Non site collection admins unable to publish from MS Project

We recently had a strange issue with TFS integrated with Project Server. Users who were not site collection admins weren't able to use MS Project to publish a project that was mapped to TFS.

It was working fine for admins.

We decided to get to the root of it and took a Fiddler trace.

When we used such an account to access MS Project, the following was logged in Fiddler:

SOAPAction: "https://schemas.microsoft.com/TeamFoundation/2008/01/Services/PsiExtension/01/GetMappedProjectInfo"

Failure - <faultcode>PermissionDenied</faultcode>
<faultstring><PSIEXTENSIONERROR>|Error_NotProjectManager</faultstring>

This wasn’t of much help as the user was a project manager.

At the same time, we saw this in the ULS logs:

Impersonation is not supported in SharePoint permission mode

Unhandled exception in the process of routing the request to the app server: Target=https://server/pwa/_vti_bin/PSI/Security.asmx, exception=[InvalidOperationException] Operation is not valid due to the current state of the object., StackTrace=   at Microsoft.Office.Project.Server.WcfTrustedFacadeHelperMethods.TryGetImpersonationContextInfo(String originalTargetUrl, OperationContext context, ImpersonationHeader& impersonationHeader)    

Connectivity exception [InvalidOperationException] Operation is not valid due to the current state of the object when forwarding request to app server https://server/pwa/_vti_bin/PSI/Security.asmx

This pointed to a problem between the SharePoint permission mode and the TFS integration.
As a temporary fix, we tried switching the permission mode to ProjectServer, and things started working like a charm.

Switching the permission mode can be done with a single SharePoint cmdlet:

Set-SPProjectPermissionMode [-Url] <Uri> [-Mode] <SharePoint | ProjectServer | UninitializedSharePoint | UninitializedProjectServer> [[-AdministratorAccount] <String>] [-AssignmentCollection <SPAssignmentCollection>]

However, this resets the permissions within Project Server to their default state, and users may lose permissions that they hold, so it should be done only after careful consideration.
In this case the customer could run the switch command.

Alternatively, if we had to keep the permission mode as SharePoint, we could have made all the needed users site collection admins.
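Because the switch resets permissions, it helps to record who holds what before running it. The script below is an added example, not part of the original troubleshooting: it checks the current mode, exports the PWA site's SharePoint group membership and site collection admins to CSV, and only then switches. The parameter names, output file names and the typed confirmation are assumptions made for illustration.

```powershell
# Added example: snapshot PWA permissions, then switch the permission mode.
# $PwaUrl and $OutDir are illustrative parameters; run from the SharePoint Management Shell.
param(
    [Parameter(Mandatory)] [Uri] $PwaUrl,
    [string] $OutDir = '.'
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Check the current mode so the switch is never run needlessly.
$current = Get-SPProjectPermissionMode -Url $PwaUrl
Write-Host "Current permission mode for ${PwaUrl}: $current"
if ("$current" -eq 'ProjectServer') {
    Write-Host 'Already in ProjectServer mode; nothing to do.'
    return
}

# 2. Record SharePoint group membership and site collection admins,
#    so access can be reviewed and reassigned after the reset.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$web = Get-SPWeb -Identity $PwaUrl.AbsoluteUri
try {
    $web.SiteGroups | ForEach-Object {
        $group = $_
        $group.Users | ForEach-Object {
            [pscustomobject]@{
                Group = $group.Name
                Login = $_.LoginName
                Name  = $_.Name
            }
        }
    } | Export-Csv -Path (Join-Path $OutDir "pwa-groups-$stamp.csv") -NoTypeInformation

    $web.SiteAdministrators |
        Select-Object LoginName, Name |
        Export-Csv -Path (Join-Path $OutDir "pwa-site-admins-$stamp.csv") -NoTypeInformation
}
finally {
    $web.Dispose()
}

# 3. Switch only after an explicit, typed confirmation.
$answer = Read-Host "Switching resets Project Server permissions. Type YES to continue"
if ($answer -ceq 'YES') {
    Set-SPProjectPermissionMode -Url $PwaUrl -Mode ProjectServer
    Write-Host "New permission mode: $(Get-SPProjectPermissionMode -Url $PwaUrl)"
} else {
    Write-Host 'Aborted; permission mode unchanged.'
}
```

The site collection admin export also gives a baseline for the alternative above, showing how many accounts already hold that level of access before any more are added.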

 

Content Created By: Venkata Narasimhan A
Content Reviewed By: Romit Gulati