Yvand/EntraCP

Azure CP: Permissions are not effective while granted via Azure AD groups. Does work only in one WFE

Closed this issue · 8 comments

We are using AzureCP in a SharePoint Subscription Edition farm. Since Monday we have been facing a critical incident in our production farm. Only 1 out of our 4 WFEs is able to properly allow users to access sites when permissions are granted via Azure AD. For the traffic processed by the other 3 servers, users are getting the "Site has not been share with you" error message. We've already verified OS settings, policies etc.

Is there any way that you can support us, please?

Thank you in advance

BR
Szymon

(working on this issue through separate channels)

@SzymonCebula, based on the logs, augmentation (at sign-in time) fails because of #240.
Here is the callstack I found in your logs:

[AzureCP] Unexpected error occurred in AugmentEntity: System.ArgumentNullException: Value cannot be null., Callstack:   
 at Microsoft.SharePoint.Utilities.SPUtility.GetProviderName(String fullName)    
 at Microsoft.SharePoint.Administration.Claims.SPClaimEncodingManager.IsEncodedClaim(String value)    
 at azurecp.OperationContext..ctor(IAzureCPConfiguration currentConfiguration, OperationType currentRequestType, List`1 processedClaimTypeConfigList, String input, SPClaim incomingEntity, Uri context, String[] entityTypes, String hierarchyNodeID, Int32 maxCount)    
 at azurecp.AzureCP.AugmentEntity(Uri context, SPClaim entity, SPClaimProviderContext claimProviderContext, List`1 claims)

I fixed it in #267, and it will be available in the next version, but I am not ready to publish it in the next few days; I will need a bit more time.
I will update this issue as I have more visibility on this.

We appreciate your support. Could you please elaborate a little bit on "Fix an ArgumentNullException in a very rare scenario where ClaimsPrincipal.Identity is null" appearing in #267?

Could you please advise what the scenario is in which this "very rare scenario" occurs?

Sure, this is the scenario described in #240.
I suspect your scenario might be different, but with exactly the same root cause.

@Yvand I would like to clarify one detail. On the non-working servers (3 out of 4 WFEs), only permissions granted via Azure AD groups are not working. Permissions granted to user accounts are working properly on all 4 WFEs. I'm not sure whether that was clear from my previous input, so I would like to clarify that.

@SzymonCebula ack, it is consistent with the ArgumentNullException I referenced above, because in your scenario (based on the log message I copied earlier), this exception happens during augmentation.

@SzymonCebula FYI I just published v26.0, which should fix your issue.
Please make sure to do the update as documented in https://entracp.yvand.net/docs/usage/update/

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

This issue was closed because it has been stalled for 5 days with no activity.