none
Exception occured while connecting to WCF endpoint: System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.

    Question

  • This problem arose when I was attempting to troubleshoot what appeared to be authentication issues (402.1 and 402.2's within sharepoint) during PDF form submissions to a library with a 3rd party service application. Now nobody can access the web app from inside or outside the domain. Central Admin still works from inside the domain.

    The server provider looked into it and has no idea what the problem is. I have the 3rd party developer looking at whether the original issue could be caused by their service application.

    In the meantime, I was hoping someone here could help me solve the current access problem and avoid having the server rebuilt.

    User Profiles                     hyc6    High        Exception occured while connecting to WCF endpoint: System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.    Server stack trace:      at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)     at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)     at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)     at System.ServiceModel.Channels.ServiceChannelProxy...    15e7f33a-33b6-42ec-8079-5f888c6ca717

    User Profiles                     hyc6    High        ....Invoke(IMessage message)    Exception rethrown at [0]:      at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)     at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)     at Microsoft.Office.Server.UserProfiles.IProfilePropertyService.GetProfileProperties()     at Microsoft.Office.Server.UserProfiles.ProfilePropertyServiceClient.<>c__DisplayClass1.<GetProfileProperties>b__0(IProfilePropertyService channel)     at Microsoft.Office.Server.UserProfiles.MossClientBase`1.ExecuteOnChannel(String operationName, CodeBlock codeBlock)    15e7f33a-33b6-42ec-8079-5f888c6ca717

    User Profiles                     g11n    High        UserProfileApplicationProxy.InitializePropertyCache: Microsoft.Office.Server.UserProfiles.UserProfileException: System.ServiceModel.Security.SecurityAccessDeniedException     at Microsoft.Office.Server.UserProfiles.MossClientBase`1.ExecuteOnChannel(String operationName, CodeBlock codeBlock)     at Microsoft.Office.Server.UserProfiles.ProfilePropertyServiceClient.ExecuteOnChannel(String operationName, CodeBlock codeBlock)     at Microsoft.Office.Server.UserProfiles.ProfilePropertyServiceClient.GetProfileProperties()     at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.RefreshProperties(Guid applicationID)     at Microsoft.Office.Server.Utilities.SPAsyncCache`2.GetValueNow(K key)     at Microsoft.Office.Server.Utilities.SPAsyncCache`2.GetValue(K key, Boolean asynchronous...    15e7f33a-33b6-42ec-8079-5f888c6ca717

    User Profiles                     g11n    High        ...)     at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.InitializePropertyCache()    15e7f33a-33b6-42ec-8079-5f888c6ca717

    General                           0000    Medium      Constructed a new async cache named Profile Property Cache    15e7f33a-33b6-42ec-8079-5f888c6ca717

    Topology                          e5mc    Medium      WcfSendRequest: RemoteAddress: 'http://997-003:32843/119cd447efd04a188cda4188fd6a5ee5/ProfilePropertyService.svc' Channel: 'Microsoft.Office.Server.UserProfiles.IProfilePropertyService' Action: 'http://Microsoft.Office.Server.UserProfiles/GetProfileProperties' MessageId: 'urn:uuid:5a13f58a-fa32-4eec-a3cc-0fb2b81506b4'    15e7f33a-33b6-42ec-8079-5f888c6ca717

    User Profiles                     hyc6    High        Exception occured while connecting to WCF endpoint: System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.    Server stack trace:      at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)     at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)     at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)     at System.ServiceModel.Channels.ServiceChannelProxy...    15e7f33a-33b6-42ec-8079-5f888c6ca717

    User Profiles                     hyc6    High        ....Invoke(IMessage message)    Exception rethrown at [0]:      at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)     at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)     at Microsoft.Office.Server.UserProfiles.IProfilePropertyService.GetProfileProperties()     at Microsoft.Office.Server.UserProfiles.ProfilePropertyServiceClient.<>c__DisplayClass1.<GetProfileProperties>b__0(IProfilePropertyService channel)     at Microsoft.Office.Server.UserProfiles.MossClientBase`1.ExecuteOnChannel(String operationName, CodeBlock codeBlock)    15e7f33a-33b6-42ec-8079-5f888c6ca717

