This post is the third part of a series on the “Check Permissions” function. It’s focused on Trusted Provider authentication aka: SAML-claims. The way “Check Permissions” works varies by authentication method. For Windows or FBA auth, see my other posts: Windows-Claims Authentication: https://joshroark.com/sharepoint-troubleshooting-check-permissions-windows-auth/ Forms-based Authentication (FBA): https://joshroark.com/sharepoint-check-permissions-and-external-tokens-fba/ Notes: I’ll be talking about Active Directory Federation
What are the Super User and Super Reader accounts for? This is explained pretty well on Docs here: https://docs.microsoft.com/en-us/SharePoint/administration/configure-object-cache-user-accounts In general, they are used in the process of making SharePoint Publishing sites (any site using the publishing features) render quickly and efficiently. Please keep in mind that these accounts aren’t actually required to be
This is a good one, it appears to be both random and intermittent, and is extremely hard to track down. It’s known as the “SID mismatch” problem. Consider the following scenario: Intermittently, when a user browses to a resource (site, list, etc) that they are supposed to have access to, they receive “Access Denied“, or
There are a couple known issues with user profile pictures when your Mysite web application uses Trusted Provider (ADFS / SAML) authentication. Symptoms There are two different known symptoms with the same cause and solution: #1When running User Profile Synchronization, nothing is imported or exported. In the Forefront Identity Manager (FIM) client, we see
Update 11/24/19: This post is specific to Windows Authentication (NLTM or Kerberos) within SharePoint 2013. For SharePoint 2016, see this post: https://joshroark.com/sharepoint-2016-check-permissions-windows-auth/ For Forms-based authentication see this: https://joshroark.com/sharepoint-check-permissions-and-external-tokens-fba/ And for Trusted Provider (SAML) auth, see this: https://joshroark.com/sharepoint-check-permissions-and-external-tokens-adfs-saml-auth/ Why should you care? Having “Check Permissions” fail to give you an accurate representation of user permissions can be
Some potential symptoms: You try to add a user to a SharePoint group. The account is added without error, but it doesn’t show up in the group. You try to add a user to a “person or group” column in a list. The account is added successfully, but it doesn’t show up in the list.