SharePoint: All about non-imported user profiles

I find there is much confusion around this topic, so I’ll try to clear it up here. First off, non-imported profiles are well… not imported. They were not created by Profile Sync / AD Import / Sync with External Identity Manager. We also refer to these as “unmanaged”, or “stub” profiles because they typically only…


SharePoint – SAML auth: Users are authenticated as the wrong account

This is a pretty unique scenario, but it came up recently and exposed a little-known configuration “gotcha” with SharePoint. Consider the following scenario: You have two Trusted Providers (SAML auth) and are using them both for the same web application. For example, you have an Internal zone using URL that uses Trusted Provider “ADFS-Internal”…


SharePoint: 403 Forbidden accessing libraries and certain links in Site Settings

This was a special situation where most of the site appeared to work, but certain links under Site Settings would fail with 403 Forbidden. For example: Themes, Master Pages, Solutions, Composed looks, List Templates, Most document libraries. Actually, in some cases, the page request would result in Access Denied, and redirect the user to…


SharePoint: Check Permissions and External Tokens – ADFS (SAML auth)

This post is the third part of a series on the “Check Permissions” function. It’s focused on Trusted Provider authentication aka: SAML-claims. The way “Check Permissions” works varies by authentication method. For Windows or FBA auth, see my other posts: Windows-Claims Authentication:  Forms-based Authentication (FBA): Notes: I’ll be talking about Active Directory Federation Service (ADFS),…


SharePoint: Unique list permissions: The server was unable to save the form at this time

Consider the following scenario: You break permission inheritance on a list and give some users permission to only that list. The users can browse to the list, but when they try to add an item to the list or edit an existing item, the following error occurs: The server was unable to…


SharePoint – Intermittent “Sorry, this site hasn’t been shared with you”

Consider the following scenario: Randomly, when a user browses to a resource (site, list, etc) that they are supposed to have access to, they receive “Sorry, this site hasn’t been shared with you” (access denied). The users continue to get Access Denied for a period of time, and then it starts working again after making…


SharePoint: Quick Edit – The user does not exist or is not unique

Consider the following scenario: You have a SharePoint 2013 or 2016 web application that has both Windows and Trusted Provider / SAML authentication (ADFS, etc) enabled. You have a list with a “Person or Group”-type (aka: “people picker”) column in it. You edit the list using the “Quick Edit” / “edit this list” functionality to…


SharePoint: SAML Authentication – Nested Groups and Role Claims

I came across this topic troubleshooting a support case where users were getting Access Denied to a site using Trusted Provider (SAML) authentication. The Issue: Users were given permission to the site using a group that had other groups nested in it. The users were not direct members of the group being used for permission….


SharePoint: Windows user not equal to ADFS user

I’ve been over this concept with customers and support engineers so many times, that I’m not sure why I haven’t posted about it before. My colleague Adam posted on this topic a while back, but I wanted to expand on that a bit. The Setup: Let’s say you have a SharePoint (2010, 2013, 2016, 2019,…


SharePoint 2016: FBA authentication changes

Disclaimer: The below is a summary of observations made as the result of some reverse-engineering and Source Code review. It’s not necessarily to be taken as “official,” but does check out according to my testing. This post is not about configuring Forms-based Authentication (FBA). There’s plenty of other posts out there about that. The…