The current user does not have the UseRemoteAPIs permission

%3CLINGO-SUB%20id%3D%22lingo-sub-1752554%22%20slang%3D%22en-US%22%3EThe%20current%20user%20does%20not%20have%20the%20UseRemoteAPIs%20permission%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1752554%22%20slang%3D%22en-US%22%3E%3CP%20data-unlink%3D%22true%22%3EI%20setup%20trust%20for%20search%20between%20two%20farms%20according%20to%20this%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsharepoint%2Fsearch%2Fconfigure-trust-for-search-between-two-sharepoint-server-farms%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Elink%3C%2FA%3E.%20After%20configuring%20successfully%2C%20we%20use%20KQL%20query%20to%20get%20search%20results%20from%20receiving%20farm%20in%20sending%20farm.%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3EThese%20days%2C%20a%20user%20reports%20he%20cannot%20get%20search%20result%20from%20receiving%20farm%20in%20sending%20farm%2C%20after%20checking%20the%20log%20in%20sending%20farm%2C%20I%20find%20this%20error%3CFONT%20size%3D%222%22%20color%3D%22%23FF0000%22%3E%20'Microsoft.SharePoint.Client.ServerException%3A%20Query%20execution%20is%20only%20allowed%20with%20IgnoreSafeQueryPropertiesTemplateUrl%3Dtrue%20when%20the%20user%20has%20the%20UseRemoteAPIs%20permission.'%3C%2FFONT%3E%2C%26nbsp%3B%20then%20I%20check%20the%20logs%20in%20receiving%20farm%20I%20find%20the%20message%20like%20'%3CFONT%20size%3D%222%22%20color%3D%22%23FF0000%22%3EThe%20current%20user%20does%20not%20have%20the%20UseRemoteAPIs%20permission%20but%20is%20trying%20to%20execute%20a%20query%20with%20IgnoreSafeQueryPropertiesTemplateUrl%3Dtrue.%3C%2FFONT%3E'%2C%20seems%20that%20the%20user%20doesn't%20have%20the%20UseRemoteAPIs%20permission.%26nbsp%3B%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3EI%20am%20not%20sure%20why%20receiving%20farm%20doesn't%20check%20out%20the%20UseRemoteAPIs%20permission%20for%20the%20user%2C%20because%20the%20use%20is%20assigned%20with%20%3CSTRONG%3Eread%3C%2FSTRONG%3E%20permission%20by%26nbsp%3B%3CSTRONG%3Evisitor%3C%2FSTRONG%3E%20group%2C%20limited%20access%20permission%20by%20style%20resources%20readers%20group.%20And%20the%20site%20collection%20feature%20%3A%20%3CEM%3ELimited-access%20user%20permission%20lockdown%20mode%3C%2FEM%3E%20has%20already%20been%20deactivated.%20Another%20end%20user%20with%20same%20permission%20can%26nbsp%3Bget%20search%20result%20from%20receiving%20farm%20in%20sending%20farm.%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3EI%20am%20not%20sure%20if%20the%20permission%20failure%20is%20related%20to%20'one%20way%20trust%20domain'%20issue%3A%3C%2FP%3E%3COL%3E%3CLI%3EUser1%20is%20in%20domain%202.%3C%2FLI%3E%3CLI%3EDomain%201%20trust%20domain%202%2C%20and%20they%20are%20in%20one%20way%20trust%20domain%20relationship.%3C%2FLI%3E%3CLI%3ECurrent%20user%20has%20been%20added%20in%20a%20domain%20group%20named%20%3CU%3Eall-stuff%3C%2FU%3E%20in%20domain%201.%3C%2FLI%3E%3CLI%3EIf%20the%20document%20has%20been%20shared%20by%20%3CU%3Eall-stuff%3C%2FU%3E%26nbsp%3Bad%20group%20directly%20or%20shared%20by%20a%20SP%20group%20which%20contains%20%3CU%3Eall-stuff%3C%2FU%3E%20ad%20group%2C%20%3CA%20href%3D%22https%3A%2F%2Fmsdn.microsoft.com%2Fen-us%2Flibrary%2Foffice%2Fmicrosoft.sharepoint.spweb.doesuserhavepermissions.aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EDoesUserHavePermissions%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%20method%20will%20fail%20to%20check%20User1's%20pemrission.%26nbsp%3B%3C%2FLI%3E%3C%2FOL%3E%3CP%20data-unlink%3D%22true%22%3EI%20try%20to%20re-produce%20this%20scenario%2C%20but%20I%20don't%20get%20error.%26nbsp%3B%20I%20try%20to%20set%26nbsp%3Bthe%20following%20properties%20for%20support%20search%20even%20if%20the%20user%20doesn't%20have%26nbsp%3BUseRemoteAPIs%20permission.%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3E%3CFONT%20size%3D%222%22%3Equery.IgnoreSafeQueryPropertiesTemplateUrl%20%3D%20false%3B%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20size%3D%222%22%3Equery.SafeQueryPropertiesTemplateUrl%20%3D%20%22spfile%3A%2F%2Fwebroot%2Fqueryparametertemplate.xml%22%3B%3C%2FFONT%3E%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3EAs%20I%20didn't%20reproduce%20the%20error%2C%20I%20am%20not%20if%20this%20change%20can%20resolve%20the%20issue%2C%20also%20when%20I%20inspect%20the%20verbose%20logs%20in%20receiving%20farm%2C%20I%20don't%20find%20out%20the%20properties%20and%20the%20values%20information%20in%20CSOM%20request%20XML%2C%20so%20don't%20think%20this%20way%20can%20resolve%20the%20issue.