SharePoint 2013 CSOM call from web part fails with 401 for all users


This issue has come up at least 3 times in the list of issues I deal with here in SharePoint Escalation Services Support team, so I thought I’ll write a post about this on how to resolve this problem.

Issue:

You’ve designed a simple Visual Web Part with the following code in button click event handler and deployed it to a SharePoint Server 2013 environment.

   1: protected void Button1_Click(object sender, EventArgs e)
   2: {
   3:   try
   4:     {
   5:       ClientContext clientContext = new ClientContext("http://team.contoso.com");
   6:       clientContext.Credentials = System.Net.CredentialCache.DefaultNetworkCredentials;
   7:       Web oWeb = clientContext.Web;
   8:       ListCollection oListCollection = oWeb.Lists;
   9:       clientContext.Load(oListCollection);
  10:       clientContext.ExecuteQuery();
  11:       lstLists.Items.Clear();
  12:       foreach (List oList in oListCollection)
  13:       {
  14:         lstLists.Items.Add(oList.Title);
  15:       }
  16:     }
  17:     catch (Exception ex)
  18:     {
  19:       lblMessage.Text = ex.Message;
  20:     }
  21: }

When you drop an instance of this web part on a page and click the button.  You’ll get the following error.

The remote server returned an error: (401) Unauthorized.

Cause:

If you look at the verbose ULS entries, you’ll see the following:

 

02/06/2014 06:20:18.74    w3wp.exe (0x1EF0)    0x1AB8    SharePoint Foundation    General    8xfr    Verbose    PermissionMask check failed. asking for 0x08000000, have 0x00000000    1195719c-0516-2045-a82e-8077f54daf22

02/06/2014 06:20:18.74    w3wp.exe (0x1EF0)    0x1AB8    SharePoint Foundation    General    8xfr    Verbose    PermissionMask check failed. asking for 0x00010000, have 0x00000000    1195719c-0516-2045-a82e-8077f54daf22

02/06/2014 06:20:18.74    w3wp.exe (0x1EF0)    0x1AB8    SharePoint Foundation    General    8e2s    Medium    Unknown SPRequest error occurred. More information: 0x80070005    1195719c-0516-2045-a82e-8077f54daf22

02/06/2014 06:20:18.75    w3wp.exe (0x1EF0)    0x1AB8    SharePoint Foundation    General    aix9j    High    SPRequest.RenderFormDigest: UserPrincipalName=i:0).w|s-1-5-17, AppPrincipalName= ,bstrUrl=

http://team.contoso.com/_vti_bin/sites.asmx    1195719c-0516-2045-a82e-8077f54daf22

02/06/2014 06:20:18.75    w3wp.exe (0x1EF0)    0x1AB8    SharePoint Foundation    General    ai1wu    Medium    System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)), StackTrace:    at Microsoft.SharePoint.WebControls.FormDigest.RenderCore(SPWeb web)     at Microsoft.SharePoint.WebControls.FormDigest.get_DigestValue()     at Microsoft.SharePoint.SoapServer.SitesImpl.GetUpdatedFormDigestInformation(String url)     at Microsoft.SharePoint.SoapServer.Sites.GetUpdatedFormDigestInformation(String url)     at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)     at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)     at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)     at System.Web.Services.Protocols.LogicalMethodInfo.Invoke(Object target, Object[] values)     at System.Web.Services.Protocols.WebServiceHandler.Invoke()     at System.Web.Services.Protocols.WebServiceHandler.CoreProcessRequest()     at System.Web.Services.Protocols.SyncSessionlessHandler.ProcessRequest(HttpContext context)     at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()     at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)     at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error)     at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb)     at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)     at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)     at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)     at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)     at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)     at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)     at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)    1195719c-0516-2045-a82e-8077f54daf22

02/06/2014 06:20:18.77    w3wp.exe (0x1EF0)    0x1AB8    SharePoint Foundation    General    ftd0    Medium    Access Denied. Exception: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)), StackTrace:   at Microsoft.SharePoint.Library.SPRequestInternalClass.RenderFormDigest(String bstrUrl, ISPDataCallback pFormCallback)     at Microsoft.SharePoint.Library.SPRequest.RenderFormDigest(String bstrUrl, ISPDataCallback pFormCallback).    1195719c-0516-2045-a82e-8077f54daf22

02/06/2014 06:20:18.77    w3wp.exe (0x1EF0)    0x1AB8    SharePoint Foundation    Claims Authentication    af32v    Verbose    Claims Windows Sign-In: Sending 401 for request '

http://team.contoso.com/_vti_bin/sites.asmx' because the request is not from a browser.    1195719c-0516-2045-a82e-8077f54daf22

