I am trying to replicate a production issue in my dev environment but am running into permissions issues, where a user in the "Contributor" group gets an access denied error. Furthermore, if I make this user a Site Collection administrator he still gets the same access denied error.
Why is this happening? How do I fix?
UPDATE: I do not have a problem when I log in from inside my VM in the dev environment. The problem must be that my dev environment is its own domain. So the question becomes, how can I log in from a machine not in the domain? I'd like to avoid extending the web application if possible.
UPDATE 2: By the way, I'm able to log in the site from my host OS fine when the credentials I use are of the "System Account."
Troubleshooting Access Denied errors is something that plagues me daily... so I feel your pain.
I am assuming this user is trying to access some page in SharePoint. From my experience, if even one Web Part on the page is accessing something the user does not have access to, the entire Access Denied page is shown.
One way to troubleshoot access to the SITE (not the page) is by visiting the "All Site Content" page: /_layouts/viewlsts.aspx. If they can get to this page, then it is something wrong with the page and not the site.
Next I would try exporting and then DELETING (not closing) webparts from the page to determine which one is causing the problem. Since you have a dev environment, I assume you could do another restore if things get too mucked up.
when do they get the access denied error? hitting the site?
are you sure that the user you're adding to the group is the same user you're logging in as? Sometimes if you have multiple user stores you can add different users to the group: DOMAIN\joe.user, forms:joe.user, someotheraccountstore:joe.user, etc.
Related
not sure if this is the right place to post dev question so please point me to the right place if its not...
I have a customer that gave a user permission to one specific list.
for example:
https://[tenant].sharepoint.com/sites/qa/permissions/lists/tasks
The user cannot browse to the site:
https://[tenant].sharepoint.com/sites/qa/permissions
But he can get to the list with no problems.
When we try to get the list items using REST api, that user gets "UnauthorizedAccessException" error.
Rest API url we tried:
https://[tenant].sharepoint.com/sites/qa/permissions/_api/web/lists/getbytitle('tasks')
https://[tenant].sharepoint.com/sites/qa/permissions/_api/web/lists/getbytitle('tasks')/items
Users with at least read permissions on the site /sites/qa/permissions have no problems getting to both these API endpoints.
Is there a different way to make the REST API work for users with permissions to just one list?
Is there a limitation of the REST API and it does not support that?
Thanks!
(I posted this on technet as well, and will update here if I get an answer there)
You can deactivate the site collection feature Limited-access user permission lockdown mode.
When this feature is activated, users with "Limited access" as permissions have reduced permissions which prevent them from accessing the list item/documents properties. This will cause the Unauthorized Exception error while accessing SharePoint artefacts.
So, go to your Site Settings > Site collection features
And Deactivate the Limited-access user permission lockdown mode feature.
After that, refresh and check.
More details - Enable or disable site collection features
I am developing a workflow using Project Server 2013 and sharepoint designer.
Everything works fine until I try to set the value of a project field. When I do I get a 401 error (before I'd got a 403 error but solved it granting elevated permissions).
I've tried everything (or I think I did):
configuring the stages (requiring check-in)
configuring the custom fields (field not controlled by workflow)
configuring the site collection features (grant workflows app permissions)
But nothing seems to work, I always get:
System.ApplicationException: HTTP 401 {"error":{"code":"-2147024891, System.UnauthorizedAccessException","message":{"lang":"en-US","value":"Access denied. You do not have permission to perform this action or access this resource."}}} {"Transfer-Encoding":["chunked"],"X-SharePointHealthScore":["0"],"SPClientServiceRequestDuration":["26"],"SPRequestGuid":["94133bac-d37e-4a3d-84c6-ed9c1db025b8"],"request-id":["94133bac-d37e-4a3d-84c6-ed9c1db025b8"],"X-FRAME-OPTIONS":
Any help would be greatly appreciated
The problem was that the admin account running the workflow did not have permissions to access some user groups.
By granting that all user could access to see the members of every group both problems were solved and elevated permissions weren't necessary anymore.
Hope this helps anyone.
SharePoint is showing strange behavior that when I use my Custom login page which is using the credentials entered to get authenticated by my Custom Security Token service (Trusted Identity provider) for SharePoint. When my Identity provider sends a response to SharePoint, it redirects me to this URL
http://WebAppURL/_layouts/15/AccessDenied.aspx
Which should not appear because my identity provider has authenticated it, I was messing around with things and then while doing that I changed my URL from the above mentioned to
http://WebAppURL/ (Got rid of _layouts/15/AccessDenied.aspx)
It worked now whenever I log into my sharepoint webapp I first get this access denied page and then I have to change my URL, I get all the claims sent by my Identity provider.
Now If anyone out there can help me with this redirection issue? The realm I am giving while registering my IP-STS with SharePoint I append
http://webappURL/_trust/default.aspx
and also tried
http://webappURL/_trust as well but no success.
Any help or suggestion is appreciated. Thank you.
It turns out that permission to the site collection master page gallery had been removed. So even though the users had permissions to the master page gallery on the subsite, they were getting access denied errors on the subsite. We're not sure how the permissions on the site collection master page gallery were removed.
or see if this helps here.
In my case, I needed to update the permissions on the /_trust directory to include Everyone with Read permissions.
If I have windows authentication enabled, anonymous and basic disabled for an individual aspx page in iis6 and in the acl only my user (That I'm logged in as) has full permissions to that file, no other account has been added to the list.
Why do I get an 401.3 access is denied error when the credentials are correct. The credentials box just keeps appearing. I have removed inheritance from the parent directory incase there were any deny permissions, i have checked my account isn't locked and I've even tried using fiddler to see if I can find any problems but I find it confusing.
The only way I could get the page to show is by adding the everyone group into the acl which makes me think even though I have specified windows authentication,it's still using another account but i don't know which one? I tried adding the IUSR account into the acl but still no luck.
Could it be something to do with NTML and kerberos. on fiddler, it says:
WWW-Authenticate Header is present: Negotiate
WWW-Authenticate Header is present: NTLM
But I don't know if this is correct ( a bit out my league). So any tips or ideas to look at would be appreciated.
Thanks
401.3 is Unauthorized due to ACL on resource. I would run Process Monitor, reproduce the issue, and search for Access Denied. Then fix the errors by providing appropriate permissions.
http://blogs.msdn.com/b/rahulso/archive/2006/01/18/using-filemon-regmon-to-solve-quot-access-denied-quot-issues.aspx
I know it is very old but make sure these users have access to the main folder of your website:
IUSER,
Network Services
IIS_IUSERS
read and execute is enough
I have using SSRS 2008r2 on Windows2003 server and added Domain Users group as a System Administrator via report manager. However, when I mimic an ordinary user in report manager web interface on my computer(member of the domain) I get;
User 'usera' does not have required permissions. Verify that sufficient permissions have been granted and Windows User Account Control (UAC) restrictions have been addressed.
if I try with user a on the server by using FQDN, it it shows same error above.
If I type localhost instead, it does work. while using localhost, it I navigate to a folder and while I am in a folder and change the localhost to FQDN, it still works.
There are lots of solutions on the web, like the one on http://skamie.wordpress.com/2010/06/24/ssrs-and-uac/, but it did not work..
Does anyone have any idea?
Many Thanks
Regards
Have you tried right-clicking on IE and select Run as Administrator?
I have to do that from time to time on my development machine so it is sort of first solution that came to mind. Hope it helps.
Additional answer:
So the Domain Users group has System Admin role. You can try adding that group as Browser role or Content Manager role at the root folder.