Symptoms
One of the users was moved from one domain to another by accident, and then moved back to the original domain. Since then the user has been getting the following error when using the K2 App for SharePoint 2013:
The remote server returned an error: (401) Unauthorized.Failed to initialize the Context: URL:
%URL% USername: Error Details: Method:
reason="There has been an error authenticating the request"
The user was removed from the site's All Users list and re-added. This temporarily resolved the issue, but after one day the problem came back.
Diagnosis
Essentially what happened is:
1. User was moved -> New SID was generated for the user
2. User was moved back -> New SID was generated for the user -> The user has the Initial and the second SID in the AD DS SID history.
3. The SID sent in the XML file matches the current SID of the user and also matches the SID stored in the K2 identity tables ([K2].[HostServer].[SecurityCredentialCache]).
So essentially everything is correct between K2 and AD DS.
Based on the error message we can see that this is an issue with the SharePoint User Profile Service. For OAuth tokens to work, the following properties have to be populated:
SPS-ClaimID
SPS-ClaimProviderID
SPS-ClaimProviderType
SPS-UserPrincipalName
You can check the results of the GetMyProperties method; most likely the affected user will have some essential properties missing, e.g.:
SPS-ClaimID: (not populated)
SPS-ClaimProviderID: Windows
SPS-ClaimProviderType: Windows
SPS-UserPrincipalName: user@domain.com
Here, for example, SPS-ClaimID is not populated. You can also compare against the GetMyProperties results for a user who has no issues to see which properties are populated for that user.
For additional details please see this MSFT KB:
https://technet.microsoft.com/en-us/library/gg750254(v=office.14).aspx
"In claims-based Web applications, SharePoint Server uses the Claim User Identifier property (SPS-ClaimID) to match an authenticated user to the correct user profile. If the SPS-ClaimID is not mapped to the directory service attribute that you want to use as the user identifier, when a user is authenticated, he or she is not matched to the correct user profile and will not see the imported user profile data.
To resolve this issue, map the SPS-ClaimID property to the directory service attribute that uniquely identifies the user and then start a full profile synchronization. For example, if you are using a trusted identity provider for authentication that uses the e-mail address as the identity claim, map the SPS-ClaimID property to the mail attribute. For more information about mapping profile properties, see Map user profile properties in "Configure profile synchronization"."
In order to check that the UPA properties are populated correctly for a specific user, ask this user to log in to SharePoint and navigate to the following page:
https:///_api/SP.UserProfiles.PeopleManager/GetMyProperties
This should return all UPA properties for the user. For OAuth tokens to work correctly, the following properties should be populated: SPS-ClaimID, SPS-ClaimProviderID, SPS-ClaimProviderType, and SPS-UserPrincipalName.
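As an added check (example code, not part of the original article or of K2), the following Python snippet parses a saved GetMyProperties response and reports which of the four OAuth-related properties are absent or blank. It assumes the JSON shape returned when the request is made with Accept: application/json;odata=verbose (properties under d.UserProfileProperties.results as Key/Value pairs); the sample response is constructed to mimic the affected user, with SPS-ClaimID blank.

```python
import json

# Properties that must be populated for SharePoint 2013 OAuth tokens to work
# (the four listed in the article above).
REQUIRED_OAUTH_PROPERTIES = (
    "SPS-ClaimID",
    "SPS-ClaimProviderID",
    "SPS-ClaimProviderType",
    "SPS-UserPrincipalName",
)

# Constructed sample of a GetMyProperties response for the affected user.
# Assumed shape: odata=verbose JSON, with the property list under
# d.UserProfileProperties.results. Account and domain names are placeholders.
SAMPLE_RESPONSE = json.dumps({
    "d": {
        "AccountName": "i:0#.w|contoso\\jdoe",
        "UserProfileProperties": {
            "results": [
                {"Key": "SPS-ClaimID", "Value": "", "ValueType": "Edm.String"},
                {"Key": "SPS-ClaimProviderID", "Value": "Windows", "ValueType": "Edm.String"},
                {"Key": "SPS-ClaimProviderType", "Value": "Windows", "ValueType": "Edm.String"},
                {"Key": "SPS-UserPrincipalName", "Value": "jdoe@contoso.com", "ValueType": "Edm.String"},
                {"Key": "SID", "Value": "S-1-5-21-<placeholder>", "ValueType": "Edm.String"},
            ]
        },
    }
})


def extract_properties(response_text):
    """Flatten the UserProfileProperties list into a {Key: Value} dict."""
    body = json.loads(response_text)
    results = body.get("d", {}).get("UserProfileProperties", {}).get("results", [])
    return {entry["Key"]: entry.get("Value") for entry in results}


def missing_oauth_properties(response_text):
    """Return the required properties that are absent or blank in the profile."""
    props = extract_properties(response_text)
    return [key for key in REQUIRED_OAUTH_PROPERTIES
            if not (props.get(key) or "").strip()]


if __name__ == "__main__":
    missing = missing_oauth_properties(SAMPLE_RESPONSE)
    if missing:
        print("Profile sync needed; unpopulated properties:", ", ".join(missing))
    else:
        print("All OAuth-related profile properties are populated.")
```

Run it against the real response by saving the page returned from the GetMyProperties URL and passing its text to missing_oauth_properties.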
Resolution
Make sure that SharePoint UPA is configured correctly and run the Profile Sync for the affected user to resolve this issue.