Why the tokenGroupsGlobalAndUniversal (TGGAU) attribute matters in SharePoint 2010

I’ve seen more than one major issue affecting multiple service applications that traced back to the same cause. If SharePoint 2010 service accounts don’t have the appropriate rights in Active Directory, you may see common operations fail, for example:

Related to Search: Attempting to search throws an “Unable to display this web part” error.

Related to Profiles: Unable to provision user profile synchronization service “local instance” on a server.

For both of these issues, the ULS logs contain the following event:

AuthzInitializeContextFromSid failed with GLE: 5

In SharePoint 2010, most service accounts require some specific access to Active Directory or certain functions will fail. The GLE value 5 in that event is ERROR_ACCESS_DENIED. SharePoint 2010 uses the AuthzInitializeContextFromSid function. In a service application scenario, this function runs under the context of the associated service account and performs an S4U logon.

From MSDN:

AuthzInitializeContextFromSid attempts to retrieve the user’s token group information by performing an S4U logon.

In order to call AuthzInitializeContextFromSid, the caller (the service account) needs to be able to read the TGGAU attribute. In Windows 2000 and Windows 2003 domains, members of the Pre-Windows 2000 Compatible Access group are able to read the TGGAU attribute. At a minimum, certain service accounts like the search service account need to be a member of this group. See the resources section for more information.
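The following script is an added check, not the post’s own code, that answers the question above for each service account: does it hold the Pre-Windows 2000 Compatible Access membership (directly, nested, or because that group was opened to Authenticated Users or Everyone), or an explicit read ACE on the domain head, that would let AuthzInitializeContextFromSid read TGGAU. It assumes the ActiveDirectory PowerShell module on a domain-joined host; the account names in $serviceAccounts are placeholders.

```powershell
# Added check, not part of the original post: for each SharePoint 2010 service account,
# report whether it can read tokenGroupsGlobalAndUniversal (TGGAU), either through
# (nested) membership in "Pre-Windows 2000 Compatible Access", that group having been
# opened to Authenticated Users or Everyone, or an explicit read ACE on the domain head.
# Assumes the ActiveDirectory module on a domain-joined host and rights to read the domain ACL.
Import-Module ActiveDirectory

# sAMAccountNames to check; these are placeholders, replace them with your farm's accounts.
$serviceAccounts = @('svc_spsearch', 'svc_spups')

$domain    = Get-ADDomain
$preW2k    = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member
# Foreign security principals are named by SID: S-1-5-11 = Authenticated Users, S-1-1-0 = Everyone.
$openToAll = (@($preW2k.member) -match '^CN=(S-1-5-11|S-1-1-0),').Count -gt 0

# Resolve the attribute's schemaIDGUID from the schema instead of hardcoding it.
$tggauGuid = [guid](Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=tokenGroupsGlobalAndUniversal)' -Properties schemaIDGUID).schemaIDGUID

# Allow ACEs on the domain head granting ReadProperty on TGGAU itself, or on all properties
# (GenericRead/GenericAll carry an empty ObjectType); collect the trustee SIDs.
$readProp = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$aceSids  = (Get-Acl -Path "AD:\$($domain.DistinguishedName)").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (([int]$_.ActiveDirectoryRights -band $readProp) -ne 0) -and
    ($_.ObjectType -eq $tggauGuid -or $_.ObjectType -eq [guid]::Empty)
} | ForEach-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }

$chain = '1.2.840.113556.1.4.1941'   # LDAP_MATCHING_RULE_IN_CHAIN: nested membership, evaluated server-side
foreach ($name in $serviceAccounts) {
    $user    = Get-ADUser -Identity $name -Properties primaryGroupID
    # The primary group is not in any "member" attribute, so resolve it by SID and walk from it too.
    $primary = Get-ADGroup -Identity "$($domain.DomainSID.Value)-$($user.primaryGroupID)"
    $filter  = "(|(member:$chain:=$($user.DistinguishedName))(member:$chain:=$($primary.DistinguishedName)))"
    $sids    = @($user.SID.Value, $primary.SID.Value) +
               @(Get-ADGroup -LDAPFilter $filter | ForEach-Object { $_.SID.Value })

    $viaGroup = $openToAll -or ($sids -contains $preW2k.SID.Value)
    $viaAce   = @($aceSids | Where-Object { $sids -contains $_ }).Count -gt 0
    New-Object PSObject -Property @{
        Account      = $name
        PreW2KMember = $viaGroup
        ExplicitAce  = $viaAce
        CanReadTGGAU = ($viaGroup -or $viaAce)
    }
}
```

An account reported with CanReadTGGAU = False is the one to add to Pre-Windows 2000 Compatible Access (or grant the read ACE) before chasing the search or profile symptom further; distinguished names containing ( ) * or \ would need LDAP filter escaping before use in $filter.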