SharePoint / Unable to create new SharePoint Groups with the “SharePoint Directory Management Service”

Summary

After configuring SharePoint with incoming email and the “SharePoint Directory Management Service” to create Distribution Lists in Active Directory, you are unable to create new groups, and the following error is displayed.

Sorry, something went wrong

The following error has occurred while attempting to contact the Directory Management Service: The request failed with HTTP status 401: Unauthorized.

Server-side error (ULS Logs):

Getting Error Message for Exception System.Web.HttpUnhandledException (0x80004005): Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> Microsoft.SharePoint.SPDistributionGroupException: The following error has occurred while attempting to contact the Directory Management Service: The request failed with HTTP status 401: Unauthorized. ---> System.Net.WebException: The request failed with HTTP status 401: Unauthorized.   
 at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)   
 at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)   
 at Microsoft.SharePoint.DirectorySoap.SPDirectoryManagementProxy.CreateDistributionGroup(String Alias, String Name, String Description, String ContactCN, RequestInfo Info, DistributionGroupFlags Flags)   
 at Microsoft.SharePoint.SPGroup.CreateDMS(String dlAlias, String friendlyName, String description, String[] members, String requestor, String justification, Int32& jobId)
 --- End of inner exception stack trace ---
 at Microsoft.SharePoint.SPGroup.WrapExceptionWithDMSException(Exception e)   
 at Microsoft.SharePoint.SPGroup.CreateDMS(String dlAlias, String friendlyName, String description, String[] members, String requestor, String justification, Int32& jobId)   
 at Microsoft.SharePoint.SPGroup.CreateDistributionGroup(String dlAlias)   
 at Microsoft.SharePoint.ApplicationPages.NewGroup.DoOperation()   
 at Microsoft.SharePoint.ApplicationPages.CBaseNewGroup.BtnOK_Click(Object sender, EventArgs e)   
 at System.Web.UI.WebControls.Button.OnClick(EventArgs e)   
 at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)   
 at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)   
 at System.Web.UI.Page.HandleError(Exception e)   
 at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)   
 at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)   
 at System.Web.UI.Page.ProcessRequest()   
 at System.Web.UI.Page.ProcessRequest(HttpContext context)   
 at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()   
 at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)   
 at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Cause

This issue normally occurs if the App Pool account that is running the Central Admin Site does not have access to the OU where the SharePoint objects are being created in Active Directory. However, even after verifying rights on the OU, the error persists.

The request is actually failing because the customer may have a separate SharePoint “Farm Account” and “Service Account”. In this case, the Service Account does not have access to create DLs in the Central Admin Site by default.

Since the “SharePoint Directory Management Service” executes via Central Admin, the App Pool account that is running the SharePoint Site will need full access to the Central Admin site collection.

Resolution

To resolve this issue, elevate the App Pool account running the SharePoint Site to a site collection administrator in the Central Admin Site.

Step 1: From Central Admin, go to Settings > “Site Settings”

Step 2: Go to “Site Collection Administrators”

Step 3: Add the App Pool Account

Groups created in SharePoint should now be created successfully in Active Directory.
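
The same three steps can be scripted from the SharePoint Management Shell. This is an added example, not part of the original post: the web application URL is a placeholder, and the script prints the existing Central Admin site collection administrators before adding the App Pool account, so the change to that list can be reviewed.

```powershell
# Added example: run in an elevated SharePoint Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: placeholder URL of the content web application where group creation fails.
$ContentWebAppUrl = 'https://sharepoint.example.com'

# Strip the Windows claims prefix so 'i:0#.w|contoso\svc' compares equal to 'CONTOSO\svc'.
function Get-PlainLogin([string]$Login) {
    ($Login -replace '^i:0#\.w\|', '').ToLowerInvariant()
}

# Identity of the application pool that serves the content site.
$poolAccount = (Get-SPWebApplication $ContentWebAppUrl).ApplicationPool.Username

# Locate Central Administration and open its site collection.
$ca = Get-SPWebApplication -IncludeCentralAdministration |
    Where-Object { $_.IsAdministrationWebApplication }
$caSite = Get-SPSite $ca.Url
$caWeb = $caSite.RootWeb

try {
    # Record who already holds site collection admin rights on Central Admin.
    Write-Host "Site collection administrators on $($ca.Url):"
    $admins = @($caWeb.SiteAdministrators)
    $admins | ForEach-Object { Write-Host "  $($_.UserLogin)" }

    $present = $admins | Where-Object {
        (Get-PlainLogin $_.UserLogin) -eq (Get-PlainLogin $poolAccount)
    }

    if ($present) {
        Write-Host "$poolAccount is already a site collection administrator."
    }
    else {
        # Equivalent of Steps 1-3: add the account under Site Collection Administrators.
        $user = $caWeb.EnsureUser($poolAccount)
        $user.IsSiteAdmin = $true
        $user.Update()
        Write-Host "Added $poolAccount as site collection administrator."
    }
}
finally {
    # Release the SPSite object opened above.
    $caSite.Dispose()
}
```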

More Information

Configure incoming email for a SharePoint Server farm

https://docs.microsoft.com/en-us/sharepoint/administration/incoming-email-configuration