%26nbsp%3B%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3ECan%20anyone%20give%20me%20some%20suggestions%3F%26nbsp%3B%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1752554%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESearch%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%202016%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2200609%22%20slang%3D%22en-US%22%3ERe%3A%20The%20current%20user%20does%20not%20have%20the%20UseRemoteAPIs%20permission%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2200609%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F633633%22%20target%3D%22_blank%22%3E%40Yutolivo%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENot%20specifically%20related%20to%20your%20issue%20with%20search%2C%20however%20the%20when%20your%20user%20executes%20a%20search%20query%20it%20may%20be%20trying%20to%20access%20API%20at%20the%20site%20collection%20level.%26nbsp%3B%20I'll%20share%20here%20as%20well%20just%20in%20case%20it%20helps.%26nbsp%3B%20Typically%20the%20adjustment%20you%20mentioned%20in%20your%20post%20is%20for%20enabling%20Anonymous%20users%20to%20use%20SharePoint%20search%20API%20(like%20for%20web%20parts%20or%20other%20JavaScripty%20search%20customisation).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20was%20brought%20here%20because%20I%20was%20looking%20for%20the%20reason%20why%20the%20SharePoint%20Modern%20List%20View%20experience%20was%20receiving%20a%20401%20access%20denied%20and%20then%20repeatedly%20prompting%20the%20user%20to%20login%20as%20it%20was%20trying%20to%20access%20%2F_api%2FSite%3F%24select%3DStatusBarLink%2CStatusBarText.%26nbsp%3B%20This%20issue%20will%20occur%20when%20a%20user%20has%20been%20granted%20permission%20at%20a%20sub-site%20level%20but%20does%20not%20have%20permission%20at%20the%20site%20collection%20level%20(or%20only%20has%20Limited%20Access%20at%20the%20site%20collection%20level).%26nbsp%3B%20The%20limited%20access%20is%20typically%20there%20as%20part%20of%20the%20Style%20Resource%20Readers%20group.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20will%20see%20in%20the%20developer%20window%20a%20pending%20authorisation%20for%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.website.ca%2Fsitecollection%2Fsubsite%2F_api%2FSite%3F%24select%3DStatusBarLink%2CStatusBarText%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.website.ca%2Fsitecollection%2Fsubsite%2F_api%2FSite%3F%24select%3DStatusBarLink%2CStatusBarText%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EFollowed%20by%20access%20denied%20messages%20in%20your%20ULS%20logs%20similar%20to%3A%3C%2FP%3E%3CP%3EPermissionMask%20check%20failed%20for%20%7BGuid%7D.%20Asking%20for%200x2000010000%2C%20have%200x1008010000%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESpecifically%20it%20will%20also%20fail%20with%20UnauthorizedAccessException%20on%26nbsp%3BGetWebMetainfo%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20way%20you%20can%20fix%20this%20is%20by%20ADDING%20the%26nbsp%3BUseRemoteAPIs%20base%20permission%20to%20the%20Limited%20Access%20role%20definition%20at%20the%20site%20collection%20root%20web%20level.%26nbsp%3B%20Please%20note%2C%20this%20should%20not%20be%20done%20for%20Anonymous%20access%20or%20public%20(internet)%20sites%20as%20it%20may%20expose%20API%20to%20attackers%20for%20Denial%20of%20Service.%26nbsp%3B%20Internally%20it%20should%20be%20OK%20to%20do%20as%20it%20simply%20allows%20end%20users%20to%20make%20calls%20to%20the%20API%20(the%20contents%20of%20the%20results%20of%20the%20API%20are%20still%20security%20trimmed).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPowershell%20you%20can%20use%20to%20resolve%20this%20is%3A%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-powershell%22%3E%3CCODE%3E%24siteUrl%20%3D%20%22https%3A%2F%2Fwww.website.ca%2Fsitecollection%2F%22%0A%0A%24site%20%3D%20get-spsite%20%24siteUrl%0A%24web%20%3D%20%24site.RootWeb%0A%0A%24limitedAccess%20%3D%20%24web.RoleDefinitions%5B%22Limited%20Access%22%5D%0A%24limitedAccess.BasePermissions%20%3D%20%22%24(%24limitedAccess.BasePermissions)%2C%20UseRemoteAPIs%22%0A%24limitedAccess.Update()%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%3CBR%20%2F%3EYou're%20welcome!%3C%2FP%3E%3CP%3EKevin%20Cole%20-%20SharePoint%20Microsoft%20Certified%20Master%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

