使用 OAuth 和 SAML 声明时出现“401 未授权”错误
症状
请考虑以下情况:
- 使用安全断言标记语言 (SAML) 声明类型,这些声明类型使用 Active Directory 联合身份验证服务 (AD FS) 作为场中的身份验证提供程序。
- 您正在使用 Role 或 GroupSID 声明向场中 Microsoft SharePoint 2013 网站上的用户授予权限。
- 服务器场版本早于版本 15.0.4805.1000, (2016 年 3 月累积更新) 。
在此方案中,通过 Role 或 GroupSID 声明类型分配了适当权限的用户在以下情况下使用 OAuth 身份验证方法时会收到“401 未授权”错误消息:
- 工作流管理器 (SharePoint 2013 工作流)
- Web 应用程序配套 (WAC - Office Web 应用)
- 高信任或低信任提供程序托管的应用
- 跨服务器场服务应用程序发布/使用
- 混合 SharePoint 2013/SharePoint Online 方案
- SharePoint 与 Exchange 和 Lync 2013/Skype for Business 集成
解决方案
若要解决此问题,请在场中的所有服务器上安装 Microsoft SharePoint Server 2016 年 3 月累积更新 。
作为修复的一部分,将新属性 GroupClaimType 添加到 SPTrustedIdentityTokenIssuer 对象。 若要使 OAuth 能够正常工作,必须将此属性设置为正确的声明类型,以便对通过 Role 或 GroupSID 声明类型分配权限的用户进行授权。
若要设置 GroupClaimType 属性,请运行以下Windows PowerShell命令:
#Create a variable containing the SPTrustedIdentityTokenIssuer object
$issuer = Get-SPTrustedIdentityTokenIssuer
#Set the GroupClaimType property to the Role claim type, do not run for GroupSID claim type
$issuer.GroupClaimType = [Microsoft.IdentityModel.Claims.ClaimTypes]::Role
#Set the GroupClaimType property to the GroupSID claim type, do not run for Role claim type
$issuer.GroupClaimType = [Microsoft.IdentityModel.Claims.ClaimTypes]::GroupSid
#Update the SPTrustedIdenityTokenIssuer object to apply the change
$issuer.Update()
更多信息
失败工作流的示例错误消息:
RequestorId: <Requestor ID>. Details: System.ApplicationException: HTTP 401 {"error":{"code":"-2147024891, System.UnauthorizedAccessException","message":{"lang":"en-US","value":"Access denied. You do not have permission to perform this action or access this resource."}} } {"Transfer-Encoding":["chunked"],"X-SharePointHealthScore":["0"],"SPRequestGuid":["<SP Request GUID>"],"request-id":["<Request ID>"],"X-FRAME-OPTIONS":["SAMEORIGIN"],"MicrosoftSharePointTeamServices":["15.0.0.4805"],"X-Content-Type-Options":["nosniff"],"X-MS-InvokeApp":["1; RequireReadOnly"],"Cache-Control":["max-age=0, private"],"Date":["Fri, 19 Aug 2016 20:35:30 GMT"],"Server":["Microsoft-IIS\/8.0"],"WWW-Authenticate":["NTLM"],"X-AspNet-Version":["4.0.30319"],"X-Powered-By":["ASP.NET"]} at Microsoft.Activities.Hosting.Runtime.Subroutine.SubroutineChild.Execute(CodeActivityContext context) at System.Activities.CodeActivity.InternalExecute(ActivityInstance instance, ActivityExecutor executor, BookmarkManager bookmarkManager) at System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor executor, BookmarkManager bookmarkManager, Location resultLocation)
统一日志记录系统中的示例日志条目 (ULS) 日志:
15:54:30.25 w3wp.exe (0x9FCC) 0x5F78 SharePoint Foundation CSOM aii1c Verbose Checking
SPBasePermissions.Open permission
15:54:30.25 w3wp.exe (0x9FCC) 0x5F78 SharePoint Foundation Authentication Authorization ajmmu
Medium Permission check failed. asking for 0x10000, have 0x2000000000 645f0edc-7ec9-44c5-84b7-
2adfba2f7f92
15:54:30.25 w3wp.exe (0x9FCC) 0x5F78 SharePoint Foundation CSOM afxwb High
System.UnauthorizedAccessException: Attempted to perform an unauthorized operation. at
Microsoft.SharePoint.SPGlobal.HandleUnauthorizedAccessException(UnauthorizedAccessException ex) at
Microsoft.SharePoint.SPSecurableObject.CheckPermissions(SPBasePermissions permissionMask) at
Microsoft.SharePoint.Client.SPClientServiceHost.OnBeginRequest() at
Microsoft.SharePoint.Client.Rest.RestService.ProcessQuery(Stream inputStream, IList`1
pendingDisposableContainer)
15:54:30.25 w3wp.exe (0x9FCC) 0x5F78 SharePoint Foundation CSOM agmjp High Original error:
System.UnauthorizedAccessException: Attempted to perform an unauthorized operation. at
Microsoft.SharePoint.SPGlobal.HandleUnauthorizedAccessException(UnauthorizedAccessException ex) at
Microsoft.SharePoint.SPSecurableObject.CheckPermissions(SPBasePermissions permissionMask) at
Microsoft.SharePoint.Client.SPClientServiceHost.OnBeginRequest() at
Microsoft.SharePoint.Client.Rest.RestService.ProcessQuery(Stream inputStream, IList`1
pendingDisposableContainer)
15:54:30.25 w3wp.exe (0x9FCC) 0x5F78 SharePoint Portal Server Microfeeds aizmo Medium
SocialRESTExceptionProcessingHandler.DoServerExceptionProcessing - SharePoint Server Exception
[System.UnauthorizedAccessException: Attempted to perform an unauthorized operation. at
Microsoft.SharePoint.SPGlobal.HandleUnauthorizedAccessException(UnauthorizedAccessException ex) at
Microsoft.SharePoint.SPSecurableObject.CheckPermissions(SPBasePermissions permissionMask) at
Microsoft.SharePoint.Client.SPClientServiceHost.OnBeginRequest() at
Microsoft.SharePoint.Client.Rest.RestService.ProcessQuery(Stream inputStream, IList`1
pendingDisposableContainer)] 645f0edc-7ec9-44c5-84b7-2adfba2f7f92
15:54:30.25 w3wp.exe (0x9FCC) 0x5F78 SharePoint Foundation Claims Authentication af32v Verbose
Claims Windows Sign-In: Sending 401 for request
'http://<;servername>;:30079/_vti_bin/client.svc/web/lists/getbyid(guid'<GUID>')' because the request is not from a browser.
15:54:30.25 w3wp.exe (0x9FCC) 0x5F78 SharePoint Foundation Authentication Authorization alkvd
Medium Throw UnauthorizedAccessException instead of SPUtilityInternal.Send401 for client.svc request.
状态
Microsoft 已确认,这是早于 2016 年 3 月累积更新 (v. 15.0.4805.1000) 的 SharePoint 场版本中的问题。
References
仍然需要帮助? 请转到 SharePoint 社区。
反馈
即将发布:在整个 2024 年,我们将逐步淘汰作为内容反馈机制的“GitHub 问题”,并将其取代为新的反馈系统。 有关详细信息,请参阅:https://aka.ms/ContentUserFeedback。
提交和查看相关反馈