SP2010 User Profile Object Model code permissions

I'm trying to follow along with the SDK example "How to retrieve a User Profile".  I am calling the UserProfileManager constructor with a SPServiceContext object.

When I run this code as the farm account i.e. the service account the User Profile Service Application is running as, everything is fine.  However when I run this code as a normal user who is a Farm Admin, a User Profile Service App Admin and who has been granted Shell Access to all databases, I get an exception:

Unhandled Exception: System.NullReferenceException: Object reference not set to an instance of an object.
   at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.get_ApplicationProperties()
   at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.CheckAdministrationAccess(UserProfileApplicationAdminRights rights, Boolean requireAllRights)
   at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.CheckAdministrationAccess(UserProfileApplicationAdminRights rights)
   at Microsoft.Office.Server.UserProfiles.ProfileManagerBase.CanManagePeople(UserProfileApplicationProxy userProfileApplicationProxy)
   at Microsoft.Office.Server.UserProfiles.ProfileManagerBase.get_IsProfileAdmin()
   at Microsoft.Office.Server.UserProfiles.UserProfileManager..ctor(SPServiceContext serviceContext, Boolean IgnoreUserPrivacy, Boolean backwardCompatible)
   at Microsoft.Office.Server.UserProfiles.UserProfileManager..ctor(SPServiceContext serviceContext)
   at UserProfilesGetProperty.Program.Main(String[] args)

From the ULS logs, I can tell that it is failing with an Access is Denied error message for some WCF related User Profile calls.  But I can't see how that could be when I am a farm, service app and shell admin for all databases.


Any thoughts would be appreciated.  Thanks...

March 15th, 2011 1:06am

Sounds like you need to give access to users in the Profile Service Application,

Central Admin -> Manager Applications -> Manage Service Applications

Find your instance of the User Profile Service Application, highlight it and click Manage on the ribbon.

On that page, you should see Permissions.  Click that, then click the people picker to add new users, click the All Users tab on the left, and give all users of every authentication method you're using access to use Social Features etc.

Being a farm administrator doesn't matter, if the User Profile Service is not configured to let authenticated users of X auth method use it, it will throw access denied errors every time.

#2,

Some stuff in the user profile classes can only be done by User Profile Administrators,

And looking at your code, it looks like it's trying to get administration access to the user profile service application.  So in the same place as above, click the row (not the link) for the User Profile Service Application, then in the ribbon click Administrators.

Give your account that is a Farm Admin administrative rights on the User Profile Service.  Then your code should work.

March 15th, 2011 3:09am

Actually all authenticated users have all User Profile SA permissions, and my user account is explicitly a User Profile Service Application Administrator with Full Control.
March 16th, 2011 1:29am

Do you have a code snippet?
March 16th, 2011 4:16pm

Sure...I am doing something dead simple:


using System;
using Microsoft.SharePoint;
using Microsoft.Office.Server;
using Microsoft.Office.Server.UserProfiles;

// SPSite is IDisposable; the using block releases it when we are done.
using (SPSite site = new SPSite("http://sp.example.com/")) {
  // The service context resolves the User Profile Service Application proxy for this site.
  SPServiceContext context = SPServiceContext.GetContext(site);
  UserProfileManager profileManager = new UserProfileManager(context);  // throws here
  string sAccount = @"thedomain\theaccount";
  UserProfile u = profileManager.GetUserProfile(sAccount);

  Console.WriteLine(u[PropertyConstants.WorkEmail].Value);
}
It fails on the UserProfileManager constructor.

March 16th, 2011 4:31pm

1.  Is that URL "http://sp.example.com/" the same URL as the site the code is running on? If it is, scratch all that and just do "UserProfileManager profileManager = new UserProfileManager(); //that will use the current context".

2.  If that URL isn't the same site as the site this code is being run on, then you need to fix your Service Associations.

The UserProfileManager pulls profiles from the User Profile Service Application.  If more than one webapp on your farm needs to access those user profiles, instead of trying to get the context for the other web app, you should Associate that User Profile Service with BOTH web applications so each web application would have a Proxy to the same UserProfile Service application, then you can do

UserProfileManager profileManager = new UserProfileManager() on both web applications and they'll be accessing the same user profile store. (You should avoid opening new SPSite and SPWeb objects wherever possible; spinning one of those up eats a TON of RAM, that's why they need to be disposed and why doing so is of such extreme importance.)

Service Applications in 2010 are designed so you don't have to do that cross site context stuff, multiple web apps can use the same search service, user profile service, meta data term store service etc etc.  And a web application can have multiple services of X type associated with it, but I don't think user profile manager supports doing that.


And Finally, All Authenticated Users isn't always good enough.


E.g. if you're using Forms Based Authentication, or a custom TrustedIdentityProvider, they don't count as an Authenticated User; you would need to add "All Users (MembershipProviderHere)" and "All Users (IdentityProviderHere)".  Reason being, for something to qualify as a MembershipProvider they would have to be logged in, but for something to qualify as a Windows User you wouldn't have to be logged in (because even logged in anonymously you're still a Windows user as IIS_USR), so All Authenticated Users is a Windows/AD thing.

If you're getting access denied logged in on a Windows account, then it's likely that the CONTEXT you are passing in to the UserProfileManager doesn't grant access to the user you're logged in as, so the SPSite "http://sp.example.com" is what's giving you the access denied.

If you think about that in detail, you are logged in on the current site "blah.com", and you are spinning up a web site "http://sp.example.com/" which you are not logged in to, so the user profile manager is returning access denied, because that context isn't authenticated and you're only granting access to Authenticated Users.

It's for that reason that I tell you to refer to #2. Because to get your way working, you would need to set up some form of SSO so that when you log into http://blah it logs you into http://sp.example.com/ as well.  Or you could wrap your User Profile code in SPSecurity.RunWithElevatedPrivileges which would run it as the apppool Identity which is an Authenticated User.

March 17th, 2011 4:12am

Hi Mark,

I can reproduce the issue based on your description.

The cause of the issue is that the user (in this case, the user who is not the service account) does not have the permissions for impersonation.
The user or group running the user profile service application must have permissions set in the User Profile Service application.
The user can not be a Farm Account, a User Profile Service application administrator, but it must have the permissions set for impersonation.

So, to solve the issue, please follow these steps:

  1. Open the SharePoint 2010 Central Administration page, and then click Manage Service Applications.
  2. Select the row for the User Profile Service application. Instead of clicking the name, select the row to highlight it.
  3. On the Service Applications tab, click Permissions.
  4. In the Connection Permissions for User Profile Service Application dialog box, add the user or group that needs permission to run impersonation applications. After you click Add, and the user name shows in the list of claims, select the added user in the list and then select the Full Control check box. Otherwise, the user is not added when you click OK. Full Control is the only option.
  5. To ensure that the user or group is added, reopen the Connection Permissions for User Profile Service Application dialog box and confirm that the new user or group displays in the list of claims.

After that, you will be able to run the code: UserProfileManager profileManager = new UserProfileManager(context);

If there is anything unclear, please feel free to ask.

Thanks,
Jinchun Chen

March 17th, 2011 6:05am
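The same Connection Permissions grant described in the steps above, scripted so it can be applied and audited from the SharePoint 2010 Management Shell. This is an added example, not code from the thread; the account name is a placeholder, and the Get-SPServiceApplicationSecurity / Grant-SPObjectSecurity / Set-SPServiceApplicationSecurity cmdlets used are the standard SharePoint 2010 ones.

```powershell
# Added example (not from the thread). Grants Connection Permissions on the
# User Profile Service Application (the "Permissions" ribbon button, not the
# "Administrators" one) to one account, then lists the resulting ACL so the
# grant can be reviewed. Account name below is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$accountName = "THEDOMAIN\theaccount"   # placeholder: identity the console app runs as

# Locate the UPA by type name; the display name differs from farm to farm.
$upa = Get-SPServiceApplication | Where-Object {
    $_.TypeName -eq "User Profile Service Application"
}
if (-not $upa) { throw "No User Profile Service Application found in this farm." }

# Connection Permissions are the service application's non-admin ACL.
# (The Administrators ribbon button corresponds to the same cmdlets with -Admin.)
$security  = Get-SPServiceApplicationSecurity $upa
$principal = New-SPClaimsPrincipal -Identity $accountName -IdentityType WindowsSamAccountName

# Full Control is the only right offered on this ACL, as the thread notes.
Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"
Set-SPServiceApplicationSecurity $upa -ObjectSecurity $security

# Review: this is an impersonation grant, so the list of holders should stay short.
(Get-SPServiceApplicationSecurity $upa).AccessRules |
    Select-Object Name, AllowedRights
```

Run the final two lines on their own to audit the existing ACL before granting anything.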

Hi Ryan,

This is a console app, so that is why I am using a SPSite as the means to populate the SPServiceContext.  Also this code runs unmodified when run as the farm/user profile SA account.

This farm is a simple implementation, just a single content web app and we are using NTLM auth without any custom or claims based auth providers.

March 17th, 2011 6:28pm

Thanks Jin.  That worked like a champ.  I hadn't seen any references to the use of those settings anywhere.  I assume that for other service apps, their permissions settings would need to be altered as well to use them in a standalone console app?
March 17th, 2011 6:37pm

Hi Mark,

A little confused: I did not receive the mail alert, so I am replying late.

You are right. That is for other service applications. However, it is the same for the User Profile Service application. The Permission tab is used to set the impersonation permissions.

As a matter of fact, it does not matter whether we are using a standalone console application or not; it is the credential that is concerned. If we use a credential to create the UserProfileManager and the credential does not have permissions to impersonate, the console application will fail.

Thanks,
Jinchun Chen

March 18th, 2011 9:32am

I have the same issue when running a console app to call the UserProfileManager constructor with an SPServiceContext object, with a service account that

  1. is the farm account,
  2. is included in the admins for the User Profile Service App, and
  3. also has Full Control on the "Permissions" tab of the User Profile Service App.

Not sure what I am missing here, getting the following exception:

System.NullReferenceException: Object reference not set to an instance of an object.
   at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.get_ApplicationProperties()
   at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.CheckAdministrationAccess(UserProfileApplicationAdminRights rights, Boolean requireAllRights)
   at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.CheckAdministrationAccess(UserProfileApplicationAdminRights rights)
   at Microsoft.Office.Server.UserProfiles.ProfileManagerBase.CanManagePeople(UserProfileApplicationProxy userProfileApplicationProxy)
   at Microsoft.Office.Server.UserProfiles.ProfileManagerBase.get_IsProfileAdmin()
   at Microsoft.Office.Server.UserProfiles.UserProfileManager..ctor(SPServiceContext serviceContext, Boolean IgnoreUserPrivacy, Boolean backwardCompatible)
   at Microsoft.Office.Server.UserProfiles.UserProfileManager..ctor(SPServiceContext serviceContext)

Any thoughts? I appreciate your help on this.

Thanks,

Sree

May 16th, 2011 6:29am

Hi Sree,

Thank you for your posting.

As this thread was closed, could you please open a new thread for your question?

Thanks,
Jinchun Chen

May 16th, 2011 6:31am

Worked for me! Thanks
June 12th, 2014 6:36am
