IIS6 access denied error 401.3 - iis

If I have windows authentication enabled, anonymous and basic disabled for an individual aspx page in iis6 and in the acl only my user (That I'm logged in as) has full permissions to that file, no other account has been added to the list.
Why do I get an 401.3 access is denied error when the credentials are correct. The credentials box just keeps appearing. I have removed inheritance from the parent directory incase there were any deny permissions, i have checked my account isn't locked and I've even tried using fiddler to see if I can find any problems but I find it confusing.
The only way I could get the page to show is by adding the everyone group into the acl which makes me think even though I have specified windows authentication,it's still using another account but i don't know which one? I tried adding the IUSR account into the acl but still no luck.
Could it be something to do with NTML and kerberos. on fiddler, it says:
WWW-Authenticate Header is present: Negotiate
WWW-Authenticate Header is present: NTLM
But I don't know if this is correct ( a bit out my league). So any tips or ideas to look at would be appreciated.
Thanks

401.3 is Unauthorized due to ACL on resource. I would run Process Monitor, reproduce the issue, and search for Access Denied. Then fix the errors by providing appropriate permissions.
http://blogs.msdn.com/b/rahulso/archive/2006/01/18/using-filemon-regmon-to-solve-quot-access-denied-quot-issues.aspx

I know it is very old but make sure these users have access to the main folder of your website:
IUSER,
Network Services
IIS_IUSERS
read and execute is enough

Related

Blueprism Code Producing 403 Forbidden Error

I am trying to use Blueprism to download pdf files from Sharepoint.
I am using the below code. Url and Path are both variables which get passed through. This is producing a 403 forbidden error. I believe that Blueprism is required to pass credentials to Sharepoint before it will be allowed to download the file. Is this possible?
Using wc As New System.Net.WebClient()
wc.DownloadFile(Url, Path)
End Using
I don't think you have a password related issue, likely the SharePoint is recognising your account access via AD group or SSO of some kind. 403 means the server has understood your request but is denying to fulfil it because of an access reason on the profile you have. Make sure you can manually download the file on the profile you are emulating for a start then also check the profile the bot is operating under (not necessarily yours in some cases ) has access to said file.
Literally 403 is a request that relates to an access issue so somewhere something doesn't have the correct access lined up
First of all, is this a Sharepoint Online or OnPremises version? As you understand, you are connecting to web resource via an API and as such you have to get authenticated and authorized to access those resources.
If it's SPO, you can use the API component for SharePoint integration from DX and configure.
In case of SP On prem, you have to customize a lot to achieve your results.

UnauthorizedAccessException for limited permissions user via REST API

not sure if this is the right place to post dev question so please point me to the right place if its not...
I have a customer that gave a user permission to one specific list.
for example:
https://[tenant].sharepoint.com/sites/qa/permissions/lists/tasks
The user cannot browse to the site:
https://[tenant].sharepoint.com/sites/qa/permissions
But he can get to the list with no problems.
When we try to get the list items using REST api, that user gets "UnauthorizedAccessException" error.
Rest API url we tried:
https://[tenant].sharepoint.com/sites/qa/permissions/_api/web/lists/getbytitle('tasks')
https://[tenant].sharepoint.com/sites/qa/permissions/_api/web/lists/getbytitle('tasks')/items
Users with at least read permissions on the site /sites/qa/permissions have no problems getting to both these API endpoints.
Is there a different way to make the REST API work for users with permissions to just one list?
Is there a limitation of the REST API and it does not support that?
Thanks!
(I posted this on technet as well, and will update here if I get an answer there)
You can deactivate the site collection feature Limited-access user permission lockdown mode.
When this feature is activated, users with "Limited access" as permissions have reduced permissions which prevent them from accessing the list item/documents properties. This will cause the Unauthorized Exception error while accessing SharePoint artefacts.
So, go to your Site Settings > Site collection features
And Deactivate the Limited-access user permission lockdown mode feature.
After that, refresh and check.
More details - Enable or disable site collection features