02/06/2014 06:20:18.77    w3wp.exe (0x1EF0)    0x1AB8    SharePoint Foundation    General    avfx    Medium    SOAP exception: System.Threading.ThreadAbortException: Thread was being aborted.     at System.Threading.Thread.AbortInternal()     at System.Threading.Thread.Abort(Object stateInfo)     at System.Web.HttpResponse.AbortCurrentThread()     at Microsoft.SharePoint.Utilities.SPUtilityInternal.SendResponse(HttpContext context, Int32 code, String strBody, String strContentType)     at Microsoft.SharePoint.Utilities.SPUtility.IfNecessarySend401(HttpContext context, SPIisSettings iisSettings, Boolean isSOAP, Boolean isBrowserRequest)     at Microsoft.SharePoint.Utilities.SPUtility.HandleAccessDenied(HttpContext context)     at Microsoft.SharePoint.Utilities.SPUtility.HandleAccessDenied(Exception ex)     at Microsoft.SharePoint.Library.SPRequest.RenderFormDigest(String bstrUrl, ISPDataCallback pFormCallback)     at Microsoft.SharePoint.WebControls.FormDigest.RenderCore(SPWeb web)     at Microsoft.SharePoint.WebControls.FormDigest.get_DigestValue()     at Microsoft.SharePoint.SoapServer.SitesImpl.GetUpdatedFormDigestInformation(String url)     at Microsoft.SharePoint.SoapServer.Sites.GetUpdatedFormDigestInformation(String url)    1195719c-0516-2045-a82e-8077f54daf22

 

If you scroll a bit above these entries, you can see that the actual user context is not the logged in user, but IUSR (who’s UserPrincipalName=i:0).w|s-1-5-17).

02/06/2014 06:20:18.49    w3wp.exe (0x1EF0)    0x1AB8    SharePoint Foundation    Application Authentication    ajezx    Verbose    SPApplicationAuthenticationModule: Authorization header doesn't contain Bearer, can't try to perform application authentication.    1195719c-0516-2045-a82e-8077f54daf22

02/06/2014 06:20:18.49    w3wp.exe (0x1EF0)    0x1AB8    SharePoint Foundation    Authentication Authorization    agb9s    Medium    Non-OAuth request. IsAuthenticated=True, UserIdentityName=0#.w|nt authority\iusr, ClaimsCount=17    1195719c-0516-2045-a82e-8077f54daf22

02/06/2014 06:20:18.49    w3wp.exe (0x1EF0)    0x1AB8    SharePoint Foundation    Logging Correlation Data    xmnv    Medium    User=0#.w|nt authority\iusr    1195719c-0516-2045-a82e-8077f54daf22

02/06/2014 06:20:18.72    w3wp.exe (0x1EF0)    0x1AB8    SharePoint Foundation    General    fbv6    Medium    <?xml version="1.0" encoding="utf-8"?>  <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">    <soap:Body>      <GetUpdatedFormDigestInformation xmlns="http://schemas.microsoft.com/sharepoint/soap/" />    </soap:Body>  </soap:Envelope>    1195719c-0516-2045-a82e-8077f54daf22

So, it seems like the request from CSOM is made as anonymous user rather than the logged in user.

Resolution:

Turns out this is an expected behavior and not really something to do with SharePoint Server 2013.  It’s documented here: http://support.microsoft.com/kb/979917.  Thankfully, ASP.NET make an application settings available to fix this issue in SharePoint Server 2013 as documented here: http://support.microsoft.com/kb/2686411.

So the fix is to ensure the following <appSettings/> key has the value false in it.

    <appSettings>
        <add key="aspnet:AllowAnonymousImpersonation" value="false" />
    </appSettings>

 

Look out for the below warning from the KB article.

image

There’s another way to fix this problem, which is to change <identity impersonate=”true” /> to <identity impersonate=”false” />.  But that will be unsupported from SharePoint perspective as per: http://support.microsoft.com/kb/2564833.

Hope this post was helpful!  This is Sridhar signing out until my next post!

Comments (3)
  1. Saurabh says:

    You are the man! Thanks 🙂

  2. Huzefa Mala says:

    Thanks a lot. I had wasted quite a few days looking for this setting. I wonder why CSOM runs with partial trust in SharePoint. Would you be able to shed some more light on this matter?

  3. Gajendra says:

    Thanks a lot Buddy.. save my time.. wasted 2 days on fixing on this 401 issue.. 😉

Comments are closed.

Skip to main content