SP 2013 :: Error occured: System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied


When users try to search they get following error in the Search Center Site:

Sorry, something went wrong.

Search has encountered a problem that prevents results from being returned. If the issue persists, please contact your administrator.

 

image

In the ULS logs, you would notice errors similar to following:

SearchServiceApplicationProxy::GetQueryParameterSpecification–Error occured: System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.

Cause

The issue happens if the default Local Farm Account does not have permission to the Search Service Application.

Steps to identify and rectify the issue

# Review the ULS logs from the Query Server for the correlation Id. You would see messages similar to following:

07-26-2015 01:44:55.41        w3wp.exe (0x4F00)        0x341C        SharePoint Server Search        Query        dka5        High        SearchServiceApplicationProxy::GetUserPreferenceSerializeHelperForTenant–Error occured: System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.    Server stack trace:      at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)     at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)     at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)     at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)    Exception rethrown at [0]:      at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)     at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)     at Microsoft.Office.Server.Search.Administration.ISearchSiteAdministrationServiceApplication.GetUserPreferenceSerializeHelperForTenant(Guid tenantId, Byte[] userID)     at Microsoft.Office.Server.Search.Administration.SearchServiceApplicationProxy.<>c__DisplayClass27f.<GetUserPreferenceSerializeHelperForTenant>b__27e(ISearchServiceApplication serviceApplication)     at Microsoft.Office.Server.Search.Administration.SearchServiceApplicationProxy.DoSpLoadBalancedUriWsOp[T](WebServiceBackedOperation`1 webServiceCall, Int32 timeoutInMilliseconds, Int32 wcfTimeoutInMilliseconds, String operationName)

07-26-2015 01:46:05.03        w3wp.exe (0x4F00)        0x5190        SharePoint Server Search        Query        dka5        High        SearchServiceApplicationProxy::GetQueryParameterSpecification–Error occured: System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.    Server stack trace:      at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)     at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)     at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)     at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)    Exception rethrown at [0]:      at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)     at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)     at Microsoft.Office.Server.Search.Query.Rules.IQueryRuleOperations.GetQueryParameterSpecification(SearchObjectFilter filter)     at Microsoft.Office.Server.Search.Administration.SearchServiceApplicationProxy.DoSpLoadBalancedUriWsOp[T](WebServiceBackedOperation`1 webServiceCall, Int32 timeoutInMilliseconds, Int32 wcfTimeoutInMilliseconds, String operationName

07-26-2015 01:46:13.75        w3wp.exe (0x1130)        0x09AC        SharePoint Server Search        Query        dka5        High        SearchServiceApplicationProxy::GetSearchServiceApplicationInfo–Error occured: System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.    Server stack trace:      at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)     at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)     at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)     at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)    Exception rethrown at [0]:      at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)     at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)     at Microsoft.Office.Server.Search.Query.ISearchQueryServiceApplication.GetSearchServiceApplicationInfo()     at Microsoft.Office.Server.Search.Administration.SearchServiceApplicationProxy.DoSpLoadBalancedUriWsOp[T](WebServiceBackedOperation`1 webServiceCall, Int32 timeoutInMilliseconds, Int32 wcfTimeoutInMilliseconds, String operationName)

# Navigate to the permission of the search service application from the central admin site and check if you have the Local Farm account added to it. If not, we need to add it.

 

image

# Steps to give permission to the Local Farm account, run following from the SharePoint Management Shell and then again navigate to the permissions to ensure the Local Farm Account has permission.

$farmid = Get-SPFarm | Select Id

$ssa = Get-SPEnterpriseSearchServiceApplication -Identity “Search Service Application”

$security = $ssa | Get-SPServiceApplicationSecurity

$claimprovider = (Get-SPClaimProvider System).ClaimProvider

$principal = New-SPClaimsPrincipal -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" -ClaimProvider $claimprovider -ClaimValue $farmid

Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"

$ssa | Set-SPServiceApplicationSecurity -ObjectSecurity $security

 

image

 

Post By :Paresh Gandhi [MSFT]


Comments (3)

  1. Ionut says:

    It’s not working. After running the commands I’m unable to open permissions from CA.
    I run the following to restore:

    revoke-spobjectsecurity $security -all

    set-spserviceapplicationsecurity -identity $security

    But the Local Farm is still not showing on Permissions page.

  2. Ionut says:

    This is the error: Exception of type ‘System.ArgumentException’ was thrown.
    Parameter name: claim

    1. Ionut says:

      and the solution is:
      run this : $farmID = Get-SPFarm | select id
      then $farmid
      copy the ID
      paste it in permissions… and do check name
      add with Full Control
      and you will have Local Farm added

Skip to main content