After installing June 2021 CU for SharePoint 2013, 2016 or 2019 you might notice that (e.g.) custom navigation stops working and 8gaol entries are logged in ULS log:
June or July 2021 CU:
August 2021 CU or later:
This behavior was introduced by a security fix which prevents untrusted assemblies from accessing sensitive properties exposed by different SharePoint classes.
Solution
With August 2021 CU for SharePoint functionality was added to enable trusted custom assemblies accessing these sensitive properties by through a web.config modification:
After installing August 2021 CU add a new AllowAccessSensitivePropertiesAssemblies section under the SharePoint SafeMode node in the Web.config file:
<SafeMode>
<AllowAccessSensitivePropertiesAssemblies>
</AllowAccessSensitivePropertiesAssemblies>
…
</SafeMode>
…
</SharePoint>
For each third-party assembly that needs to be enabled, add an entry that has an assembly full name in the AllowAccessSensitivePropertiesAssemblies section:
<SafeMode>
<AllowAccessSensitivePropertiesAssemblies>
<AllowAccessSensitivePropertiesAssembly
Assembly="XXX, Version=XXX, Culture=XXX, PublicKeyToken=XXXX" />
</AllowAccessSensitivePropertiesAssemblies>
…
</SafeMode>
…
</SharePoint>
More details:
- KB 5004581 – User code might be blocked when third-party assemblies access sensitive properties
Permalink
Hello there,
can anybody tell me what is behind term “custom navigation”? In our enterprise farm (based on SP16 on-prem) we have applied custom left navigation to achieve some branding – it is applied as design package (one wsp file) imported to site through its settings. I am now quite in doubts to patch my farm with latest CUs because this “issue” which I don´t know if it is even concerning our environment or not.
Thanx to anyone willing to explain this or guiding me for providing some other informations to clarify my situation.
Permalink
Hi Ladislav,
custom navigation means that you have written a custom assembly which directly accesses sensitive properties from the navigation provider. If you are not sure if this applies to your custom navigation I would suggest to test this in a test environment.
Be aware that Microsoft support recommends: Always evaluate SharePoint fixes in a test environment before applying in production against all business cirtical functions to ensure that there are not negative side effects affecting this business critical functionality.
Cheers,
Stefan
Permalink
@Stefan, I also have a ticket open with Microsoft support for a different error I’m seeing in Search Analytics. The engineer confirmed it is a bug in the June 2021 CU.
The error occurs every 10 minutes, when the job “Usage Analytics Timer Job for Search Application Search Service Application” runs, and throws the error ” type Microsoft.Office.Server.Search.Analytics.AnalyticsEventTypeDefinitionCollection not allowed.”
The job also keeps track of how many hours it has been since a successful run; I’m up in the thousands now.
I can confirm that these errors began the same day I installed the June 2021 CU. The ticket has been escalated to the Product Team and I am waiting to hear back from them.
Permalink
Events: 93s8z, afxw4
Permalink
Hi Greg,
yes – this is a known issue which was introduced with May CU.
Cheers,
Stefan
Permalink
Hi Stefan, Is the above mentioned issue with Usage Analytics job happening for all SP versions or Specific to one ?
Permalink
I can’t speak to the other versions, but we are running SharePoint Server 2016 Enterprise.
Permalink
Hi Stefan , Is the Usage Analytics job issue has been addressed in the August CU ? If not, what’s the ETA on that ?
Permalink
Hi Karthik, it is not included. If you would like to get notified when it is available, please open a support case with Microsoft.
Permalink
Update on the Usage Analytics issue:
“Usage Analytics Timer Job for Search Application Search Service Application” runs, and throws the error ” type Microsoft.Office.Server.Search.Analytics.AnalyticsEventTypeDefinitionCollection not allowed.”
Events: 93s8z, afxw4
I opened a ticket with MS Support, and they said this was due to the fact that my Search Service App (and AnalyticsReporting database) had been migrated from SharePoint 2013. The database’s TenantInfo table contains config information that refers to the 2013 version of SharePoint. The patch team had not considered this scenario, so one of the security changes now considers this “type” to be invalid. The support engineer gave me a fix (which worked) but said it would make my farm unsupported because it was a direct modification to the AnalyticsReporting database. They said if I wanted to try this in production, I should open a separate ticket with MS support to request that my config be supported.
I won’t share that fix here because they also warned that this is not a one-size-fits-all fix, and it might break things in a differently configured farm. If you’re experiencing the same issue, I recommend you open your own ticket with MS.
They plan to fix this issue in an upcoming patch (but they would not estimate when that will be).
Permalink
Hi Greg, thanks for not sharing the details. 🙂
Permalink
Hi Stefan,
I would like to kindly ask you if you have any information about the issue with the “Usage Analytics Timer Job for Search Application Search Service Application” timer job that fails when you try to start it with the following error:
Exception calling “StartAnalysis” with “0” argument(s):
“SafeSerialization[Context=DeserializeAnalyticsEventTypeDefinitionCollection]: type
Microsoft.Office.Server.Search.Analytics.AnalyticsEventTypeDefinitionCollection not allowed.”
As far as I understood from the comments section, it was identified as a known issue so far, but do we know if it was fixed in one of the recent released CUs?
Thank you in advance for your input on the matter.
Permalink
Hi Svilen,
the fix for this issue was released in November 2021 CU.
Cheers,
Stefan
Permalink
Hi Stefan,
Thank you for your prompt reply.
Best regards,
Svilen
Permalink
Hello Stefan,
I believe this issue was expected to be fixed in November 2021 CU, however no such CU exists in Microsoft SharePoint updates page. Also does this solve the issue if user has migrated from SP2013 to SP2016
Permalink
Hi Osama,
November 2021 CU fixed the issue about the following message – it does not revert the new security requirements mentioned in this blog post.
“SafeSerialization[Context=DeserializeAnalyticsEventTypeDefinitionCollection]: type
Microsoft.Office.Server.Search.Analytics.AnalyticsEventTypeDefinitionCollection not allowed.”
Cheers,
Stefan
Permalink
No, unfortunately, it did not fix the issue!
I am pulling my hair out to solve this, I encountered this issue when my farm was migrated from 2013->2016->2019 in January of 2023. Everything is working on 2013 farm, this only breaks after migrating to 2016. To this day I have not solved this as there is ZERO information on how to do this (i have tried everything that I can find in google). Due to this Popularity and Search Reports are not working, only deleting and recreating SSA solves this, but this is not an option due to our custom farm solution
Permalink
Hi Arturs,
if you need assistance to get this investigated I would recommend to open a case with Microsoft Support.
Cheers,
Stefan