Symptoms
Error when navigating to a SharePoint List:
The remote server returned an error: (401) Unauthorized.Failed to initialize the Context: URL: [SHAREPOINT_SITE_URL] Username: Error Details: Method: SharePointService.initializeContext x-ms-diagnostics : 3001000reason="There has been an error authenticating the request."category="invalid_client"
SPRequestGuid : b992789d-200f-f05d-6a8b-4604b4ceb15b
Type: SourceCode.SmartObjects.Client.SmartObjectException Source: SourceCode.SmartObjects.Client Method Base Member
Diagnoses
1) Duplicate User Profiles: In the ULS logs we saw the following error:
Error trying to search in the UPA. The exception message is 'Microsoft.Office.Server.UserProfiles.DuplicateEntryException: GetUserProfileByPropertyValue: Multiple User Profiles found with propertyName 'SPS-UserPrincipalName' of specified value
2) ClaimTypeMapping incorrect: Using the K2HostServer Logs we could see the following:
"Error","SmartObjects","10702","Error","SourceCode.SmartObjects.ServiceBroker [ExecuteSmartObject]","10702 An error occurred in the [SHAREPOINT_SITE_NAME] Service Instance. The remote server returned an error: (401) Unauthorized.Failed to initialize the Context
Just before the error I saw the following:
"Debug","General","0","DebugMessage","SourceCode.Security.OAuth.Service.OAuthService.GetOAuthToken","0 Decoded OAuth Token for Resource='SHAREPOINT_SITE_NAME' ResourceAudience='RESOURCE_AUDIENCE' CredentialID='CREDENTIAL_GUID'
The credential we used was an ADFS credential, so we mapped the Credential GUID back to its SecurityProvider, which was set to "SourceCode.Hosting.SecurityProviders.SSPI". This means that the user being returned is: K2:[USERNAME] (Windows Account)
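The log correlation described in diagnosis 2 can be scripted. The following is an added example, not K2 tooling or code from the original article: it pairs each 401 error with the OAuth token decoded just before it and extracts the CredentialID to check against the SecurityProvider. The function name and all sample values are hypothetical, and the sample lines are constructed from the field layout quoted above.

```python
import csv
import io
import re

# Constructed sample in the field layout of the K2HostServer lines quoted above
# (placeholder values only; real files may carry additional columns).
SAMPLE_LOG = '''\
"Debug","General","0","DebugMessage","SourceCode.Security.OAuth.Service.OAuthService.GetOAuthToken","0 Decoded OAuth Token for Resource='SITE_A' ResourceAudience='AUD_A' CredentialID='CRED_A'"
"Info","General","0","InfoMessage","Constructed.Source","0 unrelated entry"
"Debug","General","0","DebugMessage","SourceCode.Security.OAuth.Service.OAuthService.GetOAuthToken","0 Decoded OAuth Token for Resource='SITE_B' ResourceAudience='AUD_B' CredentialID='CRED_B'"
"Error","SmartObjects","10702","Error","SourceCode.SmartObjects.ServiceBroker","10702 An error occurred in the SITE_B Service Instance. The remote server returned an error: (401) Unauthorized.Failed to initialize the Context"
'''

TOKEN_RE = re.compile(
    r"Decoded OAuth Token for Resource='([^']*)' "
    r"ResourceAudience='([^']*)' CredentialID='([^']*)'"
)

def correlate_401_with_tokens(log_text):
    """Return one dict per 401 error, paired with the last token decoded before it."""
    findings = []
    last_token = None
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue
        message = row[-1]  # the message is the last column in the quoted lines
        match = TOKEN_RE.search(message)
        # Match fields by content, not position, in case of extra leading columns.
        if match and any(field.endswith("GetOAuthToken") for field in row):
            keys = ("resource", "audience", "credential_id")
            last_token = dict(zip(keys, match.groups()))
            continue
        if "Error" in row and "(401) Unauthorized" in message:
            findings.append({"error": message, "token": last_token})
            last_token = None  # a later 401 must not inherit a stale token
    return findings

if __name__ == "__main__":
    for finding in correlate_401_with_tokens(SAMPLE_LOG):
        token = finding["token"] or {}
        print("401 after token for", token.get("resource"),
              "CredentialID:", token.get("credential_id"))
```

The reported CredentialID still has to be mapped to its SecurityProvider by hand, as described above.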
Resolution
1) We removed the duplicate UserProfile
2) We updated the ClaimTypeMapping and set the ADFS type mapping from 'K2' to 'K2ADFS'