SharePoint is showing strange behavior that when I use my Custom login page which is using the credentials entered to get authenticated by my Custom Security Token service (Trusted Identity provider) for SharePoint. When my Identity provider sends a response to SharePoint, it redirects me to this URL
http://WebAppURL/_layouts/15/AccessDenied.aspx
Which should not appear because my identity provider has authenticated it, I was messing around with things and then while doing that I changed my URL from the above mentioned to
http://WebAppURL/ (Got rid of _layouts/15/AccessDenied.aspx)
It worked now whenever I log into my sharepoint webapp I first get this access denied page and then I have to change my URL, I get all the claims sent by my Identity provider.
Now If anyone out there can help me with this redirection issue? The realm I am giving while registering my IP-STS with SharePoint I append
http://webappURL/_trust/default.aspx
and also tried
http://webappURL/_trust as well but no success.
Any help or suggestion is appreciated. Thank you.
It turns out that permission to the site collection master page gallery had been removed. So even though the users had permissions to the master page gallery on the subsite, they were getting access denied errors on the subsite. We're not sure how the permissions on the site collection master page gallery were removed.
or see if this helps here.
In my case, I needed to update the permissions on the /_trust directory to include Everyone with Read permissions.
Related
not sure if this is the right place to post dev question so please point me to the right place if its not...
I have a customer that gave a user permission to one specific list.
for example:
https://[tenant].sharepoint.com/sites/qa/permissions/lists/tasks
The user cannot browse to the site:
https://[tenant].sharepoint.com/sites/qa/permissions
But he can get to the list with no problems.
When we try to get the list items using REST api, that user gets "UnauthorizedAccessException" error.
Rest API url we tried:
https://[tenant].sharepoint.com/sites/qa/permissions/_api/web/lists/getbytitle('tasks')
https://[tenant].sharepoint.com/sites/qa/permissions/_api/web/lists/getbytitle('tasks')/items
Users with at least read permissions on the site /sites/qa/permissions have no problems getting to both these API endpoints.
Is there a different way to make the REST API work for users with permissions to just one list?
Is there a limitation of the REST API and it does not support that?
Thanks!
(I posted this on technet as well, and will update here if I get an answer there)
You can deactivate the site collection feature Limited-access user permission lockdown mode.
When this feature is activated, users with "Limited access" as permissions have reduced permissions which prevent them from accessing the list item/documents properties. This will cause the Unauthorized Exception error while accessing SharePoint artefacts.
So, go to your Site Settings > Site collection features
And Deactivate the Limited-access user permission lockdown mode feature.
After that, refresh and check.
More details - Enable or disable site collection features
I am developing a workflow using Project Server 2013 and sharepoint designer.
Everything works fine until I try to set the value of a project field. When I do I get a 401 error (before I'd got a 403 error but solved it granting elevated permissions).
I've tried everything (or I think I did):
configuring the stages (requiring check-in)
configuring the custom fields (field not controlled by workflow)
configuring the site collection features (grant workflows app permissions)
But nothing seems to work, I always get:
System.ApplicationException: HTTP 401 {"error":{"code":"-2147024891, System.UnauthorizedAccessException","message":{"lang":"en-US","value":"Access denied. You do not have permission to perform this action or access this resource."}}} {"Transfer-Encoding":["chunked"],"X-SharePointHealthScore":["0"],"SPClientServiceRequestDuration":["26"],"SPRequestGuid":["94133bac-d37e-4a3d-84c6-ed9c1db025b8"],"request-id":["94133bac-d37e-4a3d-84c6-ed9c1db025b8"],"X-FRAME-OPTIONS":
Any help would be greatly appreciated
The problem was that the admin account running the workflow did not have permissions to access some user groups.
By granting that all user could access to see the members of every group both problems were solved and elevated permissions weren't necessary anymore.
Hope this helps anyone.
I am facing a weird authentication issue for an intranet sharepoint 2010 site.
When a user from site owner group tries to access the site by this URL,
http://machine name:1111/ a windows credential pops up, even if user provides correct login details, he is not able to log in. But when user tries to access this URL, http://machine name:1111/SitePages/Home.aspx he is able to login successfully.
The site uses classic authentication mode.
Please let me know, what could be the reason for such strange behaviour.
Regards
Naimish
Got it resolved now.
The physical directory should have 'Read' rights for Everyone. In my case, the folder 1111 has this rights removed. I have given the said rights and its working fine now.
Regards
If I have windows authentication enabled, anonymous and basic disabled for an individual aspx page in iis6 and in the acl only my user (That I'm logged in as) has full permissions to that file, no other account has been added to the list.
Why do I get an 401.3 access is denied error when the credentials are correct. The credentials box just keeps appearing. I have removed inheritance from the parent directory incase there were any deny permissions, i have checked my account isn't locked and I've even tried using fiddler to see if I can find any problems but I find it confusing.
The only way I could get the page to show is by adding the everyone group into the acl which makes me think even though I have specified windows authentication,it's still using another account but i don't know which one? I tried adding the IUSR account into the acl but still no luck.
Could it be something to do with NTML and kerberos. on fiddler, it says:
WWW-Authenticate Header is present: Negotiate
WWW-Authenticate Header is present: NTLM
But I don't know if this is correct ( a bit out my league). So any tips or ideas to look at would be appreciated.
Thanks
401.3 is Unauthorized due to ACL on resource. I would run Process Monitor, reproduce the issue, and search for Access Denied. Then fix the errors by providing appropriate permissions.
http://blogs.msdn.com/b/rahulso/archive/2006/01/18/using-filemon-regmon-to-solve-quot-access-denied-quot-issues.aspx
I know it is very old but make sure these users have access to the main folder of your website:
IUSER,
Network Services
IIS_IUSERS
read and execute is enough
All,
I'm configuring Sharepoint to use forms authentication with LDAP/Active Directory. I'm new to Sharepoint, so if this is obvious, please point me in the right direction.
Whenever I attempt to log in with a bad account or password, I get the very friendly (and correct) error message,
The server could not sign you in. Make
sure your user name and password are
correct, and then try again.
... which implies that Sharepoint is able to communicate with AD. If I log in with a valid account, I get a page that says:
alt text http://img63.imageshack.us/img63/6053/sharepointerror.png
(I added the grey bar to cover up the login name)
Any suggestions? The account I'm logging in with is an administrator and has been granted full control in central administration.
Also, interesting note: If I click the "sign in as a different user" link, and attempt to sign in using with the same credentials I just used, the site just redirects back to the login page, with no error or status message. If I then manually enter the site url, it again shows the "Error: Access Denied" page. Argh.
Go to site action of the actual site and add user in the format of
:loginid
It should resolve and show it underlined then try login in back to application that should fix it.
Your AD connection is working fine just need to add to sharepoint users list
yourprovider:userid
Yourprovider name is the name you gave to the user provider in web config
And you can add this user from parent site that is windows protected and you have all
I suppose it's sharepoint site security issue.
I'm getting the same error when trying to enter Site Settings page with a user that has a lack of permissions.
If you have at least one user that can access the Site Settings page, I suggest you to go to Site Actions/Site Settings/Users and Permissions/People and grops then click New button and add a user from AD to an appropriate group, eg. Team Site Members.
You have made connection with Ad and its working fine. So that you got error, when you try to login with invalid user id.
But you have missed one step in above scenario.
You need to give the permission for all AD users in your SharePoint site. The better way is to create a user group in AD (it may already there) which included all the users and add this user group in your SharePoint site with read permission.