SharePoint: Check Permissions and External Tokens – ADFS (SAML auth)

This post is the third part of a series on the “Check Permissions” function. It’s focused on Trusted Provider authentication aka: SAML-claims. The way “Check Permissions” works varies by authentication method. For Windows or FBA auth, see my other posts: Windows-Claims Authentication; Forms-based Authentication (FBA). Notes: I’ll be talking about Active Directory Federation Service (ADFS),…


SharePoint: Unique list permissions: The server was unable to save the form at this time

Consider the following scenario: You break permission inheritance on a list and give some users permission to only that list. The users can browse to the list, but when they try to add an item to the list or edit an existing item, the following error occurs: The server was unable to…


SharePoint – Intermittent “Sorry, this site hasn’t been shared with you”

Consider the following scenario: Randomly, when a user browses to a resource (site, list, etc) that they are supposed to have access to, they receive “Sorry, this site hasn’t been shared with you” (access denied). The users continue to get Access Denied for a period of time, and then it starts working again after making…


SharePoint: Quick Edit – The user does not exist or is not unique

Consider the following scenario: You have a SharePoint 2013 or 2016 web application that has both Windows and Trusted Provider / SAML authentication (ADFS, etc) enabled. You have a list with a “Person or Group”-type (aka: “people picker”) column in it. You edit the list using the “Quick Edit” / “edit this list” functionality to…


SharePoint: SAML Authentication – Nested Groups and Role Claims

I came across this topic troubleshooting a support case where users were getting Access Denied to a site using Trusted Provider (SAML) authentication. The Issue: Users were given permission to the site using a group that had other groups nested in it. The users were not direct members of the group being used for permission…


SharePoint: Windows user not equal to ADFS user

I’ve been over this concept with customers and support engineers so many times, that I’m not sure why I haven’t posted about it before. My colleague Adam posted on this topic a while back, but I wanted to expand on that a bit. The Setup: Let’s say you have a SharePoint (2010, 2013, 2016, 2019,…


SharePoint 2016: FBA authentication changes

Disclaimer: The below is a summary of observations made as the result of some reverse-engineering and Source Code review. It’s not necessarily to be taken as “official,” but does check out according to my testing. This post is not about configuring Forms-based Authentication (FBA). There’s plenty of other posts out there about that. The…


SharePoint: Troubleshooting the Security Token Service (STS)

STS Background: In SharePoint 2010, 2013, 2016, etc, the Security Token Service (STS) is a web service hosted under the “SharePoint Web Services” IIS site on HTTP port 32843 and HTTPS port 32844, in a virtual directory called SecurityTokenServiceApplication. In SharePoint 2010, it contains 2 web services: Securitytoken.svc, Windowstokencache.svc. In SharePoint 2013 and 2016, it contains…


SharePoint: User Profile web service failures and the dreaded 8313 error

This post is about how a simple web service failure, caused by a networking or Active Directory issue, can take your site down. I’ve come across this a few different ways. The behavior is almost always intermittent, making it hard to track down. Possible Symptoms: Users intermittently receive a “Something Went Wrong” message when…


SharePoint: Profile Sync and the Domain Users group – the Primary Group problem

This problem manifests itself in a few different ways: You create an Audience based on “Member Of” the “Domain Users” group. You notice there are only a couple (or maybe even zero) members shown, whereas you may have hundreds or thousands of users in that group. You have a SharePoint Add-In (previously known…