Channel: SharePoint 2010 - Development and Programming forum

Provision User's MySite with Powershell on a webapp using ADFS / Claims on SP2010


Hi !

I've been asked to provision User's MySite for some users with PowerShell.
I basically asked my friend Google in order to save time.

I'm working within a specific environment (description below)

About the webapp: 
- The webapp hosting the MySiteHost (https://mySiteHostUrl/) is based on CLAIMS authentication and the authentication provider is ADFS and using SSL on port 443.
- This webapp is only accessible to all authenticated users from ADFS; Self-Service Site Creation is ENABLED.
- This webapp has been extended (Zone Custom with NTLM, http://mySiteHostUrlNTLM/) in order to ensure the administration of the MySi collection with a specific admin using Windows Auth

About the User-Profile Service App: 
- Re-Created from Scratch
- User Connection is correct, the sync with ADFS is successful
- User Profile Properties Mapping and Sync is OK
- When a user manually triggers the MySite Creation (from the MySite Host), the site is successfully created.

About the user (let's call him ShellAdmin) who is executing the script: 
- He has the permission SharePoint_Shell_Access on the SharePoint Config.
- He has been promoted "Farm Administrator" via the Central Admin
- He is Local Admin
- He has Full Control Permissions on the User-Profile Service App

About the Powershell Script: 

I searched the web for a suitable PowerShell script: 

# Load the User Profile object model
[Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Server")

$mysiteHostUrl = "https://mySiteHostUrl/"
$mysiteAdmin = "DOMAIN\Admin"
$mysite = Get-SPSite $mysiteHostUrl

# Get the User Profile Manager for the service context of the MySite host
$context = [Microsoft.Office.Server.ServerContext]::GetContext($mysite)
$upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($context)
$AllProfiles = $upm.GetEnumerator()
foreach ($profile in $AllProfiles)
{
    $DisplayName = $profile.DisplayName
    $UserName = $profile.UserName
    $AccountName = $profile[[Microsoft.Office.Server.UserProfiles.PropertyConstants]::AccountName].Value

    # Create the personal site only for the matching account
    if ($AccountName -match "UserAccountName")
    {
        $profile.CreatePersonalSite();
    }
}
$mysite.Dispose();



The Error:
In fact, this script is working on DEV Environment (NTLM / Windows Auth) and not on PROD Environment (ADFS / Claims)

When we run this script we have the following error in the console:

Exception calling "CreatePersonalSite" with "0" argument(s): "A failure was encountered while attempting to create the site."
At C:\mydesk\myDesk.ps1:46 char:30
+         $profile.CreatePersonalSite <<<< ();
+ CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException

In the Event Manager and also the ULS, we have more details

	My Site creation failure for user 'i:0\.t|adfs saml provider|UserAccountName' for site url 'https://mySiteHostUrl/personal/UserAccountName'. The exception was: Microsoft.Office.Server.UserProfiles.PersonalSiteCreateException: A failure was encountered while attempting to create the site. ---> System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
   at Microsoft.SharePoint.Library.SPRequest.SscCreateSite(Guid gApplicationId, String bstrUrl, String bstrServerRelativeUrl, Int32 lZone, Guid gSiteId, Guid gDatabaseId, String bstrDatabaseServer, String bstrDatabaseName, String bstrDatabaseUsername, String bstrDatabasePassword, String bstrTitle, String bstrDescription, UInt32 nLCID, String bstrOwnerLogin, String bstrOwnerUserKey, String bstrOwnerName, String bstrOwnerEmail, String bstrSecondaryContactLogin, String bstrSecondaryContactUserKey, String bstrSecondaryContactName, String bstrSecondaryContactEmail, Boolean bADAccountMode, Boolean bHostHeaderIsSiteName, Int32 iDatabaseVersionMajor, Int32 iDatabaseVersionMinor, Int32 iDatabaseVersionBuild, Int32 iDatabaseVersionRevision)
   at Microsoft.SharePoint.Administration.SPSiteCollection.Add(SPContentDatabase database, SPSiteSubscription siteSubscription, String siteUrl, String title, String description, UInt32 nLCID, String webTemplate, String ownerLogin, String ownerName, String ownerEmail, String secondaryContactLogin, String secondaryContactName, String secondaryContactEmail, String quotaTemplate, String sscRootWebUrl, Boolean useHostHeaderAsSiteName)
   at Microsoft.SharePoint.SPSite.SelfServiceCreateSite(String siteUrl, String title, String description, UInt32 nLCID, String webTemplate, String ownerLogin, String ownerName, String ownerEmail, String contactLogin, String contactName, String contactEmail, String quotaTemplate, SPSiteSubscription siteSubscription)
   at Microsoft.Office.Server.UserProfiles.UserProfile.<>c__DisplayClass2.<CreateSite>b__0()
   --- End of inner exception stack trace ---
   at Microsoft.Office.Server.UserProfiles.UserProfile.<>c__DisplayClass2.<CreateSite>b__0()
   at Microsoft.SharePoint.SPSecurity.<>c__DisplayClass4.<RunWithElevatedPrivileges>b__2()
   at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)
   at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback secureCode, Object param)
   at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated secureCode)
   at Microsoft.Office.Server.UserProfiles.UserProfile.CreateSite(String strRequestUrl, Boolean bCollision, Int32 lcid).


My questions ?

What should I do in order to make it work? I have no idea why there is an Access Denied.

I found this blog post http://blogs.technet.com/b/hablamoss/archive/2010/12/29/sharepoint-2010-spsitecollection-add-usando-claims-produce-access-denied.aspx, and I'm puzzled (I'm not a Spanish Native Speaker), I'm not sure that I understand well..."SharePoint 2010 - SPSiteCollection.add usando Claims produce access denied."


Has anyone experienced the same thing?
Has anyone found a workaround?

Thanks a lot for any insights.


Regards,


Notre-Dame

