with both Reporting Services and PowerPivot, but I’m going to focus on Reporting Services as there are other issues with PowerPivot in a Claims site and isn’t going to work regardless.

You can see this Access Denied error in different area and essentially occurs when you try to work with anything in a document library.  For example, you can create a Reporting Services Data Source and it will perform the Test Connection operation successfully.  But, once you try to open it up after saving it, you will see:

 

image

 

Throwing Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException: , Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException: The permissions granted to user 'BATTLESTAR\asaxton' are insufficient for performing this operation.; 

From Report Builder, if we try to reference that Data Source, we see the following:

image

If we try to deploy a report from a SQL Server Data Tools project, we see the following:

image

There is effectively the same in all circumstances and occurs when we try to go call the SharePoint API to get an item from the document library.  This is actually a SharePoint permission issue of sorts.

If you enable Verbose Logging for the SharePoint Foundation – General Category, you will see the following:

PermissionMask check failed. asking for 0x00010000, have 0x00000000

We can see that the PermissionMask is empty, but it is requiring OpenWeb (0x00010000) – SPRights Enumeration. So, this explains the Access Denied as it looks like I’m coming in as Anonymous.  The other puzzling piece here is the fact that it labeled ‘BATTLESTAR\asaxton’ in the error messages instead of the claims user which looks different.

I looked at the UserInfo table of the content database and saw the following:

image

Some how I’m in there twice with both my claims user and my Windows user.  And, it looks like it is picking up the Windows User when I’m getting the access denied instead of the claims user.  Listing the users within SharePoint using http://admadama:81/_layouts/people.aspx?MembershipGroupId=0 also shows both users.

image

You can click on the users until you see the user with the Windows User  instead of the claims user.

image

At this point we can delete this user and leave the claims user.  The Windows User will still show in the UserInfo table, but it sill show a value of 3 for tp_Deleted

image

After that, everything should start working as expected.

image

Of note, this issue is being addressed in SP1 as indicated in Tristan’s response here.

 

***** UPDATE – 7/13 *****

Of note, this only seems to really affect the Farm Admin account.  The BATTLESTAR\asaxton account is what I used when I setup SharePoint and Reporting Services.  When hitting this error, if I add another user, for example to the Members group, it only shows up once.

image

And, the items worked fine where as for asaxton they do not.  This should limit the impact to the organization.  If you think you are hitting this issue, you can use the people.aspx URL to check (http://admadama:81/_layouts/people.aspx?MembershipGroupId=0) or look at the UserInfo table to see if you see a claims entry and a Windows logon entry for the same user within the Content database for that Claims site.

 

Adam W. Saxton | Microsoft Escalation Services
http://twitter.com/awsaxton

Leave a Comment
  • Please add 8 and 3 and type the answer here:
  • Post
  • Thanks we've face this problem recently

  • Hi Adam,

    I don't think this problem is specific to Claims authenticated Sharepoint sites. I have a Classic Mode web application and I still get this error. I posted this issue here :

    social.msdn.microsoft.com/.../4cda3574-d800-4c83-8b23-8666af53601c

    Regards,

    Paul Lynch

  • Thanks mate. You have helped my very wel...

  • I'm getting similar errors  without reporting services running in SharePoint.  Some users have lost their logins.

    "PermissionMask check failed. asking for 0x00000005, have 0xB008431061"

    UserInfo row for the user has tp_deleted = 0, not 3.  

Page 1 of 1 (4 items)