Common Error: “Unable to access this sensitive property” (8gaol) logged in ULS after installing June 2021 CU or later

- - 16 Comments

After installing June 2021 CU for SharePoint 2013, 2016 or 2019 you might notice that (e.g.) custom navigation stops working and 8gaol entries are logged in ULS log:

June or July 2021 CU:

w3wp.exe (0xXXXX) SharePoint Foundation General 8gaol Unexpected Unable to access this sensitive property : <sensitive property name> from outer assembly.

August 2021 CU or later:

w3wp.exe (0xXXXX) SharePoint Foundation General 8gaol Unexpected Unable to access this sensitive property : <sensitive property name> from outer untrusted assembly : <3rd party assembly full name>. Trusted assembly list: <assembly list for accessing sensitive properties>

This behavior was introduced by a security fix which prevents untrusted assemblies from accessing sensitive properties exposed by different SharePoint classes.

Solution

With August 2021 CU for SharePoint functionality was added to enable trusted custom assemblies accessing these sensitive properties by through a web.config modification:

After installing August 2021 CU add a new AllowAccessSensitivePropertiesAssemblies section under the SharePoint SafeMode node in the Web.config file:

<SharePoint>
<SafeMode>
<AllowAccessSensitivePropertiesAssemblies>
</AllowAccessSensitivePropertiesAssemblies>

</SafeMode>

</SharePoint>

For each third-party assembly that needs to be enabled, add an entry that has an assembly full name in the AllowAccessSensitivePropertiesAssemblies section:

<SharePoint>
<SafeMode>
<AllowAccessSensitivePropertiesAssemblies>
<AllowAccessSensitivePropertiesAssembly
Assembly="XXX, Version=XXX, Culture=XXX, PublicKeyToken=XXXX" />
</AllowAccessSensitivePropertiesAssemblies>


</SafeMode>

</SharePoint>

More details:

  • KB 5004581 – User code might be blocked when third-party assemblies access sensitive properties

16 Comments


  1. Hello there,
    can anybody tell me what is behind term “custom navigation”? In our enterprise farm (based on SP16 on-prem) we have applied custom left navigation to achieve some branding – it is applied as design package (one wsp file) imported to site through its settings. I am now quite in doubts to patch my farm with latest CUs because this “issue” which I don´t know if it is even concerning our environment or not.
    Thanx to anyone willing to explain this or guiding me for providing some other informations to clarify my situation.

    Reply

    1. Hi Ladislav,

      custom navigation means that you have written a custom assembly which directly accesses sensitive properties from the navigation provider. If you are not sure if this applies to your custom navigation I would suggest to test this in a test environment.

      Be aware that Microsoft support recommends: Always evaluate SharePoint fixes in a test environment before applying in production against all business cirtical functions to ensure that there are not negative side effects affecting this business critical functionality.

      Cheers,
      Stefan

      Reply

  2. @Stefan, I also have a ticket open with Microsoft support for a different error I’m seeing in Search Analytics. The engineer confirmed it is a bug in the June 2021 CU.

    The error occurs every 10 minutes, when the job “Usage Analytics Timer Job for Search Application Search Service Application” runs, and throws the error ” type Microsoft.Office.Server.Search.Analytics.AnalyticsEventTypeDefinitionCollection not allowed.”

    The job also keeps track of how many hours it has been since a successful run; I’m up in the thousands now.

    I can confirm that these errors began the same day I installed the June 2021 CU. The ticket has been escalated to the Product Team and I am waiting to hear back from them.

    Reply

    2. Hi Greg,
      yes – this is a known issue which was introduced with May CU.
      Cheers,
      Stefan

      Reply

      1. Hi Stefan, Is the above mentioned issue with Usage Analytics job happening for all SP versions or Specific to one ?

        Reply

        1. I can’t speak to the other versions, but we are running SharePoint Server 2016 Enterprise.

          Reply

  3. Hi Stefan , Is the Usage Analytics job issue has been addressed in the August CU ? If not, what’s the ETA on that ?

    Reply

    1. Hi Karthik, it is not included. If you would like to get notified when it is available, please open a support case with Microsoft.

      Reply

      1. Update on the Usage Analytics issue:
        “Usage Analytics Timer Job for Search Application Search Service Application” runs, and throws the error ” type Microsoft.Office.Server.Search.Analytics.AnalyticsEventTypeDefinitionCollection not allowed.”

        Events: 93s8z, afxw4

        I opened a ticket with MS Support, and they said this was due to the fact that my Search Service App (and AnalyticsReporting database) had been migrated from SharePoint 2013. The database’s TenantInfo table contains config information that refers to the 2013 version of SharePoint. The patch team had not considered this scenario, so one of the security changes now considers this “type” to be invalid. The support engineer gave me a fix (which worked) but said it would make my farm unsupported because it was a direct modification to the AnalyticsReporting database. They said if I wanted to try this in production, I should open a separate ticket with MS support to request that my config be supported.

        I won’t share that fix here because they also warned that this is not a one-size-fits-all fix, and it might break things in a differently configured farm. If you’re experiencing the same issue, I recommend you open your own ticket with MS.

        They plan to fix this issue in an upcoming patch (but they would not estimate when that will be).

        Reply

        1. Hi Greg, thanks for not sharing the details. 🙂

          Reply

  4. Hi Stefan,

    I would like to kindly ask you if you have any information about the issue with the “Usage Analytics Timer Job for Search Application Search Service Application” timer job that fails when you try to start it with the following error:
    Exception calling “StartAnalysis” with “0” argument(s):

    “SafeSerialization[Context=DeserializeAnalyticsEventTypeDefinitionCollection]: type
    Microsoft.Office.Server.Search.Analytics.AnalyticsEventTypeDefinitionCollection not allowed.”

    As far as I understood from the comments section, it was identified as a known issue so far, but do we know if it was fixed in one of the recent released CUs?

    Thank you in advance for your input on the matter.

    Reply

    1. Hi Svilen,

      the fix for this issue was released in November 2021 CU.

      Cheers,
      Stefan

      Reply

      1. Hi Stefan,

        Thank you for your prompt reply.

        Best regards,
        Svilen

        Reply

  5. Hello Stefan,

    I believe this issue was expected to be fixed in November 2021 CU, however no such CU exists in Microsoft SharePoint updates page. Also does this solve the issue if user has migrated from SP2013 to SP2016

    Reply

    1. Hi Osama,
      November 2021 CU fixed the issue about the following message – it does not revert the new security requirements mentioned in this blog post.
      “SafeSerialization[Context=DeserializeAnalyticsEventTypeDefinitionCollection]: type
      Microsoft.Office.Server.Search.Analytics.AnalyticsEventTypeDefinitionCollection not allowed.”
      Cheers,
      Stefan

      Reply

Leave a Reply to Greg BurnsCancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.