Project server WorkFlow, permission issues

I am developing a workflow using Project Server 2013 and sharepoint designer.
Everything works fine until I try to set the value of a project field. When I do I get a 401 error (before I'd got a 403 error but solved it granting elevated permissions).
I've tried everything (or I think I did):
configuring the stages (requiring check-in)
configuring the custom fields (field not controlled by workflow)
configuring the site collection features (grant workflows app permissions)
But nothing seems to work, I always get:
System.ApplicationException: HTTP 401 {"error":{"code":"-2147024891, System.UnauthorizedAccessException","message":{"lang":"en-US","value":"Access denied. You do not have permission to perform this action or access this resource."}}} {"Transfer-Encoding":["chunked"],"X-SharePointHealthScore":["0"],"SPClientServiceRequestDuration":["26"],"SPRequestGuid":["94133bac-d37e-4a3d-84c6-ed9c1db025b8"],"request-id":["94133bac-d37e-4a3d-84c6-ed9c1db025b8"],"X-FRAME-OPTIONS":
Any help would be greatly appreciated
The problem was that the admin account running the workflow did not have permissions to access some user groups.
By granting that all user could access to see the members of every group both problems were solved and elevated permissions weren't necessary anymore.
Hope this helps anyone.

SharePoint 2013 access denied error after successful login

SharePoint is showing strange behavior that when I use my Custom login page which is using the credentials entered to get authenticated by my Custom Security Token service (Trusted Identity provider) for SharePoint. When my Identity provider sends a response to SharePoint, it redirects me to this URL
http://WebAppURL/_layouts/15/AccessDenied.aspx
Which should not appear because my identity provider has authenticated it, I was messing around with things and then while doing that I changed my URL from the above mentioned to
http://WebAppURL/ (Got rid of _layouts/15/AccessDenied.aspx)
It worked now whenever I log into my sharepoint webapp I first get this access denied page and then I have to change my URL, I get all the claims sent by my Identity provider.
Now If anyone out there can help me with this redirection issue? The realm I am giving while registering my IP-STS with SharePoint I append
http://webappURL/_trust/default.aspx
and also tried
http://webappURL/_trust as well but no success.
Any help or suggestion is appreciated. Thank you.
It turns out that permission to the site collection master page gallery had been removed. So even though the users had permissions to the master page gallery on the subsite, they were getting access denied errors on the subsite. We're not sure how the permissions on the site collection master page gallery were removed.
or see if this helps here.
In my case, I needed to update the permissions on the /_trust directory to include Everyone with Read permissions.

sharepoint permissions issues - "Access Denied"

I am trying to replicate a production issue in my dev environment but am running into permissions issues, where a user in the "Contributor" group gets an access denied error. Furthermore, if I make this user a Site Collection administrator he still gets the same access denied error.
Why is this happening? How do I fix?
UPDATE: I do not have a problem when I log in from inside my VM in the dev environment. The problem must be that my dev environment is its own domain. So the question becomes, how can I log in from a machine not in the domain? I'd like to avoid extending the web application if possible.
UPDATE 2: By the way, I'm able to log in the site from my host OS fine when the credentials I use are of the "System Account."
Troubleshooting Access Denied errors is something that plagues me daily... so I feel your pain.
I am assuming this user is trying to access some page in SharePoint. From my experience, if even one Web Part on the page is accessing something the user does not have access to, the entire Access Denied page is shown.
One way to troubleshoot access to the SITE (not the page) is by visiting the "All Site Content" page: /_layouts/viewlsts.aspx. If they can get to this page, then it is something wrong with the page and not the site.
Next I would try exporting and then DELETING (not closing) webparts from the page to determine which one is causing the problem. Since you have a dev environment, I assume you could do another restore if things get too mucked up.
when do they get the access denied error? hitting the site?
are you sure that the user you're adding to the group is the same user you're logging in as? Sometimes if you have multiple user stores you can add different users to the group: DOMAIN\joe.user, forms:joe.user, someotheraccountstore:joe.user, etc.

Resources