Forum Discussion

Yutolivo's avatar
Yutolivo
Copper Contributor
Oct 07, 2020

The current user does not have the UseRemoteAPIs permission

I setup trust for search between two farms according to this https://docs.microsoft.com/en-us/sharepoint/search/configure-trust-for-search-between-two-sharepoint-server-farms. After configuring succe...
Search
SharePoint 2016
KevinColeMCM's avatar
KevinColeMCM
Copper Contributor
Mar 10, 2021

Yutolivo 

Not specifically related to your issue with search, however the when your user executes a search query it may be trying to access API at the site collection level.  I'll share here as well just in case it helps.  Typically the adjustment you mentioned in your post is for enabling Anonymous users to use SharePoint search API (like for web parts or other JavaScripty search customisation).

 

I was brought here because I was looking for the reason why the SharePoint Modern List View experience was receiving a 401 access denied and then repeatedly prompting the user to login as it was trying to access /_api/Site?$select=StatusBarLink,StatusBarText.  This issue will occur when a user has been granted permission at a sub-site level but does not have permission at the site collection level (or only has Limited Access at the site collection level).  The limited access is typically there as part of the Style Resource Readers group.

 

You will see in the developer window a pending authorisation for

https://www.website.ca/sitecollection/subsite/_api/Site?$select=StatusBarLink,StatusBarText


Followed by access denied messages in your ULS logs similar to:

PermissionMask check failed for {Guid}. Asking for 0x2000010000, have 0x1008010000

 

Specifically it will also fail with UnauthorizedAccessException on GetWebMetainfo 

 

The way you can fix this is by ADDING the UseRemoteAPIs base permission to the Limited Access role definition at the site collection root web level.  Please note, this should not be done for Anonymous access or public (internet) sites as it may expose API to attackers for Denial of Service.  Internally it should be OK to do as it simply allows end users to make calls to the API (the contents of the results of the API are still security trimmed).

 

Powershell you can use to resolve this is:

$siteUrl = "https://www.website.ca/sitecollection/"

$site = get-spsite $siteUrl
$web = $site.RootWeb

$limitedAccess = $web.RoleDefinitions["Limited Access"]
$limitedAccess.BasePermissions = "$($limitedAccess.BasePermissions), UseRemoteAPIs"
$limitedAccess.Update()


You're welcome!

Kevin Cole - SharePoint Microsoft Certified Master

Resources