The current user does not have the UseRemoteAPIs permission

%3CLINGO-SUB%20id%3D%22lingo-sub-1752554%22%20slang%3D%22en-US%22%3EThe%20current%20user%20does%20not%20have%20the%20UseRemoteAPIs%20permission%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1752554%22%20slang%3D%22en-US%22%3E%3CP%20data-unlink%3D%22true%22%3EI%20setup%20trust%20for%20search%20between%20two%20farms%20according%20to%20this%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsharepoint%2Fsearch%2Fconfigure-trust-for-search-between-two-sharepoint-server-farms%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Elink%3C%2FA%3E.%20After%20configuring%20successfully%2C%20we%20use%20KQL%20query%20to%20get%20search%20results%20from%20receiving%20farm%20in%20sending%20farm.%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3EThese%20days%2C%20a%20user%20reports%20he%20cannot%20get%20search%20result%20from%20receiving%20farm%20in%20sending%20farm%2C%20after%20checking%20the%20log%20in%20sending%20farm%2C%20I%20find%20this%20error%3CFONT%20size%3D%222%22%20color%3D%22%23FF0000%22%3E%20'Microsoft.SharePoint.Client.ServerException%3A%20Query%20execution%20is%20only%20allowed%20with%20IgnoreSafeQueryPropertiesTemplateUrl%3Dtrue%20when%20the%20user%20has%20the%20UseRemoteAPIs%20permission.'%3C%2FFONT%3E%2C%26nbsp%3B%20then%20I%20check%20the%20logs%20in%20receiving%20farm%20I%20find%20the%20message%20like%20'%3CFONT%20size%3D%222%22%20color%3D%22%23FF0000%22%3EThe%20current%20user%20does%20not%20have%20the%20UseRemoteAPIs%20permission%20but%20is%20trying%20to%20execute%20a%20query%20with%20IgnoreSafeQueryPropertiesTemplateUrl%3Dtrue.%3C%2FFONT%3E'%2C%20seems%20that%20the%20user%20doesn't%20have%20the%20UseRemoteAPIs%20permission.%26nbsp%3B%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3EI%20am%20not%20sure%20why%20receiving%20farm%20doesn't%20check%20out%20the%20UseRemoteAPIs%20permission%20for%20the%20user%2C%20because%20the%20use%20is%20assigned%20with%20%3CSTRONG%3Eread%3C%2FSTRONG%3E%20permission%20by%26nbsp%3B%3CSTRONG%3Evisitor%3C%2FSTRONG%3E%20group%2C%20limited%20access%20permission%20by%20style%20resources%20readers%20group.%20And%20the%20site%20collection%20feature%20%3A%20%3CEM%3ELimited-access%20user%20permission%20lockdown%20mode%3C%2FEM%3E%20has%20already%20been%20deactivated.%20Another%20end%20user%20with%20same%20permission%20can%26nbsp%3Bget%20search%20result%20from%20receiving%20farm%20in%20sending%20farm.%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3EI%20am%20not%20sure%20if%20the%20permission%20failure%20is%20related%20to%20'one%20way%20trust%20domain'%20issue%3A%3C%2FP%3E%3COL%3E%3CLI%3EUser1%20is%20in%20domain%202.%3C%2FLI%3E%3CLI%3EDomain%201%20trust%20domain%202%2C%20and%20they%20are%20in%20one%20way%20trust%20domain%20relationship.%3C%2FLI%3E%3CLI%3ECurrent%20user%20has%20been%20added%20in%20a%20domain%20group%20named%20%3CU%3Eall-stuff%3C%2FU%3E%20in%20domain%201.%3C%2FLI%3E%3CLI%3EIf%20the%20document%20has%20been%20shared%20by%20%3CU%3Eall-stuff%3C%2FU%3E%26nbsp%3Bad%20group%20directly%20or%20shared%20by%20a%20SP%20group%20which%20contains%20%3CU%3Eall-stuff%3C%2FU%3E%20ad%20group%2C%20%3CA%20href%3D%22https%3A%2F%2Fmsdn.microsoft.com%2Fen-us%2Flibrary%2Foffice%2Fmicrosoft.sharepoint.spweb.doesuserhavepermissions.aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EDoesUserHavePermissions%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%20method%20will%20fail%20to%20check%20User1's%20pemrission.%26nbsp%3B%3C%2FLI%3E%3C%2FOL%3E%3CP%20data-unlink%3D%22true%22%3EI%20try%20to%20re-produce%20this%20scenario%2C%20but%20I%20don't%20get%20error.%26nbsp%3B%20I%20try%20to%20set%26nbsp%3Bthe%20following%20properties%20for%20support%20search%20even%20if%20the%20user%20doesn't%20have%26nbsp%3BUseRemoteAPIs%20permission.%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3E%3CFONT%20size%3D%222%22%3Equery.IgnoreSafeQueryPropertiesTemplateUrl%20%3D%20false%3B%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20size%3D%222%22%3Equery.SafeQueryPropertiesTemplateUrl%20%3D%20%22spfile%3A%2F%2Fwebroot%2Fqueryparametertemplate.xml%22%3B%3C%2FFONT%3E%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3EAs%20I%20didn't%20reproduce%20the%20error%2C%20I%20am%20not%20if%20this%20change%20can%20resolve%20the%20issue%2C%20also%20when%20I%20inspect%20the%20verbose%20logs%20in%20receiving%20farm%2C%20I%20don't%20find%20out%20the%20properties%20and%20the%20values%20information%20in%20CSOM%20request%20XML%2C%20so%20don't%20think%20this%20way%20can%20resolve%20the%20issue.%26nbsp%3B%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3ECan%20anyone%20give%20me%20some%20suggestions%3F%26nbsp%3B%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1752554%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESearch%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%202016%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
New Contributor