    User Profiles                     g11n    High        UserProfileApplicationProxy.InitializePropertyCache: Microsoft.Office.Server.UserProfiles.UserProfileException: System.ServiceModel.Security.SecurityAccessDeniedException     at Microsoft.Office.Server.UserProfiles.MossClientBase`1.ExecuteOnChannel(String operationName, CodeBlock codeBlock)     at Microsoft.Office.Server.UserProfiles.ProfilePropertyServiceClient.ExecuteOnChannel(String operationName, CodeBlock codeBlock)     at Microsoft.Office.Server.UserProfiles.ProfilePropertyServiceClient.GetProfileProperties()     at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.RefreshProperties(Guid applicationID)     at Microsoft.Office.Server.Utilities.SPAsyncCache`2.GetValueNow(K key)     at Microsoft.Office.Server.Utilities.SPAsyncCache`2.GetValue(K key, Boolean asynchronous...    15e7f33a-33b6-42ec-8079-5f888c6ca717

    User Profiles                     g11n    High        ...)     at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.InitializePropertyCache()    15e7f33a-33b6-42ec-8079-5f888c6ca717

    General                           0000    Medium      Constructed a new async cache named Profile Property Cache    15e7f33a-33b6-42ec-8079-5f888c6ca717

    Monday, July 16, 2012 3:56 PM

Answers

  • Hi IntrebuloN,

    From the error message, the issue happens while invoking the User Profile Service(UPS).

    As a temporary workaround, we can remove the UPS from the service application associations:

    1. Go to Central Administration(CA) > Application Management > Manage web applications
    2. Select the proper web application
    3. Click "Service Connections" from the Ribbon group "Manage"
    4. In the coming page, select "Custom" from "Edit the following group of connections"
    5. Select the service applications the web application needs except the UPS
    6. Click OK to apply
    7. Now, we are able to access the web application again

    For the cause of the issue, it might be:

    • 32bit .Net framework is able for the service application pool. Only 64 bit framework is allowed
    • Anonymous Access is enabled for the web application, but the UPS does not accept anonymous access

    Thanks,
    Jinchun Chen(JC)


    Jinchun Chen
    Forum Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff AT microsoft.com(Please replace AT with @)

    • Marked as answer by IntrebuloN Wednesday, July 18, 2012 1:15 PM
    Tuesday, July 17, 2012 8:17 AM
    Moderator

All replies

  • Have you granted permissions for the application pool identity of the web application to the User Profile Service Application?

    Central Administration->User Profile Service Application Instance->Permissions

    Monday, July 16, 2012 4:51 PM
  • Thanks for the reply sir.

    No, and it was working before, but I recall making a required change to at least one app pool identity while investigating delegation as a possible culprit in the original problem.

    I'll check it out and post back my findings.

    Dave

    Monday, July 16, 2012 5:30 PM
  • Both of my custom application pool identities have full permissions to the UPSA.

    If I try to "manage" the UPSA I get a similar error, have to check logs to confirm, as soon as RDP stops timing out immediately after I connect.

    Monday, July 16, 2012 6:01 PM
  • Hi IntrebuloN,

    From the error message, the issue happens while invoking the User Profile Service(UPS).

    As a temporary workaround, we can remove the UPS from the service application associations:

    1. Go to Central Administration(CA) > Application Management > Manage web applications
    2. Select the proper web application
    3. Click "Service Connections" from the Ribbon group "Manage"
    4. In the coming page, select "Custom" from "Edit the following group of connections"
    5. Select the service applications the web application needs except the UPS
    6. Click OK to apply
    7. Now, we are able to access the web application again

    For the cause of the issue, it might be:

    • 32bit .Net framework is able for the service application pool. Only 64 bit framework is allowed
    • Anonymous Access is enabled for the web application, but the UPS does not accept anonymous access

    Thanks,
    Jinchun Chen(JC)


    Jinchun Chen
    Forum Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff AT microsoft.com(Please replace AT with @)

    • Marked as answer by IntrebuloN Wednesday, July 18, 2012 1:15 PM
    Tuesday, July 17, 2012 8:17 AM
    Moderator
  • Thanks Jinchun,

    Users are able to access the site now.

    Anonymous access is not enabled for either web application.

    How do I check for the .Net framework version used by the service application pools? IIS?

    Wednesday, July 18, 2012 12:58 PM
  • I did not ever manually configure anything to run in 32bit .Net, so I would have to assume, since IIS web applications appear to default to 64bit, that my service applications are all running under 64bit .Net Framework.
    Wednesday, July 18, 2012 1:22 PM
  • Thanks Jinchun!!!

    After inheriting a broken server from people that no longer work for the company and at least 20 different things that logs showed could be broken, I can't believe it was that simple after all my research of trying to get the User Profile Service to start and all I had to do was to disable it to get the SharePoint server to work again. I even tried to fix it by recreating the service thanks to another post, but that failed.

    Though we are decommissioning it, I may still try to figure out how to fix that service. All I was tasked with was bringing it up so users could get the documents they wanted off the server before shutting it down for good and at least now we can do that.

    Wednesday, August 15, 2012 4:11 PM