Solved

Access Denied for Sharepoint Owner/Administrator access Sharepoint 2010 controls

Posted on 2011-03-21
Last Modified: 2012-05-11
I've got a single server install of Sharepoint 2010 enterprise with SQL 2008 both installed.  The site has been running fine until I got a complaint from one of my SP managers that she was getting Access Denied errors when she tried to upload a document, then I got another one.  At this time I tried it myself and I've got the same problem.  BTW we can use explorer view and upload documents without any issues. After continuing to troubleshoot, I found additional links that are also broken.  They are:

1.  The help button also gives me the same error

2.  On the site, Site Collection, Site Collection Administration, Search Keywords gives me the access denied error.

3.  In Central Admin, Security, configured managed accounts, I get the following message:

The given key was not present in the dictionary.

Troubleshoot issues with Microsoft SharePoint Foundation.

Correlation ID: 78454743-6409-4d79-9a30-942f7e62e908

Attached is a much cleaned up log file.  It contains the error messages when received as I tried to utilize the above controls. This log was taken with logging set to verbose.
 
This issue was posted at the following link, but no one wants to take it on.

http://social.technet.microsoft.com/Forums/en-US/sharepoint2010setup/thread/4c054f0e-3031-463d-aed2-57eb7c9e6b76



SP2010Log.doc
Question by:Gary_awt
 
LVL 14

Expert Comment

by:GeorgeGergues
ID: 35181269
Gary,

Thanks for sharing the log, it helps with the debug.

I would start by running the SharePoint technology wizard on your farm first
this will set all needed security settings at file level.

This may be a simple security issue.
Then we can start debugging afterwards.

If that does not fix it we might need more information about any custom master pages you may have set on those sites.

Best of Luck


0
 

Author Comment

by:Gary_awt
ID: 35182392
George, by Sharepoint Technology Wizard, do you mean the Sharepoint Products Configuration Wizard?  I did run that and unfortunately it did not help the problem.  If that is not what you wanted me to run, then you must forgive my lack of 2010 knowledge and tell me how to run the wizard.
0
 
LVL 14

Expert Comment

by:GeorgeGergues
ID: 35182448
that was it..

Under your application services, do you have a UserProfile proxy service

if that is not set, make sure the application is served by that proxy if you have one.
0
 

Author Comment

by:Gary_awt
ID: 35183354
I have both User Profile Service Application and User Profile Service Application Proxy Started.  FYI in troubleshooting this I had to install the User Profile Service but was not able to get User Profile Synchronization Service to start.  Does this help?
0
 
LVL 14

Expert Comment

by:GeorgeGergues
ID: 35183446
can you attempt to start it and get the error log (ULS error log )
0
 

Author Comment

by:Gary_awt
ID: 35189935
Ok I attempted to start the service this morning after I rebooted the server, just to make sure everything was ok there.  Also I noticed that both the Forefront services keep going disabled. Attached is a ULS file filtered to show only lines with error in it.  If you want the complete log file just let me know.  I didn't want to hit you with 55k lines of log.  BTW just delete the .txt and you can open the file in the ULS reader.
splog32211.ulsworkspace.txt
0
 
LVL 14

Expert Comment

by:GeorgeGergues
ID: 35190057
does not look like a log file
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\LOGS\Diagnostics\SERVER11-20110322-0941.log
is the log.
0
 

Author Comment

by:Gary_awt
ID: 35198875
George, take off the .txt suffix and use the ulsviewer.  EE would not let me upload the file without adding the .txt suffix.
0
 
LVL 14

Expert Comment

by:GeorgeGergues
ID: 35198926
I understand

but the actual file is
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\LOGS\Diagnostics\SERVER11-20110322-0941.log

can you get that file.

you can give it any name, no problem, but we need to get the content of that file.
0
 

Author Comment

by:Gary_awt
ID: 35207975
Here you go George it is the complete unedited file, about 14mb.
SERVER11-20110322-0941.log
0
 
LVL 14

Expert Comment

by:GeorgeGergues
ID: 35209035
Gary,

have you made any changes to the IIS application pool running that sharepoint application ?

I will get you more information later on today.
0
 

Author Comment

by:Gary_awt
ID: 35209144
Yes, about 4 weeks ago we had issues with sharepoint and user permissions on the application pools. All of the pools that were created quit authenticating.  I ended up changing the identity of those pools to networkservice and then giving that account permissions to SQL.  The other applications that I've created, search wanted to setup with SPfarmaccount.
0
 
LVL 14

Expert Comment

by:GeorgeGergues
ID: 35209381
if you are using Claims authentication let me know .

if not

Check the application pool settings :
.NET Version is 2.0
Mode is Integrated.

You can use network service or an actual account  just give proper rights to the DB.


Best of luck
0
 

Author Comment

by:Gary_awt
ID: 35222532
Ok here are the Authentication Settings for the Web Application

Authentication Type:  Windows
Anonymous Access is not Enabled
IIS Authentication is Integrated Windows (NTLM)
Client Integration is Yes

Also, I did ensure that the network services account has proper rights to the db in SQL manager.
0
 

Author Comment

by:Gary_awt
ID: 35222542
Also Application pools Manage Pipeline Mode is Integrated on everything except Classic .Net AppPool, that is set to Classic
0
 
LVL 14

Accepted Solution

by:
GeorgeGergues earned 500 total points
ID: 35227408
Gary,

I have attached a copy of a std configuration of a 2010 application pool configuration,
normally it is recommended that you use a separate account for the application pool than your Timer service but that is not enforced


Compare the settings, maybe something will pop up.

also make sure your application is only being served by that application pool alone.

thank you


Std2010-SP-AppPool.png
0
 

Author Comment

by:Gary_awt
ID: 35257854
George, I started questioning my comment about NT Authority\network service having proper permissions in SQL.  Attached is a .pdf with 4 screen captures, the first showing the application pools, 2-4 are SQL Management Studio Captures showing the permissions for network service.  Let me know what you think...
Application-Pool-and-SQL-Info.pdf
0
 
LVL 14

Expert Comment

by:GeorgeGergues
ID: 35258334
The normal rights would be for a certain user (not the network service) to be DBO on all the SP dbs,
except the Config db.

it is a security risk to have the network service account with elevated privileges.

My recommendation is to change / create a new application pool with a proper user name and give that user the proper security rights.

but if you want a fix for the immediate  problem , you can give network service account dbo rights on the DBs.
0
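
A read-only way to inventory what the comment above recommends reviewing: which identity each IIS application pool runs as, its .NET version and pipeline mode, and which sites it serves. This is an added example, not part of the original thread; it assumes the WebAdministration module is available on the server, and the `$builtIn`, `$served` and `$report` names are illustrative.

```powershell
# Added example: read-only audit of IIS application pool identities.
# Run from an elevated PowerShell prompt on the IIS/SharePoint server.
Import-Module WebAdministration

# Built-in identities shared with other services on the same machine.
$builtIn = 'LocalSystem', 'LocalService', 'NetworkService', 'ApplicationPoolIdentity'

# Map each pool name to the sites and sub-applications it serves.
$served = @{}
foreach ($site in Get-ChildItem IIS:\Sites) {
    $served[$site.applicationPool] += @("site:$($site.Name)")
}
foreach ($app in Get-WebApplication) {
    $served[$app.applicationPool] += @("app:$($app.path)")
}

$report = foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $type = [string]$pool.processModel.identityType
    # userName is only meaningful when the pool runs as a specific account.
    $identity = if ($type -eq 'SpecificUser') { $pool.processModel.userName } else { $type }
    New-Object PSObject -Property @{
        Pool     = $pool.Name
        Identity = $identity
        BuiltIn  = ($builtIn -contains $type)
        Runtime  = $pool.managedRuntimeVersion
        Pipeline = $pool.managedPipelineMode
        Serves   = ($served[$pool.Name] -join '; ')
    }
}

# Full inventory, for comparison against the intended configuration.
$report | Sort-Object Pool |
    Format-Table Pool, Identity, BuiltIn, Runtime, Pipeline, Serves -AutoSize -Wrap

# Pools that serve content while running under a built-in identity.
$report | Where-Object { $_.BuiltIn -and $_.Serves } |
    Format-Table Pool, Identity, Serves -AutoSize -Wrap
```

The second table lists the pools to move to a dedicated domain account first, since they serve content while sharing a machine-wide identity.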
 

Author Comment

by:Gary_awt
ID: 35258736
Ok I will do that and let you know.
0
 

Author Comment

by:Gary_awt
ID: 35314287
George, I just wanted to let you know I'm still with you.  I just had some other issues pop up that required my attention.  FYI,  I've given the network service account dbo rights to all SP databases, but that hasn't solved the issue.  I wanted to reboot the server to give everything a fresh security image, just to be sure that the new credentials have been applied.
0
 

Author Comment

by:Gary_awt
ID: 35350807
George, this is where we stand.  I've got the "Given Key not Present" issue resolved.  I found a link that talked about adding read permissions to all of the Sharepoint accounts for the authenticated Users account.  I'm still stuck on the access denied issues associated with uploading files and help.  Where do we go from here?
0
 
LVL 14

Expert Comment

by:GeorgeGergues
ID: 35351171
Regular sharepoint accounts should not have direct access to any SharePoint database

only the SP Admin and the application pool accounts.


I still recommend that you use an actual account and not the network service account.

0
 

Author Comment

by:Gary_awt
ID: 35351941
That is my next step.  I want to normalize all of the application pools with defined user accounts.  Can you tell me, should they have anything other than domain user permissions, for example local admin permissions?  Also should I give them dbo permissions to the databases? Also other than for best practices, and for simplicity's sake, do you think it is ok to use a single account for all of the application pools? or would you give specific pools specific accounts?
0
 
LVL 14

Expert Comment

by:GeorgeGergues
ID: 35352132
This article addresses this topic quite well

http://technet.microsoft.com/en-us/library/cc678863.aspx

it is the same 2010 and 2007
0
 

Author Comment

by:Gary_awt
ID: 35352437
I guess I have my reading for the weekend.  Developing procedures to change them also.  I'll let you know how things go next week.
0
 

Author Comment

by:Gary_awt
ID: 35366132
George, this is the user lineup that has been set up according to the document.

spFarmAcct: Domain User,  Local Admin account.  Was created at installation and settings are correct
spAdminAcct: Domain User, Local Admin account.  Created at installation and reset all permissions per the Account Permissions Document
spSQLSvcAcct: Domain User, Local Admin account,  Created at installation and verified setting.
spAppPoolAcc:  Domain User, Local Admin account,  Created at installation and I reset permissions per document
spFoundationacct:  Domain User, Local Admin account,  Created at installation and I reset permissions per document

Application Pools are as follows

1.  This pool has 4 Sharepoint Web Applications running on it with identity set to network Service
2.  This pool has 1 Sharepoint Web Applications running on it with identity set to network Service
3.  This pool has 1 Sharepoint Web Applications running on it with identity set to network Service
4.  This pool has 4 Sharepoint Web Applications running on it with identity set to spFarmAcct
5.  Classic .Net AppPool Pipeline is set to classic and identity set to network service
6. This pool has 1 Sharepoint Web Applications running on it with identity set to spSQLSvcAcct.
7.  Default App Pools identity is set to network service
8.  SecurityTokenServiceApplicationPool was set to spAppPoolAcc this morning.
9.  Sharepoint 777 (Company Intranet Site)  identity is set to network service
10. Sharepoint 80 identity set to network service
11. Sharepoint Central Administration identity is set to spFarmAcct
12. Sharepoint Web Services Root identity is set to network service.

Now my first thought is to set all of these app pools to either spAppPoolAcc account or spAdminAcct.  But I wanted your input on this before I make the changes.  FYI, the network service account has been configured the same as the spAppPoolAcc.

Now moving forward to the service accounts in Central Admin they are as follows.

1. Farm Account... set to spFarmAcct
2. Claims to Windows Token Service was changed to spAppPoolAcc from local service today
3.  Both Document Conversion services account is set for local service
4.  Sandbox service is set for spFarmAcct
5  Sharepoint Foundation service account is set for spSQLSvcAcct
6.  Server Search service account is set for spFarmAcct
7.  SQL Service Analysis service account is set for spSQLSvcAcct
8   Both User Profile Sync. and Web Analytics service accounts set for spFarmAcct
9.  Both Web Application Pools, Sharepoint 777 and Sharepoint 80 are set for spFarmAcct
10. The SearchAdmin, SearchQuery, WebServices and Managed Metadata Service Application Pools have spFarmAcct Identities.
11  SecurityTokenService App Pool is set for spAppPoolAcc (done today)
12  Sharepoint User-Profiles App Pool is set for spSQLSvcAcct.


I really need guidance in the proper settings for application pools, windows services and the service accounts.
0
 
LVL 14

Expert Comment

by:GeorgeGergues
ID: 35374656
not a problem

IF you do that in a controlled manner

Note that you will need to keep the same account running any sub folder ( web virtual folder / application )
like
/_Layouts and /Images /Inc  etc....


0
 

Author Comment

by:Gary_awt
ID: 35375530
Ok good for the Application Pools.  Do you have any guidance for configuring credentials on the service accounts in CA, or am I ok keeping those application pools configured in CA as spfarm?  My thought was to move them all over to the spAppPoolAcc account that I am using for the actual application pools in IIS.
0
 

Author Comment

by:Gary_awt
ID: 35383021
Made some headway George.  Migrated all of the IIS Application Pools over to the account spAppPoolAcc and the issue with the Add Document control is now fixed.  It's strange but when I select the help button I've still got the same problem, Access Denied.   I finally got to restart the server this morning so everything has been recycled.
0
 

Author Comment

by:Gary_awt
ID: 35383645
Good news George.  I tweaked the login permissions on a couple more services and not only did I get my help button working but got my crawl issues worked out.  I have 2 questions, first is help connected to search in some way? Second,  can I award more than 500 points for all of the work we've done, because I think we can close this case.
0
 

Author Closing Comment

by:Gary_awt
ID: 35383826
George spent a lot of time with me working on this issue and guided me to the areas I needed to work with and I was able to take it from there.  Being my first time submitting a question I can only hope that all the experts perform as well as George.
0
