Sharepoint - Access Denied while setting Metadata Store Permission

Our solution was to go to SP Central Admin > System Settings > Services on Server and start the "Claims to Windows Token Service". We also found this error in the logs which helped lead us to this as the solution:

SPSecurityContext.WindowsIdentity: Could not retrieve a valid windows identity for NTName='PRMM-SP\polyadmin', UPN='[email protected]'. UPN is required when Kerberos constrained delegation is used. Exception: System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at net.pipe://localhost/s4u/022694f3-9fbd-422b-b4b2-312e25dae2a2 that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. ---> System.IO.PipeException: The pipe endpoint 'net.pipe://localhost/s4u/022694f3-9fbd-422b-b4b2-312e25dae2a2' could not be found on your local machine.

For us I feel that this situation may only occur because the user we are trying to add in the metadata permissions has both an AD and ADFS (claims) entry. I have seen where EnsureUser or some other API call fails when you have identical IDs across two user stores.
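An added check, written for this page and not part of the answer above: in the SharePoint Management Shell it verifies the Claims to Windows Token Service on every farm server, starts it where it is stopped, confirms the local c2wts Windows service is running, and scans recent ULS logs for the s4u endpoint error quoted above. It assumes farm-administrator rights and that the service instance's TypeName is "Claims to Windows Token Service".

```powershell
# Added example: check C2WTS farm-wide and hunt the ULS logs for the s4u error.
# Run in the SharePoint Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Farm service instances: C2WTS must be Online on the server(s) that
#    serve the request, or the net.pipe://localhost/s4u/<id> endpoint never exists.
$c2wts = Get-SPServiceInstance |
    Where-Object { $_.TypeName -eq "Claims to Windows Token Service" }
foreach ($instance in $c2wts) {
    "{0,-30} {1}" -f $instance.Server.Address, $instance.Status
    if ($instance.Status -ne "Online") {
        # Same as Central Admin > System Settings > Services on Server > Start
        Start-SPServiceInstance -Identity $instance.Id | Out-Null
        "  -> start requested on $($instance.Server.Address)"
    }
}

# 2. The local Windows service (service name c2wts) must also be running,
#    otherwise the EndpointNotFoundException / PipeException above is what you get.
$svc = Get-Service -Name c2wts -ErrorAction SilentlyContinue
if (-not $svc) {
    "Windows service c2wts is not installed on $env:COMPUTERNAME"
} elseif ($svc.Status -ne "Running") {
    Start-Service -Name c2wts
    "Started c2wts on $env:COMPUTERNAME"
} else {
    "c2wts already running on $env:COMPUTERNAME"
}

# 3. Look for the tell-tale messages in ULS logs written during the last day.
#    LogLocation may contain %CommonProgramFiles%, so expand it first.
$logDir = [Environment]::ExpandEnvironmentVariables((Get-SPDiagnosticConfig).LogLocation)
Get-ChildItem -Path $logDir -Filter "*.log" |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) } |
    Select-String -Pattern "Could not retrieve a valid windows identity", "net.pipe://localhost/s4u" |
    Select-Object -First 20 Filename, LineNumber, Line
```

If step 3 still reports the error after the service is Online and running, the remaining candidates are the ones the answer mentions: the account's Kerberos constrained delegation / UPN setup and duplicate identities across the AD and claims user stores.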


It sounds as though you need to go into your Business Data Connectivity Service Application and set the permissions on the object. First, go to Central Administration->Application Management->Manage service applications. Find your Business Data Connectivity service application and go to the Manage page. Select the external content type and go to Set Permissions on the ECB menu, or Set Object Permissions on the ribbon. From the Set Object Permissions pop-up dialog page you can add accounts and set their permissions. You will need to give the user who is logging in to SharePoint at least Execute permission to be able to see the list items (not to be confused with the account that will access the database).

I have blogged a few error messages like this one that keep catching me out.