Channel: Developing Apps for SharePoint 2013 forum

failed to add app with security error related with c2wts


Right now, we are facing a weird issue when adding our app to a customer's SharePoint site. When the site collection admin clicks our app to add it, he gets a popup page with the title "Access Required" and the message "Sorry, you don't have access to this page"; however, he is already a site collection admin.

At the SharePoint logs, we saw the following exceptions:

SPSecurityContext: Could not retrieve a valid windows identity for username 'company\user' with UPN 'user@company.com'. UPN is required when Kerberos constrained delegation is used. Exception: System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: WTS0003: The caller is not authorized to access the service. (Fault Detail is equal to An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, whose value is: System.UnauthorizedAccessException: WTS0003: The caller is not authorized to access the service.
 at Microsoft.IdentityModel.WindowsTokenService.CallerSecurity.CheckCaller(WindowsIdentity callerIdentity)
 at Microsoft.IdentityModel.WindowsTokenService.S4UServiceContract.PerformLogon(Func`1 logonOperation, Int32 pid)
 at SyncInvokeUpnLogon(Object , Object[] , Object[] )
 at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)
 at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)
 at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)
 at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage31(MessageRpc& rpc)
 at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet))..

(Note: I changed the user name to a generic name there.)

After that, we also saw another exception:

No windows identity for company\user

Access Denied. Exception: Attempted to perform an unauthorized operation., StackTrace:
 at Microsoft.SharePoint.Utilities.SPUtility.HandleAccessDenied(Exception ex)
 at Microsoft.SharePoint.SPAppPrincipalPermissionsManager.UpdateAppOnlyPolicy(SPAppPrincipalInfo appPrincipal, Boolean allowAppOnlyPolicy)
 at Microsoft.SharePoint.ApplicationPages.AppAuthorizePageBase.GrantAppAccess()
 at Microsoft.SharePoint.ApplicationPages.AppInvPage.BtnAllow_Click(Object sender, EventArgs e)
 at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
 at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
 at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
 at System.Web.UI.Page.ProcessRequest()
 at System.Web.UI.Page.ProcessRequest(HttpContext context)
 at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
 at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
 at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error)
 at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb)
 at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)
 at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
 at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
 at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)
 at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)
 at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
 at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)  .

I did some reading of the SharePoint code and also searched the internet, and I found this link: Adding App Causes Security Error, where a similar error is thrown as well; he fixed the issue by reconfiguring the c2wts service. His issue is slightly different from mine. In his case, end users weren't able to add the app the first time and got a "You Can't Add This App Here" message, while in our case the error is thrown during adding the app.

Why would we need the c2wts service here for adding an app if the user is already logged in to SharePoint via Windows authentication? Could someone confirm that this is the root cause of the failure? Since I also see the related stack frame "at Microsoft.SharePoint.SPAppPrincipalPermissionsManager.UpdateAppOnlyPolicy(SPAppPrincipalInfo appPrincipal, Boolean allowAppOnlyPolicy)", I wonder whether AppOnlyPolicy=true, which our app requires, has anything to do with this as well. Again, I could not find any related article saying that a specific configuration is required to allow an app with AppOnlyPolicy.

Another weird thing is that it only happens at sites under a managed path. At the root site, the app can be added without any problem.

Any suggestions are highly welcome and really appreciated. This is for a big customer. :-) Thanks in advance for your insights.
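A read-only diagnostic, added here as an example and not part of the original post or the linked article, that reports the three things the WTS0003 "caller is not authorized" fault above depends on: the local c2wts Windows service, the farm's Claims to Windows Token Service instance on each server, and the allowedCallers list in c2wtshost.exe.config. The config path and the WSS_WPG group (the group SharePoint setup guidance has you add to allowedCallers) are SharePoint 2013 on-premises assumptions; run it from an elevated SharePoint Management Shell on a farm server.

```powershell
# Added diagnostic (not from the original post). Read-only: reports the state of
# the Claims to Windows Token Service (C2WTS) behind the WTS0003 fault
# "The caller is not authorized to access the service".
# Assumptions: SharePoint 2013 on-premises, elevated SharePoint Management Shell,
# default Windows Identity Foundation install path, and WSS_WPG (the SharePoint
# worker process group) as the expected allowed caller.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Local Windows service. It is commonly left disabled until the farm
#    service instance is started, so check both state and start mode.
$svc = Get-Service -Name c2wts -ErrorAction SilentlyContinue
if ($svc) {
    $mode = (Get-WmiObject Win32_Service -Filter "Name='c2wts'").StartMode
    Write-Output ("Windows service c2wts on {0}: {1} (start mode {2})" -f `
        $env:COMPUTERNAME, $svc.Status, $mode)
} else {
    Write-Warning "Windows service c2wts not found on $env:COMPUTERNAME"
}

# 2. Farm-level service instance. It must be Online on every web front end
#    that serves the app install pages, not just on the server you are on.
Get-SPServiceInstance |
    Where-Object { $_.TypeName -eq 'Claims to Windows Token Service' } |
    Select-Object @{ Name = 'Server'; Expression = { $_.Server.Address } }, Status |
    Format-Table -AutoSize

# 3. Allowed callers. WTS0003 is raised when the calling identity (here the
#    SharePoint web application pool account) is not covered by this list.
$cfg = 'C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config'
if (Test-Path $cfg) {
    $xml = [xml](Get-Content -Path $cfg -Raw)
    $callers = @($xml.SelectNodes('//windowsTokenService/allowedCallers/add') |
                 ForEach-Object { $_.GetAttribute('value') })
    Write-Output "allowedCallers in c2wtshost.exe.config: $($callers -join ', ')"
    if ($callers -notcontains 'WSS_WPG') {
        Write-Warning 'WSS_WPG is not an allowed caller; SharePoint app pools will be rejected with WTS0003.'
    }
} else {
    Write-Warning "C2WTS config not found at $cfg"
}
```

The script changes nothing; compare its output between the root site's server and the servers serving the managed-path sites, since the post reports the failure only on the latter.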