You do not have permissions to do this
operation. Ask your website
administrator to change your
pemissions and then try again, or log
on with another account that has this
permission. To log on with another
user account click ok.
I need some help regarding the above error. After applying SP1 pack on our SharePoint Server 2007 (MOSS 3.0) the workflows aren't working anymmore on one of the WebApplications (located in SSP2) Workflows work, however on other existing applications (on SSP1 or SSP2) or newly created applications (on SSP1 or SSP2).
Details of error: 1. Default / Built in SharePoint Workflows are not starting 2. Sharepoint Designer Workflows throwing the following error message: "You do not have permissions to do this operation. Ask your website administrator to change your pemissions and then try again, or log on with another account that has this permission. To log on with another user account click ok. " 3. Before applying the SP1 on MOSS the workflows were working perfectly fine on this WebApplication.
so far: 1. I am logged in as Administrator (bot on Sharepoint site or when working with Sharepoint Designer). 2. Administrator is included in the list Site Collection Administrators 3. I noticed in Sharepoint designer that the username used for creating the workflow is 'converted' into SHAREPOINT\system (in the Modified By Column).
Has anybody come accross/fixed this error?
Any help much appreciated. Thanks D
You need to Disable the Loop Back check, this is something introduced in SP1 to avoid running things as the System Account for security purposes.
Click Start, click Run, type regedit, and then click OK.
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Right-click Lsa, point to New, and then click DWORD Value.
Type DisableLoopbackCheck, and then press ENTER.
Right-click DisableLoopbackCheck, and then click Modify.
In the Value data box, type 1, and then click OK.
Please understand that this feature exists for a reason, and you should configure your accounts properly to avoid the problem.
Related
A colleague of mine suggested that I could fix this error in the GPO. It is a windows 2016 server.
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
I’m not sure if this issue affects the functionality of your app, and as the documentation says, you don't need to fix this issue if it has no effect on function.
These events can be safely ignored because they do not adversely affect functionality and are by design. This is the recommend action for these events.
If it has effect on your application, you can follow these steps to fix it:
Open the registry editor as an administrator and nagvigate to HKEY_CLASSES_ROOT\CLSID{D63B10C5-BB46-4990-A94F-E40B9D520160}. If you are in the right location, you also see the APPID as a value. Remember the application name, you can see in the Data column, the corresponding Name column shows (Default).
Right click the {D63B10C5-BB46-4990-A94F-E40B9D520160} and click Permissions, then choose Advanced.
In the advance security setting window, click Change and type your administrator account. Then click OK.
In the "Permissions for..." windows, select the Administrators and activate the Full Permissions checkbox.
Repeat step 1 to 4 to add permissions for APPID{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}.
Open Component Services as administrator. Navigate to Component Services-Computers-My Computer-DCOM Config. Find the application by application name remembered in step 1 and right click the Properties.
Go to the Secutiry tab, choose the appropriate action. You can choose Launch and Activation Permissions, set to Customize, and Edit.
Click the name that applies to you and click the appropriate permission.
If permissions can't be changed, you may need to take ownership first.
See also https://www.kapilarya.com/fix-event-10016-error-the-application-specific-permission-settings-do-not-grant-local-activation-permission-in-windows-10
I have created the list workflow and just printing the history log to print a test message. I am trying to publish the workflow using my account but it always returning me below warning error message.
You do not have permission to do this operation. Ask your site
administrator to change your permissions and then try again, or log on
with a user account that has this permission. To log on with a
different user account click OK.
I did below workaround but did not get work:
Checked the site permissions for my account, all permissions are working correctly. I have full control, design and contribute access.
Checked the permissions for SharePoint designer, this is working fine. I am Primary administrator from central admin.
Checked the application pool. This is working fine.
Reset the IIS.
Also restarted the server as well once.
Can any one please advise what is the exact issue here?
You could try to install the latest update for SharePoint Designer. Check if it works for you.
1.Install SPD SP1:https://support.microsoft.com/en-us/help/2817441/description-of-microsoft-sharepoint-designer-2013-service-pack-1-sp1
2.Then install the latest update: https://support.microsoft.com/en-us/help/3114721/august-2-2016-update-for-sharepoint-designer-2013-kb3114721
We have upgraded TFS 2012 to TFS 2013 and did not have sharepoint installed before. So i installed tfs sharepoint components on a sharepoint server and tfs server and connected them. Everything is fine except excel reports and they give me the following error:
External Data Refresh Failed
The data connection uses Windows Authentication and user credentials could not be delegated. The following connections failed to refresh: TfsOlapReport
i have made sure Claims to windows authentication service is running.
To fix the error, please follow steps below which are quoted from this blog.
On the Team Foundation Server Administration Console, click Extensions for Sharepoint Products.
Select the Sharepoint Web Application which you are using.
Click Modify Access
Enter a user with access rights to the reports inside the Enterprise Application Definition field
Browse to Central Administration in Sharepoint
Select Manage Service Applications
Select Secure Store Service (Type: Secure Store Service Application)
Under Manage Target Applications, Click on New
Enter Target Application ID = "TFS", Display Name = "TFS", Contact Email="Whatever", Target Application Type = "Group", Target Application Page URL = "None" and click Next
Do not enter anything on this page as it's asking for fields name and not the actual credentials.
Enter Target Application Administrators and Members and click ok.
it will take you back to the page that was displayed after performed step 3.
