Problem with unified sec groups using azurecp
Closed this issue · 10 comments
We use ver: AzureCP 19.0.20210211.1285 for SP 2019
Recently, we have encountered an issue with the unified groups. Users who are members of these groups encounter a permission denied message when going to the site. The workaround is to add them directly to the SP site group. I have seen a similar post from when users were using ver 15 but haven't been able to track this down. This is sporadic behavior as well, nothing consistent. Do you have suggestions/thoughts?
You need to verify a couple of things:
- Is Azure AD adding the group membership in the SAML token? If yes, what is the claim type / claim value?
- Is AzureCP configured to do augmentation?
- Does it impact only unified groups?
@schrockmatthew I think not all of your message was posted correctly, especially the picture I think you intended to attach.
You can simply navigate to the issue and see for yourself that it is not.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Sorry to be so late but this is the exact error we're receiving:
[AzureCP] Unexpected error(s) occurred in AugmentEntity: [EXCEPTION 1]: System.FormatException: Cannot add value because header 'Authorization' does not support multiple values.. Callstack:
at System.Net.Http.Headers.HttpHeaders.ParseAndAddValue(String name, HeaderStoreItemInfo info, String value)
at System.Net.Http.Headers.HttpHeaders.Add(String name, String value)
at azurecp.AADAppOnlyAuthenticationProvider.d__13.MoveNext() --- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Graph.AuthenticationHandler.d__15.MoveNext() --- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Graph.AuthenticationHandler.d__16.MoveNext() --- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Graph.HttpProvider.d__19.MoveNext()
The lookup gets the following:
[AzureCP] Unexpected error occurred while getting access token for tenant 'btlaw.microsoftonline.com' on cloud instance 'AzurePublic': System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel., Callstack:
at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
It looks like TLS 1.2 is not enabled / not enabled correctly on the SharePoint servers.
Can you follow this article to configure it?
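A read-only way to check the TLS 1.2 settings mentioned in the reply above on each SharePoint server. This is an added example, not code from the thread or from the AzureCP project. It assumes the standard .NET Framework 4.x and Schannel registry locations, and the function name Get-Tls12Setting is hypothetical.

```powershell
# Added example: audits (does not change) the registry values that control whether
# .NET Framework 4.x code on this server negotiates TLS 1.2 for outbound calls,
# such as the Azure AD token request that failed in the log above.
# Assumption: standard registry locations for .NET Framework 4.x and Schannel.
$netFx64  = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
$netFx32  = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'

$checks = @(
    @{ Path = $netFx64;  Name = 'SchUseStrongCrypto';       Expected = 1 },
    @{ Path = $netFx64;  Name = 'SystemDefaultTlsVersions'; Expected = 1 },
    @{ Path = $netFx32;  Name = 'SchUseStrongCrypto';       Expected = 1 },
    @{ Path = $netFx32;  Name = 'SystemDefaultTlsVersions'; Expected = 1 },
    @{ Path = $schannel; Name = 'Enabled';                  Expected = 1 },
    @{ Path = $schannel; Name = 'DisabledByDefault';        Expected = 0 }
)

function Get-Tls12Setting {
    param([Parameter(Mandatory)][hashtable[]]$Checks)
    foreach ($c in $Checks) {
        $actual = $null
        if (Test-Path -Path $c.Path) {
            # SilentlyContinue: a missing value is reported as NotSet, not as an error
            $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $actual = $item.($c.Name) }
        }
        # NotSet means the OS or framework default applies; Mismatch means an
        # explicit value differs from the one expected for TLS 1.2
        $state = if ($null -eq $actual) { 'NotSet' }
                 elseif ($actual -eq $c.Expected) { 'OK' }
                 else { 'Mismatch' }
        [pscustomobject]@{
            Path     = $c.Path
            Name     = $c.Name
            Expected = $c.Expected
            Actual   = $actual
            State    = $state
        }
    }
}

Get-Tls12Setting -Checks $checks | Format-Table -AutoSize -Wrap

# Protocols the current PowerShell (.NET) process will offer on outbound connections;
# 'SystemDefault' means the choice is delegated to the OS Schannel configuration.
[Net.ServicePointManager]::SecurityProtocol
```

Rows reported as Mismatch are the ones to compare against the TLS 1.2 configuration article; the SharePoint timer service and IIS application pools need a restart (or the server a reboot) before registry changes take effect.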