Yvand/EntraCP

Site is not accessible from a few front-end servers post EntraCP installation

Closed this issue · 10 comments

Hi Yvand,

We host SharePoint Subscription Edition and are having an issue accessing the site on 2 front-end servers. It throws the error "sorry this site has not been shared with you". Earlier, we had AzureCP installed in the environment. Microsoft support reviewed the logs and suggested installing EntraCP to resolve the issue.

We have now installed EntraCP [Yvand.EntraCP v26.0.20240627.35] in our environment; unfortunately we are facing the same issue. Below are the log details from when we try to access the site on the 2 front-end servers. If the user is added directly to the site or to a SharePoint group, then we are able to access the site. Only when the user is added through a domain group does the user get access denied.
Please note we have 2 other front-end servers where the site is accessible without any issues, even when the user exists only in a domain group.

[EntraCP] Unexpected error while getting groups for user 'user id here' from tenant 'Tenant name': InvalidOperationException: Content type text/html does not have a factory registered to be parsed.

[EntraCP] Got no group in 822 ms for user 'userid'

0x00000000 will be removed because of per user DenySecurityPolicy.
0x00000000 will be removed because the rights have been denied at the site collection level.x

Context has no SMTP/UPN claims. IdentityContext: '{"nameid":"userid","nii":"trusted:Trustname","upn":"userid","userId":"userid","appliesTo":"https://webapplicationhostname/"}
0x00000000 will be removed because the rights have been denied at the site collection level
OriginalPermissionMask check failed for {F1704DF0-45BA-4AD7-9DA8-39F533645A3D}. Asking for 0x00020000, have 0x00000000
System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)), StackTrace: at Microsoft.SharePoint.SPWeb.InitWeb() at Microsoft.SharePoint.SPWeb.get_EnableMinimalDownload() at Microsoft.SharePoint.Utilities.SPUtility.Redirect(String url, SPRedirectFlags flags, HttpContext context, String queryString) at Microsoft.SharePoint.Utilities.SPUtility.HandleAccessDenied(HttpContext context, Exception exception, Boolean allowCompleteRequest) at Microsoft.SharePoint.ApplicationRuntime.SPRequestModule.PreSendRequestHeaders(Object oSender, EventArgs ea) at Microsoft.SharePoint.ApplicationRuntime.SPRequestModule.EndRequestHandler(Object oSender, EventArgs ea) at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error) at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb) at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context) at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags) at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags) at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus) at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus) at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)

Please suggest any inputs on how to overcome this issue. Please let me know if you need any further information.

@Yvand I just would like to clarify that Ram is working on resolving the issue I originally reported in #266.

Hi @RamParamesh, @SzymonCebula, can you please send me a screenshot of the EntraCP claims mapping page, which you can find in Central Administration > Security?

Hi Yvand,

Thank you for the response. I am attaching the Global Configuration page.

Ah no, not this one, the other EntraCP page please.

Hi Yvand,

Got it. Thanks for letting me know. Below is the screenshot.

@RamParamesh I do not see anything wrong in the config.
Actually, the error itself puzzles me: Content type text/html does not have a factory registered to be parsed.
If I had to guess, I would say that requests go through a proxy, and somehow it returns an HTML error/message to EntraCP, which of course it cannot understand.
Is it something you considered?

Hi Yvand,

We have 2 other servers working fine. Can you suggest whether we need to compare something with respect to proxy/firewall/Windows configuration between the working and non-working servers? We did this check with the respective teams and all of them said there are no changes from their end. We have no clue what can be verified from the server end. It would be great if you can provide some inputs on where it is blocking.

I wish to help, but I have very limited information for that.
I can at least explain my reasoning:

  • EntraCP explicitly asks Graph to respond with application/json. No way would Graph actually reply with text/html (that is a response for browsers and makes no sense for an app), so that is why I very strongly suspect the request was intercepted, and a proxy is the obvious candidate.
  • The augmentation happens in a dedicated w3wp.exe process (the STS) that is not the same as the one for the people picker. This process always runs with the farm account (not the app pool account). Did you consider this?
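A check an administrator can run on each front-end server to test the proxy theory above, added here as an example and not code from the thread or from EntraCP: it resolves the proxy Windows would hand this identity for graph.microsoft.com, sends a request with Accept: application/json the way the comment describes EntraCP doing, and reports whether the answer is JSON (Graph) or HTML (something in between). It assumes Windows PowerShell 5.1 (what SharePoint servers ship with), an unauthenticated call to https://graph.microsoft.com/v1.0/users as the probe, and that you run it under the farm account so the proxy settings match those of the STS process; compare the output of a working and a non-working server.

```powershell
# Added diagnostic example (not from EntraCP or the issue thread). Windows PowerShell 5.1.
# Run under the farm account on a working and a non-working front-end server and compare.
# Without a token Graph is expected to answer 401, but with a JSON body; an HTML body
# means a proxy or gateway answered instead of Graph.
$graphUrl = 'https://graph.microsoft.com/v1.0/users'   # assumed probe endpoint

# 1. Which proxy (if any) does this identity's system proxy setting give for the Graph host?
$proxyUri = [System.Net.WebRequest]::GetSystemWebProxy().GetProxy([uri]$graphUrl)
if ($proxyUri.AbsoluteUri -eq ([uri]$graphUrl).AbsoluteUri) {
    Write-Output 'Proxy for Graph: none (direct connection)'
} else {
    Write-Output "Proxy for Graph: $($proxyUri.AbsoluteUri)"
}

# 2. Ask for JSON explicitly and keep the response even on an HTTP error
#    (Invoke-WebRequest throws on 4xx/5xx, so the response is read from the exception).
$headers = @{ Accept = 'application/json' }
try {
    $resp        = Invoke-WebRequest -Uri $graphUrl -Headers $headers -UseBasicParsing -ErrorAction Stop
    $status      = [int]$resp.StatusCode
    $contentType = $resp.Headers['Content-Type']
    $body        = $resp.Content
} catch [System.Net.WebException] {
    $r = $_.Exception.Response
    if ($null -eq $r) { throw }   # no HTTP response at all: DNS/TCP/TLS failure, not an intercepted answer
    $status      = [int]$r.StatusCode
    $contentType = $r.ContentType
    $reader      = New-Object System.IO.StreamReader($r.GetResponseStream())
    $body        = $reader.ReadToEnd()
    $reader.Close()
}

# 3. Classify what came back. The first few hundred characters of an HTML page
#    usually carry the banner or title of the device that produced it.
$preview = $body.Substring(0, [Math]::Min(300, $body.Length))
Write-Output "HTTP $status, Content-Type: $contentType"
if ($contentType -like 'text/html*') {
    Write-Output 'HTML instead of JSON: a proxy or gateway answered, not Graph. Body preview:'
    Write-Output $preview
} elseif ($contentType -like 'application/json*') {
    Write-Output 'JSON came back: this server reaches Graph; look elsewhere for the failure.'
} else {
    Write-Output 'Unexpected content type; inspect the body preview:'
    Write-Output $preview
}
```

If the proxy line differs between the two servers, or the non-working one shows HTML, that is the configuration to hand to the proxy team; web.config proxy settings for the STS application pool may override the system proxy and are worth checking as well.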

Hi Yvand,

We identified that the issue is with the proxy only, and we are working with the concerned team.

Thank you for your prompt support on this. It was very helpful.

Thank you for taking the time to respond and confirm the origin of the issue!