ValidateCredentialClaims - Access Denied: Claims stored in the credentials did not match with the group claim for a group app

I try to create an Access Services 2013 database and I get that error and nothing works.
I deleted the Secure Store and recreated it.
Didn't help.

Same exact error.
Access Services are running under their own domain account like it says to do in the provisioning guide!
Very frustrated here.

This is the user it claims to be: NT AUTHORITY\IUSR
ValidateCredentialClaims - Access Denied: Claims stored in the credentials did not match with the group claim for a group app.

GetRestrictedCredentials failed with the following exception: System.ServiceModel.FaultException`1[Microsoft.Office.SecureStoreService.Server.SecureStoreServiceFault]: Access is denied to the Secure Store Service. (Fault Detail is equal to Microsoft.Office.SecureStoreService.Server.SecureStoreServiceFault).

Do I need to add this user to the registered Secure Store users?
Jay Toops Asked:
Bob Learned Commented:
Did you try these steps?

Access Denied : Claims stored in credentials did not match with group claim for a group app
http://splearningcurve.blogspot.com/2013/05/access-denied-claims-stored-in.html
Jay Toops Author Commented:
I can't follow this because there is no "target application" for an Access Services app. I am assuming Access Services 2013 uses it kind of under the hood for some reason, but none of the guides I have seen have asked for anything to be set up other than the Secure Store master key.
Jay Toops Author Commented:
This seems to be a permission problem of some kind...
However, I can use Access Services to CREATE the MS Access 2013 app, but then it refuses to authenticate when any request comes in to view it.
Bob Learned Commented:
Be patient with me, as I am out of my depth when it comes to SharePoint, and definitely with Access Services, since I have never needed nor used it.

I am reviewing articles like this (although they may not prove to be useful):

Set up and configure Access Services 2010 for web databases in SharePoint Server 2013
https://technet.microsoft.com/en-us/library/ee748653.aspx

But, you may also request that this question be deleted, if you wish, if you need a quick resolution.
Bob Learned Commented:
We shouldn't disregard the easy:

https://social.technet.microsoft.com/Forums/office/en-US/e0a24bed-d044-4695-bdab-49eec81adec5/validatecredentialclaims-access-denied-claims-stored-in-the-credentials-did-not-match-with-the?forum=sharepointadminprevious

I have restarted all my servers (I created above user groups and immediately used them), since then, all works fine

Usually servers are not restarted, so it might be easily overlooked.
Bob Learned Commented:
Everything seems to point to the Secure Store Service, and administering the target application, which is confusing to me:

How to resolve "Access is denied to the Secure Store Service." error in SharePoint 2013
http://ragavj.blogspot.com/2015/02/how-to-resolve-access-is-denied-to.html

The best way to resolve this issue is to check the configured Target Application ID, especially "Members - The users and groups that are mapped to the credentials defined for this Target Application." and ensure proper user or group is entered (by clicking the "Edit" option on the Target Application in under Secure Store Service Application Administration screen -  Central Admin > Application Management > Manage Service Applications > Secure Store Service and Edit the Target Application ID > Click on Next till you get to the third page and set the field "Members" with the proper users/groups who will access this External list from SharePoint - in my example I set to "All Users")
Jay Toops Author Commented:
I have restarted all the servers in the farm. No help.

Access Services does not ADD a target application ID to the Secure Store list, so I cannot perform this task.

I can create an Access 2013 app using my personal domain ID on my SharePoint 2013 server.
I can see it creating a database on the server for it...

However, when I go to open the app I get:


Sorry, there was a problem with db1
etc etc ...
Correlation ID: cf9e089d-1b1d-10ca-a35d-b1bfb65de3eb

I look up the correlation ID in the ULS and I find these errors:



SecureStoreServices.GetSecureStoreLogin: Unable to get the secure store credentials. Exception: Microsoft.Office.SecureStoreService.Server.SecureStoreServiceException: Access is denied to the Secure Store Service.    
 at Microsoft.Office.SecureStoreService.Server.SecureStoreServiceApplicationProxy.Execute[T](String operationName, Boolean validateCanary, ExecuteDelegate`1 operation)    
 at Microsoft.Office.SecureStoreService.Server.SecureStoreServiceApplicationProxy.GetRestrictedCredentials(Guid rawPartitionId, String applicationId)    
 at Microsoft.Office.SecureStoreService.Server.SecureStore.GetRestrictedCredentials(String applicationId)    
 at Microsoft.Office.Access.Services.MossHost.SecureStoreServices.<>c__DisplayClassb.<GetSecureStoreLogin>b__9()    
 at Microsoft.SharePoint.SPSecurity.<>c__DisplayClass5.<RunWithElevatedPrivileges>b__3()    
 at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)    
 at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback secureCode, Object param)    
 at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated secureCode)    
 at Microsoft.Office.Access.Services.MossHost.SecureStoreServices.GetSecureStoreLogin(String loginTargetApplicationId, LoginType loginType)

Microsoft.Office.Access.Services.Proxy.AccessServerSessionException: Sorry, your changes could not be saved. Please refresh your browser and try again.
 at Microsoft.Office.Access.Services.Proxy.ServerSession.ExecuteWebMethodCore(WebMethodType webMethodType, WebMethodBehaviorAttribute webMethodBehavior, CommandParameter parameter, CoreWebMethod coreWebMethod)
 at Microsoft.Office.Access.Services.Proxy.ServerSession.ExecuteWebMethod(WebMethodType webMethodType, WebMethodBehaviorAttribute webMethodBehavior, CommandParameter parameter, CoreWebMethod coreWebMethod)
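
Added example (not part of the thread or of any poster's code): a small Python triage of a ULS export that pulls the two Secure Store failure signatures quoted above for one correlation ID, stitching messages that ULS splits across continuation lines. It assumes the usual tab-separated ULS column layout and the `*` / `...` continuation convention; the function names and all sample row values except the messages and the correlation ID are constructed.

```python
# Constructed ULS excerpt: timestamps, process, TID, area, category, event ID
# and level are made up; messages (abridged) and the correlation ID are the
# ones quoted in the thread.
CID = "cf9e089d-1b1d-10ca-a35d-b1bfb65de3eb"
FIELDS = ["timestamp", "process", "tid", "area", "category",
          "event_id", "level", "message", "correlation"]
SIGNATURES = {
    "claims_mismatch": "ValidateCredentialClaims - Access Denied",
    "secure_store_denied": "Access is denied to the Secure Store Service",
}

def _row(ts, area, msg, cid=CID):
    # Build one tab-separated sample line with placeholder process/TID/event ID.
    return "\t".join([ts, "w3wp.exe (0x0001)", "0x0002", area, "General", "0000", "High", msg, cid])

SAMPLE = "\n".join([
    "\t".join(FIELDS),
    _row("01/01/2015 10:00:01.10", "Secure Store Service",
         "ValidateCredentialClaims - Access Denied: Claims stored in the credentials did not match with the group claim for a group app."),
    _row("01/01/2015 10:00:01.12", "Access Services",
         "GetRestrictedCredentials failed with the following exception: Access is denied to the Sec..."),
    _row("01/01/2015 10:00:01.12*", "Access Services", "...ure Store Service."),
    _row("01/01/2015 10:00:02.00", "Secure Store Service",
         "Access is denied to the Secure Store Service.", cid="00000000-0000-0000-0000-000000000000"),
    _row("01/01/2015 10:00:03.00", "SharePoint Foundation", "Request completed."),
])

def read_events(text):
    """Parse ULS lines into dicts, merging continuation lines into their parent."""
    events = []
    for line in text.splitlines()[1:]:          # skip the header row
        cols = [c.strip() for c in line.split("\t")]
        if len(cols) != len(FIELDS):
            continue                            # not a well-formed ULS row
        ev = dict(zip(FIELDS, cols))
        if ev["timestamp"].endswith("*") and events:
            # Continuation: drop the "..." markers and append to the previous event.
            head, tail = events[-1]["message"], ev["message"]
            head = head[:-3] if head.endswith("...") else head
            events[-1]["message"] = head + (tail[3:] if tail.startswith("...") else tail)
            continue
        events.append(ev)
    return events

def triage(text, correlation_id):
    """Return (signature, area) for each known failure under one correlation ID."""
    hits = []
    for ev in read_events(text):
        if ev["correlation"].lower() == correlation_id.lower():
            hits += [(n, ev["area"]) for n, s in SIGNATURES.items() if s in ev["message"]]
    return hits
```

Without the stitching step the second signature would be missed, because the sample splits it across two lines.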
Bob Learned Commented:
I think that you should open another question, and ask if you need to create a target application in order to access the Secure Store.

SharePoint: Retrieving Credentials from the Secure Store Application using C#
http://social.technet.microsoft.com/wiki/contents/articles/20110.sharepoint-retrieving-credentials-from-the-secure-store-application-using-c.aspx

Creating a Target Application in the Secure Store
Jay Toops Author Commented:
OK, the basic resolution for this was that the database user the Secure Store app was using was not a member of the proper groups; it needed to have "security admin" and "DBO" added.

I think what happened was the initial Secure Store was corrupted for some reason (or not properly configured).

(Note: I didn't install it.) It seemed to work fine for "regular" Secure Store setup creation etc., but not for Access Services 2013.

Jay

Bob Learned Commented:
Jay,

That is good to know.  I think it would have taken a few too many shots in the dark to reach that conclusion.
Jay Toops Author Commented:
The comments were helpful, but it took a considerable amount of additional research before I got to the root cause.
Bottom line, SharePoint Access Services is a box of snakes and has the worst installation package/plan I have ever seen.