I have an Error HTTP 500 on my newest created collection site. "http://sp-dev-2013:20000/site/Test" with the administrator sp13_Admin
I've checked IIS application pool and all my Applications pool are up and started including SecurityTokenServiceApplicationPool and change the "identity field" with a sp13_farm. I did an iisreset command just in case but, it still doesn't work.
I've impersonated my AppPool Account sp13_AppPool in Local Security Policy and it still doesn't work.
Related
I am developing a workflow using Project Server 2013 and sharepoint designer.
Everything works fine until I try to set the value of a project field. When I do I get a 401 error (before I'd got a 403 error but solved it granting elevated permissions).
I've tried everything (or I think I did):
configuring the stages (requiring check-in)
configuring the custom fields (field not controlled by workflow)
configuring the site collection features (grant workflows app permissions)
But nothing seems to work, I always get:
System.ApplicationException: HTTP 401 {"error":{"code":"-2147024891, System.UnauthorizedAccessException","message":{"lang":"en-US","value":"Access denied. You do not have permission to perform this action or access this resource."}}} {"Transfer-Encoding":["chunked"],"X-SharePointHealthScore":["0"],"SPClientServiceRequestDuration":["26"],"SPRequestGuid":["94133bac-d37e-4a3d-84c6-ed9c1db025b8"],"request-id":["94133bac-d37e-4a3d-84c6-ed9c1db025b8"],"X-FRAME-OPTIONS":
Any help would be greatly appreciated
The problem was that the admin account running the workflow did not have permissions to access some user groups.
By granting that all user could access to see the members of every group both problems were solved and elevated permissions weren't necessary anymore.
Hope this helps anyone.
I am trying to get automated deployment from TeamCity working for one of our new API endpoints. I have everything set up correctly, including the final step where TeamCity calls MSDeploy to send the package over to our server (we're talking our Integration / test server here).
Everything was working fine but, when creating the new site in IIS, we had borrowed a service user from another website for the app pool to run as.
When we created a new domain user and switched the app pool over our deployments started failing. The error MSDeploy gives is:
Error: (30/10/2014 15:00:56) An error occurred when the request was processed on the remote computer.
[15:00:56][Step 1/1] Error: The account 'XXX' does not appear to be valid. The account was obtained from this location: 'system.applicationHost/applicationPools/******.com'.
[15:00:56][Step 1/1] Error: Some or all identity references could not be translated.
[15:00:56][Step 1/1] at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
[15:00:56][Step 1/1] at System.Security.Principal.NTAccount.Translate(Type targetType)
[15:00:56][Step 1/1] at Microsoft.Web.Deployment.Impersonator.GetNTAccount(String userName, String source)
Where XXX is the new domain user we created. Let's call the old domain user that we borrowed 'YYY'. We are using a third account, 'ZZZ' to connect with web deploy. So, everything was fine with the app pool running as YYY, but when we switched to XXX this error occurs.
We have looked and looked, but we can't find any differences between XXX and YYY. They're both in the same AD groups and both seem to have the same permissions on the server. Logging in to the server through RDP using account XXX allows us to open the IIS GUI and browse / administer the sites.
I've been unable to find many other sites talking about this problem, but it's got us completely stumped.
FYI, we have already restarted the web server in question, to see if that helped. It didn't.
The error being returned here is just a general authentication failure error. In this particular scenario the authentication failure was being caused by a discrepancy between the User Principle Name and the SAM Account name of the user the application pool was running as.
See the following question for an explanation of which name is used when authenticating an Active Directory user - https://serverfault.com/questions/371150/any-difference-between-domain-username-and-usernamedomain-local
In our particular example, the active directory user name of the application pool was longer than 20 characters. The SAM account name has a 20 character limit which means all characters over 20 were not included.
As explained in the linked answer, the format you use when specifying the domain and user name will determine which version of the name is used for authentication. Therefore with an example user name of "username_longer_than_20_characters" the following formats would work:
domain\username_longer_than - authenticates using SAM account name
or
username_longer_than_20_characters#domain - authenticates using User Principle name
The answer in the linked post also explains how to check the SAM account name for an Active Directory user.
My issue is two-fold:
Need a user account to write to inetpub/wwwroot that isn't in the IIS_WPG Group
Change the DefaultAppPool account to specified user account in #1
We cannot have anonymous HTTP writing to Server A from Server B from the default anon user account Windows reads from, hence for #2. And due to said server permissions, we cannot have Group IIS_WPG do any writing to inetpub/wwwroot either.
I created a new user account, but it isn't associated to any groups. Then, I added this user to the DefaultAppPool Identity instead of using Network Service. Then, under Inetpub/wwwroot I gave read/write permissions to this user account. Then I restart w3svc.
I am getting a Service Unavailable error now when I try to view any web page with this error in the logs: A failure was encountered while launching the process serving application pool 'DefaultAppPool'. The application pool has been disabled.
Note: I am not a Windows admin by any means, so what I'm doing is based off of any articles I can find and trusting their accuracy 100%.
The whole point of the IIS_WPG group is to have a pre-set grouping of the permissions required to run an application pool. So the best case is going to be creating your new user but then just adding that user to the IIS_WPG group.
If you can't do that, then I believe you have to explicitly give your new user the same permission set that IIS_WPG has already. Which can be found here: http://support.microsoft.com/kb/812614
I have a problem with the sharepoint server, I added 2 new domain users and they cannot access the sharepoint site ,they're getting the 'Access Denied' msg,although all users are given permissions to access the main website by default as soon as they're added to the domain
Any suggestions ?? or settings that i can check?
Thank you in advance
First of all, check that they have a clean IE cache, have restarted their browser etc.
Check that they don't have an incorrect stored user name and password against the site host name on their Windows profile.
Ensure that the permissions on the site in question haven't been amended without your knowledge.
Ensure that they are in the correct AD group (if necessary)
Have a look at the IIS logs and ensure that their credentials are being passed in. (Search for their username). If they are not, you'll need to ensure that the SharePoint site is in the correct zone on their browser to get credentials passed in. (Trusted sites?)
Have a look in the Windows Event Logs and ULS logs when they try to hit the site to see if anything unexpected is happening
Ensure that you don't have any Web Application policies set up (go to Central Admin -> Application Management --> Policy for web application) which would deny these specific users access.
Ensure that the user account directory path, and people picker settings for the site are not stopping them from getting access:
stsadm -o getsiteuseraccountdirectorypath -url <site url>
stsadm -o getproperty -pn peoplepicker-seachadcustomfilter -url <site url>
Sharepoint caches the domain user credentials, new users may not be available right away. Try checking the synchronization messages in "Central Administration" -> "Application Management" -> "Manage service applications" -> "User Profile service application" and maybe force a new synchronization.
You must set permissions for newly added domain user in sharepoint. Add it to a group that has permissions to read your root site. See permissions at url: http://server/_layouts/user.aspx
I've got a SharePoint website running on my machine (which it shows me inside the Application Pool in the Inet Manager).
Now this website has a different user credentials specified under the Identity section (properties). Also when I view the w3wp.exe in the task manager it shows that the site is running as a different user.
The problem is that if I change the username and password of the existing user with mine, the site stops working.
How do I run it under my account credentials.
Please help. Thanks
If you want to change the account that runs the SharePoint application pool, you must make sure that the new account has the same permissions as the current one. That includes the correct database permissions. Otherwise the SharePoint Web Application stops working.
The behavior you are describing is normal. Whatever account you use to login to your SharePoint site, the application pool will still be using the account assigned to it.
Regards,
M