Add New Group - Access Denied error - sharepoint

We have a really strange problem.
My userid is a farm administrator and is a site collection admin on the site in question.
If I add a new group (to manage permissions), once I click the OK button on the create group page I get thrown to the Error: Access Denied page.
Here's the strange part, the group gets created.
If I try to add a user to that group, I get the access denied page but the user is not put in the group.
If I try to delete the group I get an error page that says Cannot complete this action. Please try again.
It appears to be only happening on this one site (and its sub-sites).
There is nothing in any of the SharePoint logs or the event logs.
It has got to be a permission problem but I don't know what.
EDIT ------------------------------------ EDIT
After some more research I found this BLOG post. It states that a .NET 2.0
hotfix is the culprit of the problem and states that removing it will fix the problem.
I can't remove the hotfix because it is not installed.
Are we doomed to be stuck with this problem?
END EDIT

Sounds like maybe one of the system pages in _layouts has wacky permissions on it. Look in the IIS logs (not SharePoint logs) for a 401, 403 or 407 (or really, any HTTP code above 400) error for your user around the time you try to add/delete a group. This might point to the page that is having the problem, which will give you something to go on.
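An added example of the IIS-log check this answer describes (not code from the original answer): it parses the W3C extended log format that IIS writes, using the `#Fields:` header to name the columns, and lists the requests from one user that came back with a status of 400 or higher inside a time window. The log lines in `$sampleLog` are constructed for illustration; the function names and the default log locations mentioned in the comments are the example's own assumptions.

```powershell
# Added example, not part of the original answer: list the 4xx/5xx requests one user
# made in an IIS W3C extended log, to find the _layouts page that rejects the group
# operation. $sampleLog is constructed; for a real server replace it with
# Get-Content over the log file (typical defaults: IIS 6
# %SystemRoot%\System32\LogFiles\W3SVCn\exYYMMDD.log, IIS 7+
# %SystemDrive%\inetpub\logs\LogFiles\W3SVCn\u_exYYMMDD.log).

function ConvertFrom-IisW3cLog {
    # Turn W3C log lines into objects whose properties are named by the '#Fields:' header.
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = $line.Substring(8).Trim() -split '\s+'   # '#Fields:' is 8 characters
            continue
        }
        # Skip other directives, blank lines, and data seen before any header.
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split ' '
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $row[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { '-' }
        }
        [pscustomobject]$row
    }
}

function Find-IisAccessErrors {
    # Requests by $User with sc-status >= 400 whose timestamp lies in [$From, $To].
    # W3C log timestamps are UTC, so pass the window in UTC as well.
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines,
        [Parameter(Mandatory)][string]$User,
        [datetime]$From = [datetime]::MinValue,
        [datetime]$To   = [datetime]::MaxValue
    )
    ConvertFrom-IisW3cLog -Lines $Lines | Where-Object {
        $status = $_.'sc-status' -as [int]
        $when   = [datetime]::ParseExact("$($_.date) $($_.time)", 'yyyy-MM-dd HH:mm:ss',
                                         [cultureinfo]::InvariantCulture)
        $status -ge 400 -and $_.'cs-username' -ieq $User -and $when -ge $From -and $when -le $To
    } | Select-Object date, time, 'cs-method', 'cs-uri-stem', 'cs-uri-query',
                      'sc-status', 'sc-substatus', 'sc-win32-status'
}

# Constructed sample log: one successful page load, one 403 on aclinv.aspx for our
# user, and a 401 for a different user that the filter must leave out.
$sampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-09-09 13:00:00
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-09-09 13:48:10 W3SVC1 10.0.0.5 GET /_layouts/newgrp.aspx - 80 domain\user 10.0.0.9 Mozilla/4.0+(compatible) 200 0 0
2009-09-09 13:48:19 W3SVC1 10.0.0.5 GET /_layouts/aclinv.aspx GroupId=9 80 domain\user 10.0.0.9 Mozilla/4.0+(compatible) 403 0 0
2009-09-09 13:48:25 W3SVC1 10.0.0.5 GET /_layouts/people.aspx MembershipGroupId=9 80 domain\other 10.0.0.7 Mozilla/4.0+(compatible) 401 2 5
'@ -split "`r?`n"

Find-IisAccessErrors -Lines $sampleLog -User 'domain\user' `
    -From '2009-09-09 13:45:00' -To '2009-09-09 13:50:00' | Format-Table -AutoSize
```

Run against the sample, the output is the single 403 on `/_layouts/aclinv.aspx`; the `sc-substatus` and `sc-win32-status` columns are kept because a 401.2 or a 403 with a non-zero Win32 code narrows the cause (authentication handshake versus an NTFS access check) before you touch any permissions.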

If you host your SharePoint web applications somewhere other than the default location that IIS/SP uses, check to ensure that the Users group has Read on the Bin directory of the affected application. For some reason when this particular app was created it failed to add the Users group to the Bin directory with Read as it normally would under normal circumstances. This is easily testable and fails and succeeds with consistency. The only thing I've noted that it affected was the issue regarding adding new users to a site through the SharePoint site GUI.
This is the error received when digging through my SP logs:
Application error when access /_layouts/aclinv.aspx, Error=Access to the path 'D:\ProdSites\SP-ProdSites*****\bin' is denied. at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath) at System.IO.Directory.InternalGetFileDirectoryNames(String path, String userPathOriginal, String searchPattern, Boolean includeFiles, Boolean includeDirs, SearchOption searchOption) at System.IO.DirectoryInfo.GetFiles(String searchPattern, SearchOption searchOption) at System.IO.DirectoryInfo.GetFiles(String searchPattern) at System.Web.Configuration.CompilationSection.LoadAllAssembliesFromAppDomainBinDirectory() at System.Web.Configuration.CompilationSection.LoadAssembly(AssemblyInfo ai) at System.Web.Configuration.AssemblyInfo.get_AssemblyInternal() at...
This is the error I was showing in the IIS logs:
2009-09-09 13:48:19 W3SVC1237373898 IP GET /OOD/_layouts/aclinv.aspx GroupId=9&Source=http%INFO2Fpeople%2Easpx%3FMembershipGroupId%3D9 80 domain\user IP Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+Trident/4.0;+.NET+CLR+2.0.50727;+.NET+CLR+1.1.4322;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+OfficeLiveConnector.1.4;+OfficeLivePatch.1.3;+86e) 403 0 0
Maybe people have already checked this but it took me a bit. I looked for patch KB928365 and it wasn't present (lots of other posts are recommending the removal of this patch to fix this issue).
Also, the behavior was different in QA and Production as the acct I was using to add new users to the site in QA had elevated privilege due to its inclusion in the WSS_admin_wpg group (possibly due to the fact that it's a farm admin in QA?).
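An added example of the Bin-directory check this answer recommends (not code from the original answer): it reads the directory's ACL, combines the Allow entries for the Users group, and reports whether they cover the composite Read right that the `DirectoryInfo.GetFiles` call in the stack trace above needs, treating any Deny entry on those bits as a failure. The web application root in the usage line is the stock WSS virtual-directory location and is only a placeholder; the function names are the example's own.

```powershell
# Added example, not part of the original answer: verify (and if needed restore) the
# Users group's Read access on a web application's bin directory. Placeholder path
# below; pass the affected web application's home directory from IIS instead.

function Test-BinReadAccess {
    param(
        [Parameter(Mandatory)][string]$WebAppRoot,
        [string]$Identity = 'BUILTIN\Users'
    )
    $bin = Join-Path $WebAppRoot 'bin'
    if (-not (Test-Path -LiteralPath $bin -PathType Container)) {
        return [pscustomobject]@{ Path = $bin; Exists = $false; HasRead = $false
                                  Denied = $false; Rules = 'bin directory not found' }
    }
    # 'Read' = ReadData (list directory) | ReadAttributes | ReadExtendedAttributes | ReadPermissions
    $needed = [System.Security.AccessControl.FileSystemRights]::Read
    $rules  = @((Get-Acl -LiteralPath $bin).Access |
                Where-Object { $_.IdentityReference.Value -ieq $Identity })

    # Union of everything the identity is explicitly or by inheritance allowed.
    $granted = [System.Security.AccessControl.FileSystemRights]0
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -eq 'Allow') { $granted = $granted -bor $rule.FileSystemRights }
    }
    # A Deny ACE on any needed bit overrides the Allow entries, so it is reported separately.
    $denied = @($rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and (($_.FileSystemRights -band $needed) -ne 0)
    }).Count -gt 0

    [pscustomobject]@{
        Path    = $bin
        Exists  = $true
        HasRead = ((($granted -band $needed) -eq $needed) -and -not $denied)
        Denied  = $denied
        Rules   = ($rules | ForEach-Object { "$($_.AccessControlType) $($_.FileSystemRights)" }) -join '; '
    }
}

function Grant-BinReadAccess {
    # Adds the inheritable Read ACE for Users that, per the answer, SharePoint normally creates.
    param([Parameter(Mandatory)][string]$WebAppRoot, [string]$Identity = 'BUILTIN\Users')
    $bin = Join-Path $WebAppRoot 'bin'
    $acl = Get-Acl -LiteralPath $bin
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($ace)
    Set-Acl -LiteralPath $bin -AclObject $acl
}

# Usage (placeholder path; replace with the affected web application's root):
$root   = 'C:\Inetpub\wwwroot\wss\VirtualDirectories\80'
$result = Test-BinReadAccess -WebAppRoot $root
$result | Format-List
if ($result.Exists -and -not $result.HasRead) { Grant-BinReadAccess -WebAppRoot $root }
```

Run it on the QA and production hosts side by side: the `Rules` field makes the difference the answer describes (a missing Users entry on one environment only) visible without opening the Security tab on each server, and the Deny check catches the less obvious case where the group is listed but blocked.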

Related

Email Attachments to SharePoint Document Library - Error

I have this weird problem when I try to use a simple default flow template to save email attachments to the company main SharePoint site: company.sharepoint.com (not subsite).
So I get started, by taking all the defaults of this flow, however, once I get to the point of providing the site address and document library path I get the error highlighted in red.
Where I get confused is that when I create a subsite like company.sharepoint.com/sites/testsite I enter the subsite address and the folder path automatically populates the folder structure for me to pick where I want to save such attachment.
I have given full owner permission to this test account with same results. So permission is not the problem.
My question is, could it be I'm using the wrong flow to save to a main SharePoint site? Or is this something not allowed?
You could check the connector and recreate a new connection to SharePoint.
In many cases, an error code of 403 appears in a flow fail because of an authentication error. If you have this type of error, you can usually fix an authentication error by updating the connection, so please make sure you have updated the connection.
You could refer to this article.
Just in case anyone has a similar problem, the account to which you are creating a power automate flow must be a site collector to the root SharePoint site.

How to find which security permission is preventing a user from doing something

Dynamics CRM 2011 on premise.
I have a plugin that adds some buttons to the ribbon on the case/incident form.
Different users have different security permissions.
The buttons are enabled for all users.
When some users press the buttons they perform the expected operations.
When other users press the buttons they do not seem to do anything.
Other than permissions, I think everything else is the same for the users.
How can I find which permission(s) are causing the problem?
(Also, shouldn't CRM say something if permissions are blocking a user from doing something? We don't get an error.)
The Xrm Tool Box has an access checker that would help in this situation.
The way security works in CRM when querying data is that you do get an exception if the user attempts to perform a select on an entity that they have no read rights at all for. But, if the user has rights to view only records that they own, they'll get an empty result set if they attempt to query records they don't own. I'm guessing that's what's going on here, is that they're attempting to query data that they have read rights for, but not at the Organization level, or whatever the exact level that they need.
From Suumit Bhatanagar at https://community.dynamics.com/crm/f/117/p/113149/228873.aspx
You may collect verbose level traces, which would direct you in the right direction. Simply reproduce the issue by clicking on the button and then stop the traces.
For traces, you may look into: http://support.microsoft.com/kb/907490
From DavidJennaway at http://social.microsoft.com/Forums/en-US/55c22571-0187-4a64-9cc1-94954fa8bdf7/how-to-find-which-security-permission-is-preventing-a-user-from-doing-something
Enable tracing and the trace log will indicate the privilegeid and systemuserid - you can then lookup the privilegeid in the privilege entity.
Be aware that the trace log will record all instances where a user doesn't have permission - this includes the scenario where CRM checks if a user has any permission on an entity to decide if the entity should be shown in the UI.
From Roshan Mehta at http://social.microsoft.com/Forums/en-US/55c22571-0187-4a64-9cc1-94954fa8bdf7/how-to-find-which-security-permission-is-preventing-a-user-from-doing-something
Check the Event Viewer. This usually gives sufficient information about missing privileges when a plugin fails to run under user context.
Alternatively, you can run the plugin under SYSTEM context in which case this error will not occur. To do this, pass a null value into the CreateOrganizationService method when instantiating service objects in your plugin.
From Imran I Abbasi at http://social.microsoft.com/Forums/en-US/55c22571-0187-4a64-9cc1-94954fa8bdf7/how-to-find-which-security-permission-is-preventing-a-user-from-doing-something
David is right, there isn't any easier way to get to the root of your issue. Enable tracing and then use privilegeId (a GUID) from tracing file against Privilege entity in database to get details of missing privilege. To simplify your quest, you can use TraceLogViewer to filter your log file and get only the errors. Here is the link: Trace Log Viewer
And here are the steps to enable tracing in CRM 2011:
1- Start -> Run -> regedit.exe
2- HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > MSCRM
3- Add new keys TraceEnabled and TraceRefresh, each DWORD, value = 1
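An added example (not code from the original answer or from Microsoft) that applies the registry steps above from an elevated PowerShell session on the CRM 2011 server, turns tracing off again after the failing click has been reproduced, and pulls the privilege GUIDs out of the resulting trace files so they can be looked up in the Privilege entity as the answer describes. `TraceCategories` and `TraceDirectory` are optional settings documented in the KB article linked above; the function names, the `*:Verbose` category string and the match pattern used to find `privilegeid` in the trace are this example's assumptions, not verified trace output.

```powershell
# Added example, not from the original answer: HKLM\SOFTWARE\Microsoft\MSCRM,
# TraceEnabled and TraceRefresh as DWORD = 1, per the steps above. Run elevated on
# the CRM server. Verbose traces grow quickly, so disable them once you have the
# reproduction captured.

$MscrmKey = 'HKLM:\SOFTWARE\Microsoft\MSCRM'

function Enable-CrmTracing {
    param(
        [string]$Categories = '*:Verbose',   # verbose level, as the answer suggests
        [string]$Directory                   # optional; omit to keep the server's default trace folder
    )
    if (-not (Test-Path $MscrmKey)) { throw "$MscrmKey not found; run this on the CRM server." }
    New-ItemProperty -Path $MscrmKey -Name TraceEnabled    -PropertyType DWord  -Value 1 -Force | Out-Null
    New-ItemProperty -Path $MscrmKey -Name TraceCategories -PropertyType String -Value $Categories -Force | Out-Null
    if ($Directory) {
        New-Item -ItemType Directory -Path $Directory -Force | Out-Null
        New-ItemProperty -Path $MscrmKey -Name TraceDirectory -PropertyType String -Value $Directory -Force | Out-Null
    }
    # CRM re-reads its trace settings when TraceRefresh changes; the steps set it to 1.
    New-ItemProperty -Path $MscrmKey -Name TraceRefresh -PropertyType DWord -Value 1 -Force | Out-Null
}

function Disable-CrmTracing {
    New-ItemProperty -Path $MscrmKey -Name TraceEnabled -PropertyType DWord -Value 0 -Force | Out-Null
    # Flip TraceRefresh so the change to TraceEnabled is picked up without a service restart.
    $current = (Get-ItemProperty -Path $MscrmKey -Name TraceRefresh -ErrorAction SilentlyContinue).TraceRefresh
    $next = if ($current -eq 1) { 0 } else { 1 }
    New-ItemProperty -Path $MscrmKey -Name TraceRefresh -PropertyType DWord -Value $next -Force | Out-Null
}

function Get-CrmTracing {
    Get-ItemProperty -Path $MscrmKey |
        Select-Object TraceEnabled, TraceRefresh, TraceCategories, TraceDirectory
}

function Find-CrmPrivilegeDenials {
    # Distinct privilege GUIDs that the trace mentions next to 'privilegeid'; each one is
    # then looked up in the Privilege entity. Pattern is assumed from the answer's wording.
    param([Parameter(Mandatory)][string]$TracePath)
    $guid = '\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?'
    Get-ChildItem -Path $TracePath -Filter '*.log' -Recurse |
        Select-String -Pattern "(?i)privilegeid\W{0,3}($guid)" |
        ForEach-Object {
            [pscustomobject]@{
                PrivilegeId = $_.Matches[0].Groups[1].Value.Trim('{', '}')
                File        = $_.Filename
                Line        = $_.LineNumber
                Text        = $_.Line.Trim()
            }
        } | Sort-Object PrivilegeId -Unique
}

# Usage (placeholder trace folder):
# Enable-CrmTracing -Directory 'C:\CrmTrace'
# ... reproduce the button click as the affected user ...
# Disable-CrmTracing
# Find-CrmPrivilegeDenials -TracePath 'C:\CrmTrace' | Format-Table -AutoSize
```

Keep `Get-CrmTracing` handy before and after: if `TraceEnabled` still reads 1 on a production box after the investigation, the server is writing verbose traces for every request, which is both a disk and a data-exposure problem since the traces record user and record identifiers.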

SharePoint Alternate Access Mapping error when indirectly using web services

SharePoint web site = http://myexample:3500
SharePoint tester (admin on domain, admin on SharePoint site collection) = IAmKyle
Alternate Access Mapping: I left it at the default which is http://myexample:3500 maps to itself, and the zone is "default".
My code was deployed as a farm solution and my .dll is in the GAC. I activated a feature on my site collection (url is above). What the code does is, when the user updates a SharePoint item, my code executes a LINQ query finding "related" items. Then the related items are updated. Here are the errors I get:
On Windows Event Logs:
Error loading and running event receiver [my receiver assembly]. Object reference not set to instance of an object.
On SharePoint ULS event logs:
Same error as I see in Windows Event logs. Also, I was getting errors about "alternate access mapping" not being configured for http://myexample:3500 but I'm not getting them anymore. Don't know why, I haven't changed anything.
On IIS logs
Getting some 401 responses for pages that I should be able to access. But, it only shows the tail end of the page in some cases e.g. "/mysite/mypage" so I'm unsure what the full URL is.
These errors are very confusing, my code 100% works on my test system. What network or sharepoint configurations should I be looking for? I'm assuming my code itself works fine considering that it does work on my test environment. Of course, I have more permissions on test since my username on test is the user who created the farm.
Thanks.
Do you get these errors when trying to activate the feature or when actually making a change to a list item?
Also, have you tried attaching the VS debugger to the process and having a look at what is going on?

Site members/visitors get access denied error page because of webpart

I've developed a custom webpart. I can add it to a page and site owners can view the page with no problems.
However Site visitors/users get redirected to access denied error page. Sure, I must be doing some stuff normal users are not allowed to.
But the thing that bugs me is that when I place a breakpoint in the webpart constructor or even a variable declaration it won't get hit (if I try to view the page with limited privileges). But in my browser, I get the access denied page. However, if I close that webpart, I instantly have access to that page and everything is OK.
What's the catch here? I was hoping I could catch exception with debugger to see which statement is guilty one, but it seems webpart doesn't execute any code and I get that exception.
Edit: Sorry, turns out debugger now hits those breakpoints. Don't know what changed, because symbols were loaded.
What is the trust level at your SharePoint site? You might want to give Full Trust temporarily to see if you have any access problems.
If yes, then you might have a Code Access Security (CAS) problem on your hands. My first instinct is that your assembly does not have the necessary privileges to run correctly for normal users.
You can configure it using a custom CAS entry in the manifest.xml for the webpart, e.g. if you are calling external resources then you might have to configure System.Net.WebPermission and define which URL you are allowed to access. You can find more info on this at the U2U site.
Also what does your webpart do? If you are trying to access resources which normal users don't have access to (e.g. a list in some site) then you have to use the SPSecurity.RunWithElevatedPrivileges method, so that you have the necessary privileges (be careful to create a new Site instance within that method so that the Context populates correctly).
Found the solution.
Turns out that I wanted to determine if a user belongs to a specific group by trying to access that group's users. As this was impossible if a user doesn't have such permissions, it was throwing some kind of internal exception with the message "Unable to evaluate expression because the code is optimized or a native frame is on top of the call stack."
Anyway, I now learned to loop through SPUser.Groups (SPGroupCollection) and check if we have a matching group rather than enumerating group principals and seeing if he's inside.
You need to give permission(update personal webpart) to the visitor group. However, it is not recommended. If you want you can create a separate permission level and associate it with the visitors group.
Cheers!!

SharePoint 403 error for users not exist in "All People"

It is complex, I'll try to describe it here.
If the user and his group have no access rights to anything on the SP site, the user will get a proper "Error:Access Denied" SharePoint page upon logon.
If the user has some access to something through his group membership, then
a. If the user is listed in the All People list, then the user can logon and use the site with no problem.
b. If the user is not listed in the All People list, then the user will get a IIS 403 Error page. Back on the server, there will be an event of "A process serving application pool '[IIS app pool name]' suffered a fatal communication error with the World Wide Web Publishing Service", which indicates a crash in the IIS app pool. If the user is keen and keeps trying, he can crash the app pool frequently and eventually cause the app pool to stop and the application is down!!!
We are using forms authentication and the ASP.NET membership provider and role provider. It appears that when 2b is happening, SP is repeatedly (should be only once) calling the membership provider GetUser method (until the fatal communication error is coming up I guess). I believe it is for the initial user profile import. When 2a is happening, the GetUser method is not called.
We can manually do things like adding the user to the Visitors group and then taking the user out of the Visitors group, which will add the user to the All People list so he will be able to log on. During the manual process, the membership provider GetUser is also called but just once and works fine.
This problem only just started occurring recently and only in one environment (the PRODUCTION!). It was all fine and the other environments UAT and training environment both don't have this issue. We've compared the environments and checked all the obvious and couldn't find any differences that could cause this. The production has got around 110 users, which is more than the other environments but still not a lot.
Anyone out there can help?
Based on the comment below it looks like the error is occurring in the custom implementation of GetUser, after the call to the web service. It is also only occurring in the environment that has the most data.
The next thing to check therefore is the code between the call to the web service and the return of GetUser. Do you have any arrays where the max length is set? Do you make any assumptions about which data is contained in a specific item in an array? How do you check/log that the web service is returning a valid result?
Hope this helps
Shiraz
Cause of the problem found. The advanced setting on All People list has got Item Level Edit permission set to none.
