SharePoint 2013 Access denied due to permission levels

Our customer has a public web application that external users located in a trusted domain can log on to. External users should not be able to browse user information, so we created a custom Web Application permission level that withholds this permission from certain AD groups.


Issue
The Web Application had functioned correctly for a long time when, all of a sudden, external users started getting access denied errors on a single site. There are a few blog posts on the net about fixing access denied errors that affect a whole Web Application or Site Collection, for example by checking the object cache (super user/reader) accounts. This issue was different: externals could log on to almost all sites but not to one subsite, and the affected user got the same error even after being granted Full Control on the Web Application.

Errors in the ULS
There weren’t many errors in the Event Viewer, but the ULS log pointed us in the right direction. We found the following Access Denied stack traces:

Access Denied for <Site>/SitePages/Home.aspx. StackTrace:
at Microsoft.SharePoint.Utilities.SPUtility.HandleAccessDenied(HttpContext context)
at Microsoft.SharePoint.Utilities.SPUtility.HandleAccessDenied(Exception ex)
at Microsoft.SharePoint.Library.SPRequest.GetGroupsDataAsSafeArray(String bstrUrl, UInt32 dwGroupsScope, String bstrValue, UInt32 dwValue, UInt32& pdwColCount, UInt32& pdwRowCount, Object& pvarDataSet)
at Microsoft.SharePoint.SPGroupCollection.InitGroups(Boolean fCustomUsers, String[] strNames, Int32[] groupIds)
at Microsoft.SharePoint.SPBaseCollection.GetEnumerator()
at Microsoft.Office.Server.Audience.AudienceManager.GetUserAudienceIDs(String accountName, SPWeb web, Boolean loadAudiences, Boolean loadSharePointGroups, Boolean loadMemberships)
at Microsoft.Office.Server.WebControls.AudienceLoader.EnsureCurrentUserAudienceIDs(Boolean needAudienceName, Boolean loadAudiences, Boolean loadMemberships, Boolean loadSharePointGroups)

and

GetUserAudienceIDs::GetUserAudienceIDs() failed in SharePoint Group membership resolution (Exception Message : Thread was being aborted. StackTrace
at System.Threading.Thread.AbortInternal()
at System.Threading.Thread.Abort(Object stateInfo)
at System.Web.HttpResponse.AbortCurrentThread()
at Microsoft.SharePoint.Utilities.SPUtility.Redirect(String url, SPRedirectFlags flags, HttpContext context, String queryString)
at Microsoft.SharePoint.Utilities.SPUtility.RedirectToAccessDeniedPage(HttpContext context)
at Microsoft.SharePoint.Utilities.SPUtility.HandleAccessDenied(HttpContext context)
at Microsoft.SharePoint.Utilities.SPUtility.HandleAccessDenied(Exception ex)
at Microsoft.SharePoint.Library.SPRequest.GetGroupsDataAsSafeArray(String bstrUrl, UInt32 dwGroupsScope, String bstrValue, UInt32 dwValue, UInt32& pdwColCount, UInt32& pdwRowCount, Object& pvarDataSet)
at Microsoft.SharePoint.SPGroupCollection.InitGroups(Boolean fCustomUsers, String[] strNames, Int32[] groupIds)
at Microsoft.SharePoint.SPBaseCollection.GetEnumerator()
at Microsoft.Office.Server.Audience.AudienceManager.GetUserAudienceIDs(String accountName, SPWeb web, Boolean loadAudiences, Boolean loadSharePointGroups, Boolean loadMemberships) . No SharePoint Group IDs will be returned.

Solution
It looked like it had something to do with audiences, which had never been configured on this site. The traces tell the story: the AudienceLoader asks AudienceManager.GetUserAudienceIDs to resolve the current user's SharePoint group memberships, enumerating the groups (SPGroupCollection → GetGroupsDataAsSafeArray) throws Access Denied for a user without Browse User Information, and the redirect to the access denied page aborts the request thread, which is the second trace. One possible solution is to grant external users the Browse User Information permission, which does resolve the error, but then external users can find other external users, which is exactly what the permission level was meant to prevent.

We solved the issue by going through the places where audiences can be set. We checked all Web Parts first, but external users also got access denied on document libraries that only had the default Web Parts. We then checked the site navigation and found that a site owner had added a link and enabled audience targeting on it. External users cannot “open” (resolve the membership of) the group used for that link, so they receive access denied.

Make sure that when you deny the ‘Browse User Information’ permission to certain users or groups, no audiences are set on the site navigation or on Web Parts!
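To find such audience targeting without clicking through every page and navigation link, the following PowerShell script (an added example, not code from the original post) audits a web and its subwebs for audience-targeted navigation nodes and Web Parts, and first confirms whether the affected account actually lacks Browse User Information on that web. It uses the SharePoint server object model, so run it in the SharePoint 2013 Management Shell with farm administrator rights. The site URL and login name are placeholders; audience targeting on navigation nodes is read from the node's “Audience” property and on Web Parts from AuthorizationFilter, which is where SharePoint stores it.

```powershell
# Added example, not code from the original post. Audits a SharePoint 2013 web (and its
# subwebs) for audience targeting on navigation links and Web Parts, which is what a user
# without "Browse User Information" trips over. Run in the SharePoint 2013 Management Shell
# with farm administrator rights. $webUrl and $login are placeholders (assumptions).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webUrl = "https://portal.contoso.local/sites/customer/subsite"   # assumption: the failing subsite
$login  = "TRUSTED\external.user"                                 # assumption: an affected external account

function Get-AudienceNodes {
    # Walk a navigation node collection recursively and return nodes with an audience set.
    # SharePoint stores navigation audience targeting in the node's "Audience" property.
    param([Microsoft.SharePoint.Navigation.SPNavigationNodeCollection]$Nodes)
    foreach ($node in $Nodes) {
        $audience = $node.Properties["Audience"]
        if (-not [string]::IsNullOrEmpty($audience)) {
            [pscustomobject]@{ Kind = "NavigationNode"; Title = $node.Title; Url = $node.Url; Audience = $audience }
        }
        if ($node.Children.Count -gt 0) { Get-AudienceNodes -Nodes $node.Children }
    }
}

function Get-AudienceWebParts {
    # Open each .aspx page in the web's root folder and Site Pages libraries in the shared
    # scope and report Web Parts whose AuthorizationFilter (the audience field) is set.
    param([Microsoft.SharePoint.SPWeb]$Web)
    $files = @($Web.RootFolder.Files | Where-Object { $_.Name -like "*.aspx" })
    foreach ($list in ($Web.Lists | Where-Object { $_.BaseTemplate -eq "WebPageLibrary" })) {
        $files += @($list.Items | ForEach-Object { $_.File } | Where-Object { $_.Name -like "*.aspx" })
    }
    foreach ($file in $files) {
        $mgr = $null
        try {
            $mgr = $Web.GetLimitedWebPartManager($file.ServerRelativeUrl,
                     [System.Web.UI.WebControls.WebParts.PersonalizationScope]::Shared)
            foreach ($wp in $mgr.WebParts) {
                if (-not [string]::IsNullOrEmpty($wp.AuthorizationFilter)) {
                    [pscustomobject]@{ Kind = "WebPart"; Title = $wp.Title; Url = $file.ServerRelativeUrl; Audience = $wp.AuthorizationFilter }
                }
            }
        } catch {
            Write-Warning ("Could not open {0}: {1}" -f $file.ServerRelativeUrl, $_.Exception.Message)
        } finally {
            # The limited Web Part manager opens its own SPWeb, which must be disposed.
            if ($mgr -ne $null) { $mgr.Web.Dispose() }
        }
    }
}

function Find-AudienceTargets {
    param([Microsoft.SharePoint.SPWeb]$Web, [string]$Login)
    # 1. Confirm whether the account actually holds Browse User Information on this web.
    $canBrowse = $Web.DoesUserHavePermissions($Login, [Microsoft.SharePoint.SPBasePermissions]::BrowseUserInfo)
    Write-Host ("{0}: {1} has BrowseUserInfo = {2}" -f $Web.Url, $Login, $canBrowse)

    # 2. Report every audience-targeted navigation link and Web Part on the web.
    $hits = @(Get-AudienceNodes -Nodes $Web.Navigation.QuickLaunch) +
            @(Get-AudienceNodes -Nodes $Web.Navigation.TopNavigationBar) +
            @(Get-AudienceWebParts -Web $Web)
    if ($hits.Count -eq 0) { Write-Host "  no audience targeting found" }
    else { $hits | Format-Table Kind, Title, Url, Audience -AutoSize }

    # 3. Recurse into subwebs, disposing each one afterwards.
    foreach ($sub in $Web.Webs) {
        try { Find-AudienceTargets -Web $sub -Login $Login } finally { $sub.Dispose() }
    }
}

$web = Get-SPWeb $webUrl
try { Find-AudienceTargets -Web $web -Login $login } finally { $web.Dispose() }
```

On a claims-based Web Application, pass the claims-encoded login (for example i:0#.w|TRUSTED\external.user) rather than the plain domain account, otherwise the permission check reports on the wrong principal. Any row the script prints is a navigation link or Web Part that external users without Browse User Information will fail to resolve; remove the audience there or, as the post warns, expect the access denied redirect to return.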