I setup trust for search between two farms according to this link. After configuring successfully, we use KQL query to get search results from receiving farm in sending farm.

 

These days, a user reports he cannot get search result from receiving farm in sending farm, after checking the log in sending farm, I find this error 'Microsoft.SharePoint.Client.ServerException: Query execution is only allowed with IgnoreSafeQueryPropertiesTemplateUrl=true when the user has the UseRemoteAPIs permission.',  then I check the logs in receiving farm I find the message like 'The current user does not have the UseRemoteAPIs permission but is trying to execute a query with IgnoreSafeQueryPropertiesTemplateUrl=true.', seems that the user doesn't have the UseRemoteAPIs permission. 

 

I am not sure why receiving farm doesn't check out the UseRemoteAPIs permission for the user, because the use is assigned with read permission by visitor group, limited access permission by style resources readers group. And the site collection feature : Limited-access user permission lockdown mode has already been deactivated. Another end user with same permission can get search result from receiving farm in sending farm.

 

I am not sure if the permission failure is related to 'one way trust domain' issue:

  1. User1 is in domain 2.
  2. Domain 1 trust domain 2, and they are in one way trust domain relationship.
  3. Current user has been added in a domain group named all-stuff in domain 1.
  4. If the document has been shared by all-stuff ad group directly or shared by a SP group which contains all-stuff ad group, DoesUserHavePermissions  method will fail to check User1's pemrission. 

I try to re-produce this scenario, but I don't get error.  I try to set the following properties for support search even if the user doesn't have UseRemoteAPIs permission.

query.IgnoreSafeQueryPropertiesTemplateUrl = false;
query.SafeQueryPropertiesTemplateUrl = "spfile://webroot/queryparametertemplate.xml";

As I didn't reproduce the error, I am not if this change can resolve the issue, also when I inspect the verbose logs in receiving farm, I don't find out the properties and the values information in CSOM request XML, so don't think this way can resolve the issue. 

 

Can anyone give me some suggestions? 

 

 

1 Reply

@Yutolivo 

Not specifically related to your issue with search, however the when your user executes a search query it may be trying to access API at the site collection level.  I'll share here as well just in case it helps.  Typically the adjustment you mentioned in your post is for enabling Anonymous users to use SharePoint search API (like for web parts or other JavaScripty search customisation).

 

I was brought here because I was looking for the reason why the SharePoint Modern List View experience was receiving a 401 access denied and then repeatedly prompting the user to login as it was trying to access /_api/Site?$select=StatusBarLink,StatusBarText.  This issue will occur when a user has been granted permission at a sub-site level but does not have permission at the site collection level (or only has Limited Access at the site collection level).  The limited access is typically there as part of the Style Resource Readers group.

 

You will see in the developer window a pending authorisation for

https://www.website.ca/sitecollection/subsite/_api/Site?$select=StatusBarLink,StatusBarText


Followed by access denied messages in your ULS logs similar to:

PermissionMask check failed for {Guid}. Asking for 0x2000010000, have 0x1008010000

 

Specifically it will also fail with UnauthorizedAccessException on GetWebMetainfo 

 

The way you can fix this is by ADDING the UseRemoteAPIs base permission to the Limited Access role definition at the site collection root web level.  Please note, this should not be done for Anonymous access or public (internet) sites as it may expose API to attackers for Denial of Service.  Internally it should be OK to do as it simply allows end users to make calls to the API (the contents of the results of the API are still security trimmed).

 

Powershell you can use to resolve this is:

$siteUrl = "https://www.website.ca/sitecollection/"

$site = get-spsite $siteUrl
$web = $site.RootWeb

$limitedAccess = $web.RoleDefinitions["Limited Access"]
$limitedAccess.BasePermissions = "$($limitedAccess.BasePermissions), UseRemoteAPIs"
$limitedAccess.Update()


You're welcome!

Kevin Cole - SharePoint Microsoft Certified Master