Recently at MS Project Now we ran into a strange issue with Active Directory synchronization in one of our environments. Below are the issue scenarios and their results.
Scenario 1: Server Settings >> Manage Group >> Click on one of the Project Server Security Groups >> Enter the AD security group >> Save
Result: As soon as you click Save, the page redirects back to the Manage Groups page, and the AD group name for the newly edited group is empty. The AD group you added is not actually saved. In some cases you might also see the error “Unknown error has occurred” when you click Save.
Scenario 2: Server Settings >> Manage Group >> Edit one of the Project Server Security Groups for which you already have the AD group set
Result: You get a blank name for both the Project Security Group and the AD Security Group. You won't be able to make any changes to the security group, because the save operation returns an error due to the blank group names.
Scenario 3: Server Settings >> Active Directory Resource Pool Synchronization
Result: Error “Sorry, something went wrong”.
Scenario 4: Server Settings >> Active Directory Resource Pool Synchronization >> Enter the AD group name and click on Save
Result: Nothing happens: no page refresh or redirection. AD sync doesn't get initiated.
In the ULS log you will see the error message below:
==================================
Medium Error is: GeneralUnhandledException. Details: General Unhandled Exception in _Admin.ResolveActiveDirectoryGroups_ Attributes: System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary. at Microsoft.Office.Project.Server.ClaimsHelper.GetFormsAuthenticationProviderName(Uri context, SPUrlZone zone) at
==================================
Resolution:
1) Make sure "Authenticated Users" has "Read" permissions on all SharePoint service accounts. In my case it was missing for the service app pool account.
Steps: AD console > edit the AD service account object > Security tab > select "Authenticated Users" > ensure "Read" permissions are enabled
2) Make sure the PWA URL you are accessing is in the Alternate Access Mapping default zone. For me it was in a custom zone, and it started working as soon as I added the URL to the default zone under Alternate Access Mapping.
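
Both resolution checks can be verified from the SharePoint Management Shell before changing anything. The script below is an added example, not part of the original post; the PWA URL and the account names are placeholders, and it assumes the service accounts are ordinary AD user objects and that the RSAT ActiveDirectory module is installed on the server.

```powershell
# Added example: read-only verification of the two Resolution conditions.
# Placeholder values; replace with your own PWA URL and service accounts.
$PwaUrl          = 'https://pwa.example.com/PWA'
$ServiceAccounts = @('svc-sp-apppool', 'svc-sp-farm')

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

function Test-AuthenticatedUsersRead {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $dn   = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $read = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    $acl  = Get-Acl -Path "AD:\$dn"
    # Ask for SIDs instead of names so the check works on localized systems.
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    # S-1-5-11 is the well-known SID of Authenticated Users.
    $hits = $rules | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-5-11' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $read) -eq $read
    }
    return [bool]$hits
}

function Test-DefaultZoneUrl {
    param([Parameter(Mandatory)][string]$Url)
    # AAM entries are stored as scheme://host[:port], so compare that part only.
    $authority = ([Uri]$Url).GetLeftPart([System.UriPartial]::Authority)
    $match = Get-SPAlternateURL -Zone Default |
        Where-Object { $_.IncomingUrl.TrimEnd('/') -ieq $authority }
    return [bool]$match
}

# Check 2 from the Resolution: is the PWA URL mapped in the Default zone?
[pscustomobject]@{
    Check  = 'PWA URL is in AAM Default zone'
    Target = $PwaUrl
    Passed = Test-DefaultZoneUrl -Url $PwaUrl
}

# Check 1 from the Resolution: Authenticated Users has Read on each account.
foreach ($account in $ServiceAccounts) {
    [pscustomobject]@{
        Check  = 'Authenticated Users has Read'
        Target = $account
        Passed = Test-AuthenticatedUsersRead -SamAccountName $account
    }
}
```

Any row with Passed = False points to the corresponding resolution step above.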