jmicorp
asked on
Sharepoint MOSS 2007 issue with single user receiving 403 error
We've got a few SharePoint farms in our company: a single prod unit and multiple test and staging environments. Our staging server is giving us trouble with a single test account that we can't seem to shake out. The user simply cannot log in to SharePoint. They are a simple domain user with minimal domain rights, but standard user-level access in SharePoint. We've been down the path of trying to work with services permissions to fix this issue -- but as a SharePoint user, what local service permissions should this user even have? Authenticated users in general should have only the slightest control over services, right?
This failure message is sporadic and unpredictable. It may have even completely gone away with my efforts to make more relaxed permissions on MSDTC. At the end of the day, that one individual user is still given SIMPLE 403 FORBIDDEN errors from IIS upon logging in. Strangely enough, it takes 3 login attempts to generate this message. Any ideas?
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 10/6/2009
Time: 2:55:20 PM
User: domain\SP_CBP_Test_00749
Computer: somecomputer
Description:
Object Open:
Object Server: SC Manager
Object Type: SERVICE OBJECT
Object Name: WinHttpAutoProxySvc
Handle ID: -
Operation ID: {0,475837461}
Process ID: 432
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: somecomputernameSTAGING$
Primary Domain: somedomain
Primary Logon ID: (0x0,0x3E7)
Client User Name: SP_CBP_Test_00749
Client Domain: ALS
Client Logon ID: (0x0,0x1C5CACEA)
Accesses: Query status of service
Start the service
Query information from service
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x94
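As an added example (not part of the original thread), the Python sketch below parses the fields of a 560 audit record like the one posted above and decodes its Access Mask into service access rights. The sample text is a trimmed copy of that event, and the function names are hypothetical.

```python
# Service-object access rights; bit values as defined in winsvc.h / winnt.h.
SERVICE_RIGHTS = {
    0x0001: "SERVICE_QUERY_CONFIG",
    0x0002: "SERVICE_CHANGE_CONFIG",
    0x0004: "SERVICE_QUERY_STATUS",
    0x0008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x0010: "SERVICE_START",
    0x0020: "SERVICE_STOP",
    0x0040: "SERVICE_PAUSE_CONTINUE",
    0x0080: "SERVICE_INTERROGATE",
    0x0100: "SERVICE_USER_DEFINED_CONTROL",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
}

# Sample input: fields copied from the event in the post above, trimmed.
SAMPLE_EVENT = """\
Event Type: Failure Audit
Event ID: 560
Object Type: SERVICE OBJECT
Object Name: WinHttpAutoProxySvc
Image File Name: C:\\WINDOWS\\system32\\services.exe
Client User Name: SP_CBP_Test_00749
Accesses: Query status of service
Start the service
Access Mask: 0x94
"""

def parse_event(text):
    """Split 'Key: value' lines into a dict; continuation lines are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields

def decode_service_mask(mask):
    """Return (right names in ascending bit order, leftover unknown bits)."""
    names = [name for bit, name in sorted(SERVICE_RIGHTS.items()) if mask & bit]
    return names, mask & ~sum(SERVICE_RIGHTS)

def summarize(text):
    """Decode one 560 record; refuse anything that is not a service object."""
    fields = parse_event(text)
    if fields.get("Event ID") != "560" or fields.get("Object Type") != "SERVICE OBJECT":
        raise ValueError("not a 560 audit on a service object")
    names, unknown = decode_service_mask(int(fields["Access Mask"], 16))
    return {"service": fields["Object Name"], "client": fields["Client User Name"],
            "outcome": fields["Event Type"], "rights": names, "unknown_bits": unknown}
```

For the posted event, the mask 0x94 decodes to SERVICE_QUERY_STATUS, SERVICE_START and SERVICE_INTERROGATE, which lines up with the three Accesses listed in the record.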
Just to clarify, there is no clear correlation between the failed login and the 560 event, correct?
ASKER
There was, prior to setting relaxed permissions for AU on the MSDTC service.
To answer your question, the user accessing the site need have no permissions whatsoever on local services on the sharepoint server. If you can post any relevant ULS entries that would be a good place to start.
ASKER
Working on that.
In the meantime, a clue:
We have several site collections on this staging box. From this point forward, I'll refer to the site collection that initially prompted this issue as SC1. Other site collections, SC2-5, seem to work just fine! How about that?
OK that's useful, so we can rule out a problem with IIS per se, SharePoint permissions per se and the user's profile in AD and SharePoint.
The ULS logs are the next step, so whenever you're able.
ASKER
Sorry, got wrapped up. I've got ULS logviewer from CodePlex installed now. What category do you need me to pull from?
Any warning, exception or otherwise relevant entries that appear at the moment the user tries to log in.
ASKER
I'm sorry that I need a little hand holding in this regard. When I use ULS, I need to specify a file, a category, and a severity.
Not sure what you're referring to, are you using a tool to read the ULS logs? You can just go right in and open the file in notepad, and then copy the chunk of entries around the time of the failure.
Have you checked the behavior when you access the site as http://<portalname>/default.aspx instead of http://<portalname>? If you are able to access the site, then simply change the App pool and see the behavior.
You can check the permission of the bin folder in the IIS virtual site and ensure the users group has Read/Execute permission along with List folder.
Also check the following KB articles for reference.
http://support.microsoft.com/kb/822786
http://support.microsoft.com/kb/841001
Is there anything in the ULS logs around the time of the failed login?