Active Directory Groups Not Working in Sharepoint

Question

Tuesday, February 3, 2015 3:19 PM

We are trying to manage permissions with AD groups but thus far permissions are not working.  We have a site and are able to search for, find, and add AD groups.  However, users in this group still get access denied.  If users are added explicitly to the site or to a SharePoint group their permissions work correctly.  The UPS has been synced many times without issues and this problem has been occurring for weeks.  Is this a problem with SharePoint or AD?  Any ideas how to resolve it?

Also, I don't know if this is relevant, but the site is also configured for anonymous access.  If a user accesses the site anonymously they are granted read access; if they try to access the site while logged in with their account they get access denied.

All replies (5)

Wednesday, February 4, 2015 8:24 PM ✅Answered

I am not sure if this could be the reason, but I am just sharing my experience. We had an issue with major users not being able to access the site even after we created a separate SharePoint group and then added the AD groups to it.

After some investigation we found that the users having multiple IDs in the same domain had the issue. In our case many users had a test account, so, say, Richard Perry had two accounts: domain\rperry and domain\rperry2 (test a/c).

When we disabled his test account in AD, he was able to log in successfully with his prime account. It was because of confusion by AD when authenticating with the token.


Tuesday, February 3, 2015 4:22 PM

If the group was added to SharePoint and then users were added to the group, try waiting a day.  The claims token lifetime in SharePoint is fairly long.  So when new users are added to an existing AD group, SharePoint will not recognize the new membership in the claims token for 12-24 hours.  If you add a user today they should be able to log in tomorrow.  Take a look at the following blog post.  I think this is your issue.

http://www.andrewjbillings.com/sharepoint-2013-claims-authentication-ad-group-changes-not-reflected/

Paul Stork SharePoint Server MVP
Principal Architect: Blue Chip Consulting Group
Blog: http://dontpapanic.com/blog
Twitter: Follow @pstork
Please remember to mark your question as "answered" if this solves your problem.


Tuesday, February 3, 2015 5:38 PM

Thanks Paul, but this issue has existed for several weeks.  The AD groups and users have existed for months, and the AD group itself was added to SharePoint around Christmas.  We have been troubleshooting this whole time with no success.

Something else worth noting: the farm has two web applications and this problem only exists on one of them.  If I add an AD group to a site in the "good" web app and do a permission check for a user in that AD group, it returns the appropriate permissions and the user can access that site.  For the problematic web app the same AD group can be added to a site, but users in that group never show up in check permissions and always get access denied when accessing the site.

What could cause this functionality to work in one web app and fail in another?


Tuesday, February 3, 2015 7:13 PM

That sounds like some kind of an issue with the whole permissioning system in that Web App rather than a problem with just AD Groups.  I don't have a suggestion on what might be causing it.

Paul Stork SharePoint Server MVP
Principal Architect: Blue Chip Consulting Group
Blog: http://dontpapanic.com/blog
Twitter: Follow @pstork
Please remember to mark your question as "answered" if this solves your problem.


Wednesday, February 4, 2015 6:38 PM

We thought the same thing.  Within Central Admin we made sure that the authentication providers and user policies were identical between the two web apps.  Other than in IIS, I'm not sure where one could even affect one web app to interact differently with AD than another one.
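
An added example, not part of any reply in this thread: a SharePoint Management Shell script that puts the settings discussed above side by side for the two web applications (authentication mode, authentication providers, anonymous access and user policies per zone) and prints the farm's token lifetimes. The two URLs are placeholders, and the script assumes PowerShell 3.0 or later on a farm server.

```powershell
# Added example (not from the thread). Replace the placeholder URLs with the
# "good" and the problematic web application.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$urls = 'http://good-webapp.example', 'http://problem-webapp.example'

# Token lifetimes are farm-wide (one security token service), so they cannot
# explain a difference between two web apps, but they bound how long an old
# group membership stays in a user's claims token.
Get-SPSecurityTokenServiceConfig |
    Format-List WindowsTokenLifetime, FormsTokenLifetime, LogonTokenCacheExpirationWindow

$report = foreach ($url in $urls) {
    $wa = Get-SPWebApplication -Identity $url
    foreach ($zone in $wa.IisSettings.Keys) {
        # Get-SPAuthenticationProvider only applies to claims-mode web apps
        $providers = if ($wa.UseClaimsAuthentication) {
            Get-SPAuthenticationProvider -WebApplication $wa -Zone $zone |
                ForEach-Object { $_.DisplayName }
        } else {
            'classic mode (no claims providers)'
        }

        # All-zone policies plus zone-specific ones; a deny policy that matches
        # a user or group overrides any permission granted inside a site.
        $policies = @($wa.Policies) + @($wa.ZonePolicies($zone)) | ForEach-Object {
            $roles = ($_.PolicyRoleBindings | ForEach-Object { $_.Name }) -join '/'
            '{0} = {1}' -f $_.UserName, $roles
        }

        [pscustomobject]@{
            WebApp         = $wa.Url
            Zone           = $zone
            ClaimsAuth     = $wa.UseClaimsAuthentication
            AllowAnonymous = $wa.IisSettings[$zone].AllowAnonymous
            Providers      = $providers -join ', '
            Policies       = $policies -join '; '
        }
    }
}

# Same zone from both web apps ends up adjacent, so differences stand out
$report | Sort-Object Zone, WebApp | Format-List
```

Any row where `ClaimsAuth`, `Providers` or `Policies` differs between the two web apps for the same zone is the first place to look.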