Monday, February 4, 2008

Troubleshooting Access denied errors in SharePoint 2007

The other day we deployed a MOSS instance and almost no one could log in! Site Collection Administrators were the only users who could log in to the site. All other users, even those who supposedly had Full Control, were given the terrifying Access Denied page. The most difficult part of troubleshooting this kind of error was figuring out where to start. The resolution was that we had stripped all permissions from the Master Page Gallery. Because of this, no users (except Site Collection Administrators) could pull a Master Page. Here's how we figured it out.

SharePoint Access Denied

In the event log was the following exception which was pretty misleading. We thought there was some kind of exception being thrown, but after we stripped out all of our code we were still getting the Unhandled Access Exception.

Event code: 4011
Event message: An unhandled access exception has occurred.
Event time: 2/4/2008 9:37:53 PM
Event time (UTC): 2/5/2008 5:37:53 AM
Event ID: 32497872094d45978925a82fd98ceb48
Event sequence: 149
Event occurrence: 1
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/14371080/Root-1-128466631227046864
Trust level: WSS_Minimal
Application Virtual Path: /
Application Path: C:\Inetpub\wwwroot\wss\VirtualDirectories\80\
Machine name: W2K3-TYLER-VIRT
Process information:
Process ID: 2880
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE
Request information:
Request URL: http://w2k3-tyler-virt/Pages/Default.aspx
Request path: /Pages/APHOME.aspx
User host address: 192.168.1.204
User: W2K3-TYLER-VIRT\TestUser
Is authenticated: True
Authentication Type: Negotiate
Thread account name: NT AUTHORITY\NETWORK SERVICE
Custom event details:
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Steps to Troubleshoot

  • First, make sure the user should be able to log in. Have you added a group that gives the required users access (i.e. an NT Authority\authenticated or a Domain\Users group)? Can users gain access as a Site Collection Administrator but not with Full Control? Are there any security policy settings set for the web application? Essentially, make sure you haven't overlooked something.
  • Secondly, make sure you have a good MOSS/WSS install. If you have any glaring errors in your event log, you should probably clean those up first. Troubleshooting gets increasingly difficult when there's a lot of noise in the event log.
  • If you're trying to add/visit a page and are getting an Access Denied, ensure that the user has at least read rights to all the assets related to the page. This includes Master Pages, Style Sheets, Page Layouts, the Page/List Item itself and any other related assets.
  • Lastly, I'd look at the Access Denied URL. If you simply get:
http://[ServerName]/_layouts/AccessDenied.aspx?Source=[AnyUrl]

then there's not really a lot to troubleshoot; you most likely have a configuration error. It's when the URL is of the form:

http://[ServerName]/_layouts/AccessDenied.aspx?Source=[AnyUrl]&Type=list&name=%7B12151589%2D7A0B%2D40EE%2DBD92%2DADB851B3D78E%7D

then you have something interesting to troubleshoot. Surprisingly enough, SharePoint is telling us that we're trying to access a list, and it's telling us to hit the road. The name parameter is really a URL-encoded GUID. Still don't believe me? What if I went ahead and decoded it for you (I use this utility for that kind of stuff)? Now it looks like:

http://[ServerName]/_layouts/AccessDenied.aspx?Source=[AnyUrl]&Type=list&name={12151589-7A0B-40EE-BD92-ADB851B3D78E}

Essentially we're looking for a list with the List ID of {12151589-7A0B-40EE-BD92-ADB851B3D78E}. It's time to play that age-old game... FIND THE GUID! Now there's more than one way of tracking this list down. You can:

  • Write some SQL against the content database in question. This one is quick if you're familiar with doing that kind of stuff, but for most people this would be trouble.
  • Another option is a little monotonous: it requires going into the list settings of each list in the site. You'll get a URL that will look like:
http://[ServerName]/_layouts/ListEdit.aspx?List={12151589-7a0b-40ee-bd92-adb851b3d78e}&Source=%2F%5Flayouts%2Fsitemanager%2Easpx%3FSmtContext%3DArea%3A%3FSPWeb%3A0b1deb27%2Da646%2D4786%2Da29d%2D374b34449793%3A%26SmtContextExpanded%3DTrue%26Filter%3D1%26pgsz%3D100%26vrmode%3DFalse

See our GUID above? Once you see the GUID in the List Settings of the list you know you've found the list in question.

  • The last option, which I recommend if you have access to the machine that SharePoint is running on, is to install SharePoint Explorer, a free tool provided by Ontolica. You can use this tool to track down the list in question (below).

Finding a List ID GUID using SharePoint Explorer

Once you've found the list in question, make sure that users can access this list. You do this by going to List Settings->Permissions for this List/Document Library and adding permissions for at least Read.
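The decode-and-match step described above, as an added Python example that is not part of the original post: it tells the two AccessDenied.aspx URL forms apart, percent-decodes the name parameter into a GUID, and matches it case-insensitively against ListEdit.aspx URLs copied from list settings pages. The host sp.example.test, the Source values and the first list GUID are constructed sample data.

```python
import uuid
from urllib.parse import parse_qs, urlsplit

# Constructed sample data; only the list GUID 12151589-... comes from the post.
HOST = "http://sp.example.test"
DENIED_PLAIN = HOST + "/_layouts/AccessDenied.aspx?Source=%2FPages%2FDefault%2Easpx"
DENIED_LIST = (DENIED_PLAIN + "&Type=list"
               "&name=%7B12151589%2D7A0B%2D40EE%2DBD92%2DADB851B3D78E%7D")
SETTINGS_URLS = [
    HOST + "/_layouts/ListEdit.aspx?List={aaaaaaaa-1111-2222-3333-444444444444}",
    HOST + "/_layouts/ListEdit.aspx?List={12151589-7a0b-40ee-bd92-adb851b3d78e}"
           "&Source=%2F%5Flayouts%2Fsitemanager%2Easpx",
]

def _params(url):
    """Query parameters with lower-cased keys; parse_qs percent-decodes values."""
    return {k.lower(): v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def _guid(text):
    """Parse '{GUID}' in any letter case; None if the text is not a GUID."""
    try:
        return uuid.UUID(text or "")
    except ValueError:
        return None

def parse_access_denied(url):
    """Return the Source, the object type and the object GUID of a denial URL.

    type and guid are None for the plain form (Source only), which points
    at configuration rather than at one list's permissions.
    """
    p = _params(url)
    kind = p.get("type", "").lower() or None
    return {"source": p.get("source"), "type": kind,
            "guid": _guid(p.get("name")) if kind else None}

def find_denied_list(denied_url, settings_urls):
    """Return the ListEdit.aspx URL whose List ID matches the denied list."""
    denied = parse_access_denied(denied_url)
    if denied["type"] != "list" or denied["guid"] is None:
        return None  # nothing list-specific to chase
    for url in settings_urls:
        if _guid(_params(url).get("list")) == denied["guid"]:
            return url
    return None

if __name__ == "__main__":
    for u in (DENIED_PLAIN, DENIED_LIST):
        print(parse_access_denied(u), "->", find_denied_list(u, SETTINGS_URLS))
```

Comparing parsed GUIDs rather than strings matters here because the Access Denied URL carries the ID in upper case while the List Settings URL carries it in lower case.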

That's it folks, hope she helps. You can also use the URL of an Access Denied page to troubleshoot access rights to List Items, but that's for another day.

My Best,
Tyler

41 comments:

Mark said...

Thanks... helped me big time!

Matt said...

Excellent article, thanks very much it helped greatly.

My users were getting access denied errors just as you described. I tracked it down to the master page gallery and noticed that the layout page being used had an Approval Status of Draft. I approved the page and all is well.

Dave said...

Thanks for this post, just saved me this morning!

Anonymous said...

We had a similar issue with a custom build site. Users were getting access denied on the main page, but could browse the rest of the site. As soon as we added the user to site owners group they could see the page...

The developer had a dynamic menu that was different depending on whether a user is a site owner or not...

We fixed the problem by letting users view the membership of the "Site Owners" group. The web part was trying to see if the user that was accessing the site is a site owner, and since the user did not have rights to see who is in that group we got the access denied. It's the second time I bump into this issue - and the second time I end up spending a week troubleshooting this. Hopefully this will help somebody else.

Harees Seni said...

Excellent Article....It saved a day for me

Anonymous said...

Further value:
1. creating a hilvl group on site collection level for instance, with full control, will indeed not give master gallery permissions.

2. For finding the list, there is magic:
http://aravindrises.blogspot.com/2008/08/caml-view-of-splist.html
the point is, http://server/_vti_bin/owssvr.dll?Cmd=ExportList&List={GUIDGUIDGUIDGUID}
will give you the list def onscreen.
Fast, easy. I love it.

samantha said...

Thanks! You just saved me hours. One of my master pages was pending approval.

Anonymous said...

I had to put users in the Approvers group to get around this problem. I have web parts that load documents in that were causing the problem. There may be another group that is more appropriate, but this one worked for me. The users needed rights to see the contents of the files.

Arash Aghajani said...

Great post. You saved my time...
Thank you.

Anonymous said...

Great article. Do you know how to customize the "Go Back to site" link to point to something else?

Thanks.

T-Fire said...

Tariq Mardawi Said:>> I ran into the same problem, but when I checked in all the checked-out files (Masterpage, Page layout and cascade style sheet file), as a result it works fine

Marlin7 said...

Tyler, how is it that NT Authority\Authenticated users should be Site Collection Admins?

Tyler Holmes said...

Hey Marlin7,

That English could have been worded a bit better (I've updated it). What that should have said is that you should check the obvious things (like if the users are actually in a group that has access) and try to figure out if no one has access (not even site collection administrators) or if it's just select users.

Thanks for the comment.

Best,
Tyler

sqlbaba said...

The following link is an excellent resource too.

http://www.simple-talk.com/dotnet/windows-forms/configuring-forms-authentication-in-sharepoint-2007/

Anonymous said...

Here is a SIMPLE problem that causes the same symptom: Central Admin, Application Management, Site Collection Quotas and Locks. If a site is set for "read only" access, it can generate the same "Access Denied" errors you describe. We had a problem that a backup process set a site to "Read only" and then failed without setting it back to "unlocked".

Anonymous said...

Tyler, YOU ROCK. Just saved my bacon! Same as Matt my problem was in the Master page gallery.

Anonymous said...

I have an issue wherein I receive an Access denied error every time I try to open a List item in Display Form even if I am a Site Collection Admin. I hope someone can help me...

Andre Galitsky said...

Thanks Tyler, your post helped me solve a similar problem.

I was able to find the list in question by pasting the GUID into the URL:

http://[ServerName]/_layouts/AccessDenied.aspx?Source=[AnyUrl]&Type=list&name={12151589-7A0B-40EE-BD92-ADB851B3D78E}

In my case, it turned out to be the Master Page library which had incorrect permissions...

r. said...

Had the same issue, I resolved it by going to Site Actions -> Site Settings -> Modify All Site Settings. Select the option Page layouts and site templates and then select the option to Reset all subsites to inherit these preferred subsite template settings for both subsites and page layouts. This is sort of related to the publishing the default master page; an obvious permission issue.

Ashit said...

Super article brother..
It helps me a lot to figure out where to look what

c6502 said...

You Rock!!! You totally saved me from installing a hotfix that would have probably broken everything!!!

Anonymous said...

So what about access errors for anonymous users who want to export items from a calendar? They can view the calendar just fine anonymously, but when clicking on the link to "Export Event" they get prompted with a login box.

Any thoughts there?

- Def

Tyler Holmes said...

Hey Def,

Because you're really trying to access a SharePoint web service (note the _vti_bin in the url) your use case is quite different.

The Export Event url looks something like:
http://[webAppUrl]/_vti_bin/owssvr.dll?CS=109&Cmd=Display&List={5123cd13-0037-4e90-9555-2f18bc4a4806}&CacheControl=1&ID=1&Using=event.ics

Last time I checked, pulling data from a Sharepoint web service without authenticating wasn't do-able. Hopefully someone here will contradict me, but either way here's a related discussion.

Please read it in its entirety, the real value is in the comments:
http://stackoverflow.com/questions/1261012/accessing-sharepoint-web-services-without-authentication

Anonymous said...

Tyler,
Thanks for the insight. Given the fact that the calendar is exposed for all to see on an anonymous site, I would have thought that the default RSS feed for a calendar would have allowed for anonymous usage of the embedded links for exporting the individual items (why would it provide a link for someone who couldn't use it? Shouldn't permission trimming take care of this?).

At any rate, to get around this I wrote a custom "iCal" web service that I have running alongside a separate custom-created RSS feed for the calendar. The custom feed includes a link for exporting the events that doesn't require authentication.

Thanks again for the help - I'll have to add this to my list of "working-as-intended" features of SharePoint that don't really work in practice.

- Def

Anonymous said...

Thanks you saved my time.....

dsouza said...

I spent an entire hrs together for a way to use the AllWebs without throwing that error. Elevated permissions with impersonation of the current user refused to work unless the current user is a site collection owner. I just wanted to thank you for posting this finding.

kültür mantarı said...

We had also a Quotas and Locks issue like anonymous said.

Change Lock status for this site:
to No Lock and site start working.

Thanks anonymous ..

Skovbo Karate Klub said...

I had the same problem. This helped me a lot THANKS! ;-)

Anonymous said...

First, clear any errors in Event Viewer pertaining to SharePoint. Then, login to http://yourmachine/sites/DefaultCollection using the services/Primary admin for sharepoint. (not Administrator).
Then, set your Site Collections administrators there, you can also set Individual user permissions for each site from there.
This worked for me.

Etherknight said...

So glad I found this blog! We migrated our whole site and could not change anything! Though the method explained did not apply in my case, one of the comments was the key: The whole was auto-locked after the move. We went into the CA, set it back to 'not locked' and BAM! everything is fine. Thanks 'anonymous'!

Anonymous said...

THANK YOU, helped me solve a problem for a client who accidentally deleted some of the standard SharePoint groups. Suddenly they couldn't create any new pages in the page library because of the missing master page user rights.

aMmAr said...

I am facing this odd problem where the page works just fine for certain users and some days they complain that they are facing the said access denied problem.

Access Denied URL constitutes of the following elements:
http://[ServerName]/_layouts/AccessDenied.aspx?Source=[AnyUrl]

Now apparently it's a configuration problem but users who are getting this error have nearly Full Control on this page. What other related files should I check? FYI:

1. Master Page: Not associated with the affected page

2. CSS: defined on the same page

Bandi said...

My breakthrough was: Under central administration, security, users, specify web application user policy, I added Domain users with read access

Anonymous said...

Great post, saved my life. Thanks.

Ivan said...

Hi, guys.
Could anyone help me? I have the next url while getting "Access Denied" error : http://[ServerName]/_layouts/AccessDenied.aspx?Source=[AnyUrl]. I'm using Sharepoint 2010 with custom membership provider and membership works fine because I have no problem adding users to the site collection administrators. But I can't log in. Tyler wrote that there's most likely a configuration error. What type of configuration error can it be? Thanks in advance.

Anonymous said...

Great post, thanks a lot.. although my issue was for a different reason (service account was incorrect for app pool), learn new things from your post.
Thanks,
Shiv

Anonymous said...

Thank you so much for your post!!! You got me on the right track to solve my plan!! I had a major panic attack as I locked all my client's users out of SharePoint after I edited Permissions at the root site level.

In my case, I had to go to
/SitePages/Forms/AllPages.aspx, and add my Active Directory Security group where my users are back into the permissions on this. When I edited the root permissions, it only left "Site Owners" with Full Control and nothing else.

You definitely got me on the right track and saved me a night staying up to resolve this!

Marcela Berri said...

Excellent!!!! You saved me!!!

djbprogrammer said...

Thank you. It was the SharePoint 2010 Site Directory web Part from Code Plex that was causing the access denied error message. Once I removed that from the default page, all was well. Thanks again!

Anonymous said...

Thanks, this helped me to solve my issue

Accidentally deleted access permissions on root site but had user access to the other sub sites with custom permissions.

http://xxxx/Pages/Forms/Default.aspx

grant access to the above location and fixed the access issue on the root site.

Anonymous said...

I have an interesting one for you:

I recently was tasked with changing the passwords on our MOSS 2007 service accounts due to a systems manager quitting the company. I followed the steps to use the STSADM tool, but once the password was changed I can no longer access our site via an AAM. We can access it via server:port but not via the AAM's URL. Also, when someone sends an approval workflow through, it works all the way to the point of the Approver clicking the approval button but then throws an Access Denied error. (The workflow tries to access the Tasks list through the AAM). I did your steps above and found that the appropriate permissions are in place. I even granted Authenticated Users read access just for good measure. Any ideas?