Now right click on "TFS" and select "Set Credentials" and then enter the username and password that this account will be running under.
Now login to the TFS Server and click extensions for Sharepoint products.
Select the sharepoint web application you are using.
Click Modify access.
Enter "TFS" under the Enterprise Application Definition field.
Also just to make sure "Excel Service applications are configured properly, Click on "Excel Service Application "Type: Excel Services Application Web Service Application".
Click on Trusted File Location and make sure the site collection is added to the Trusted File Location and location type is "Microsoft Sharepoint foundation". under Trust children check "children trusted". under Allow external data select "Trusted data connection libraries and embedded".
Go back to page displayed after step 14 and select "Global Settings".
File access method = "impersonation", Under Analysis Services EffectiveUserName, check "Use the EffectiveUserName property".
Check "Use an existing Unattended Service account" radio button and under Target Application ID: enter "TFS".
Also make sure under Trusted Data Providers, the providerid your excel application is using is listed.
While installing SharePoint Server 2013 I am finding the above error in the Configuration Wizard.
This error is occurred while generating Sample Data for SQL.
It gives me an error in the 8th step out of 10 steps.
I have tried to find out the solution for that and I have came to know that I need to set Full Access rights permission for WSS_ADMIN_WPG user.
But I did not find any folder that starts with "Analytics_GUID" in the "C:\Program Files\Microsoft Office Servers\15.0\Data\Office" Server Path.
Can anyone help me out in this.
I had the same problem. You also need to ensure that the account you are installing with has sufficient permissions in the SHAREPOINT SQL Server instance.
To grant your account sufficient SQL permissions:
open SQL Server Management Studio
connect to the SHAREPOINT instance ( named server\SHAREPOINT )
in the left tree expand Security | Logins and select your account
right click and select Properties
in the login properties dialog select Server Roles
select all of the checkboxes to grant yourself every role.
click ok.
See this article for details: http://www.sharepointpitstop.com/2013/09/the-sddl-string-contains-invalid-sid-or.html
Following is the pertinent part of the article:
1) Check if the account used for installing SharePoint 2013 has dbcreator and security admin permission in SQL Server.
2) Browse to "C:\Program Files\Microsoft Office Servers\15.0\Data\Office Server" and find the folder that starts with Analytics_GUID.
3) Right-click -> Properties ->Sharing ->Advanced Sharing. Check the "Share this folder' check box and click on Permissions.
4) Granted full access to everyone.
5) Added WSS_ADMIN_WPG to the sharing with full access.
6) Ran the SharePoint 2013 Products Configuration Wizard again and this completed successfully.
Is there a way to force sharepoint 2010 to popup the dialog to ask the user for a username and password and not use the computers logged in user, if that user doesn't have access.
We need an internal sharepoint website to not use the windows credentials, since these are computers used by many people. The windows user doesn't have access to the site, so currently it shows an access denied, click here to log in as another user. We would prefer if it just asked for credentials in a more graceful manner.
There is a way to configure Internet Explorer to do this. In Internet Explorer(IE),
Go to Tools
Click Internet Options
Click on the Security tab
Click on the button labeled Custom Level.
Scroll to the very bottom of the list
Select the option labeled Prompt for user name and password.
The default option Automatic logon only in Intranet zone' is what is causing IE to send the credentials to SharePoint. This of course would force everyone to log in on that computer.
Forms Based Authentication is the answer. You can modify the Login page and even where the users credentials (username/password) are stored (e.g. a SQL database rather then AD).
Use browser other than IE to access the SharePoint site from the community computers.
I am guessing you work in a corporate environment, which would mean your computers are probably managed by your IT department and part of your domain. Because they are part of your company's AD (Active Directory), your systadmins Should be able to modify the existing policy (i say existing, because in IE, the defaults for the settings relating to logging on are by default set so that you WOULD have gotten a logon prompt, i am guessing a group policy is already in effect). If it does not exist, have your admins create one.
The setting Jeremy mentions is one option. It could also be that the site is in included in your IE's "Local Intranet Zone". If it is, or, more probable, there is a wildcard *.yourdomainname.yourdomainextension).
Use the setting mentioned by jeremy to override the default logon behavior (automatic logon) associated with sites listed in the intranet zone.
A group policy can be applied to a group of computers or all the computers in the domain. If the policy should be applied to a small group of computers only, put those computers in a separate OU (Organisation Unit) in AD and apply the policy to that OU.
What about creating a new zone, secured with FBA, for those community computers? As long as the users of the community computers are given only URL for the new zone, you should be OK.
You can create 2 registry files to turn this behavior on and off for the Internet Explorer. Use Notepad to paste the values below, ensure that Windows Registry Editor Version 5.00is the first line, and that you're appending 2 blank lines at the end of the file (press 2x Enter).
To turn it on (i.e. always ask for credentials): AlwaysAsk.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\1] "1A00"=dword:00010000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\1] "1A00"=dword:00010000
To turn it off (automatically use credentials, only ask if necessary): AutomaticLogon.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\1] "1A00"=dword:00020000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\1] "1A00"=dword:00020000
This is useful for testing, espcecially if you're a developer in a corporate environment where you can't easily change the policy settings on your PC (but you need elevated rights, i.e. you have to run it as Administrator).
Note that the 1st key is for the local machine, the 2nd key is for the current user (currently logged in), which is needed to activate it immediately.
If you need more details about the values, check out this link:
Internet Explorer security zones registry entries for advanced users