I setup trust for search between two farms according to this link. After configuring successfully, we use KQL query to get search results from receiving farm in sending farm.

 

These days, a user reports he cannot get search result from receiving farm in sending farm, after checking the log in sending farm, I find this error 'Microsoft.SharePoint.Client.ServerException: Query execution is only allowed with IgnoreSafeQueryPropertiesTemplateUrl=true when the user has the UseRemoteAPIs permission.',  then I check the logs in receiving farm I find the message like 'The current user does not have the UseRemoteAPIs permission but is trying to execute a query with IgnoreSafeQueryPropertiesTemplateUrl=true.', seems that the user doesn't have the UseRemoteAPIs permission. 

 

I am not sure why receiving farm doesn't check out the UseRemoteAPIs permission for the user, because the use is assigned with read permission by visitor group, limited access permission by style resources readers group. And the site collection feature : Limited-access user permission lockdown mode has already been deactivated. Another end user with same permission can get search result from receiving farm in sending farm.

 

I am not sure if the permission failure is related to 'one way trust domain' issue:

  1. User1 is in domain 2.
  2. Domain 1 trust domain 2, and they are in one way trust domain relationship.
  3. Current user has been added in a domain group named all-stuff in domain 1.
  4. If the document has been shared by all-stuff ad group directly or shared by a SP group which contains all-stuff ad group, DoesUserHavePermissions  method will fail to check User1's pemrission. 

I try to re-produce this scenario, but I don't get error.  I try to set the following properties for support search even if the user doesn't have UseRemoteAPIs permission.

query.IgnoreSafeQueryPropertiesTemplateUrl = false;
query.SafeQueryPropertiesTemplateUrl = "spfile://webroot/queryparametertemplate.xml";

As I didn't reproduce the error, I am not if this change can resolve the issue, also when I inspect the verbose logs in receiving farm, I don't find out the properties and the values information in CSOM request XML, so don't think this way can resolve the issue. 

 

Can anyone give me some suggestions? 

 

 

0 Replies