23 December, 2009

Authenticated Users get Access Denied when Browsing to Site - 403 Forbidden

When NT AUTHORITY\Authenticated Users was added to a Windows SharePoint Services 3.0 site, every user except those granted permissions on the site directly and Site Collection Admins would receive a 403 Forbidden error when they tried to browse to the Default.aspx page.

ULS Logs would show:
============================================================
Access Denied for /default.aspx.
StackTrace: Microsoft.SharePoint.Utilities.SPUtility:Void
HandleAccessDenied(System.Exception), Microsoft.SharePoint.SPGlobal:Void
HandleUnauthorizedAccessException(System.UnauthorizedAccessException),
Microsoft.SharePoint.SPWeb:System.String GetWebPartPageContent(System.Uri,
Microsoft.SharePoint.WebPartPages.PageView, System.Web.HttpContext, Boolean,
Boolean, Boolean, Boolean, Boolean ByRef, Byte ByRef, System.String ByRef,
System.Guid ByRef, Int64 ByRef, System.Guid ByRef, UInt32 ByRef, System.String
ByRef, Byte ByRef, System.Object ByRef, UInt32 ByRef, System.Object ByRef,
Microsoft.SharePoint.SPWebPartCollectionInitialState ByRef, System.Object ByRef,
System.String ByRef, Boolean ByRef, System.Guid ByRef),
Microsoft.SharePoint.ApplicationRuntime.SPRequestModuleData:System.String
FetchWebPartPageInformationForInit(System.Web.HttpContext,
Microsoft.SharePoint.SPWeb, Boolean, System.String, Boolean, Boolean ByRef, Byte
ByRef, System.Guid ByRef, UInt32 ByRef, System.String ByRef,
Microsoft.SharePoint.SPFileLevel ByRef, System.String ByRef, System.String ByRef,
System.String ByRef, System.String ByRef, System.Guid ByRef, System.Object ByRef,
Microsoft.SharePoint.SPWebPartCollectionInitialState ByRef, System.String ByRef,
System.String ByRef, System.Object ByRef, Boolean ByRef, System.Guid ByRef, Int64
ByRef), Microsoft.SharePoint.ApplicationRuntime.SPRequestModuleData:Void
GetFileForRequest(System.Web.HttpContext, Microsoft.SharePoint.SPWeb, Boolean,
System.String), Microsoft.SharePoint.ApplicationRuntime.SPRequestModule:Void
InitContextWeb(System.Web.HttpContext, Microsoft.SharePoint.SPWeb),
Microsoft.SharePoint.WebControls.SPControl:Microsoft.SharePoint.SPWeb
SPWebEnsureSPControl(System.Web.HttpContext),
Microsoft.SharePoint.WebControls.SPControl:Microsoft.SharePoint.SPWeb
GetContextWeb(System.Web.HttpContext),
Microsoft.SharePoint.ApplicationRuntime.SPRequestModule:Void
PostResolveRequestCacheHandler(System.Object, System.EventArgs),
System.Web.HttpApplication+SyncEventExecutionStep:Void
System.Web.HttpApplication.IExecutionStep.Execute(),
System.Web.HttpApplication:System.Exception ExecuteStep(IExecutionStep, Boolean
ByRef), System.Web.HttpApplication+ApplicationStepManager:Void
ResumeSteps(System.Exception), System.Web.HttpApplication:System.IAsyncResult
System.Web.IHttpAsyncHandler.BeginProcessRequest(System.Web.HttpContext,
System.AsyncCallback, System.Object), System.Web.HttpRuntime:Void
ProcessRequestInternal(System.Web.HttpWorkerRequest), System.Web.HttpRuntime:Void
ProcessRequestNoDemand(System.Web.HttpWorkerRequest),
System.Web.Hosting.ISAPIRuntime:Int32 ProcessRequest(IntPtr, Int32),
==================================================================

After detailed analysis and debugging of the w3wp process, we found two columns with non-standard settings in the content database. In the AllLists table, the columns tp_readsecurity and tp_writesecurity for the “User Information List” were set to 2 and 4 respectively. The default value for both columns is 1.

tp_readsecurity

1 = read all items
2 = read only my items
4 = read none

tp_writesecurity

1 = write all items
2 = write only my items
4 = write none

The value 2 for tp_readsecurity only allows a user to read their own items, so the read fails because the request is trying to read items in the “User Information List” that are not the user's own. The value 4 for tp_writesecurity does not allow writes to this list, so users cannot be added to it. Because the users have not been, or cannot be, added to the list, an exception is thrown, and this is the reason for the 403 Forbidden.

RESOLUTION/WORKAROUND:
===========================
1. Open the site you are having trouble with, making sure you open it
with site collection admin/owner rights.
2. Browse to the URL:
http://portal/sites/site/_layouts/advsetng.aspx?list={GUID}
3. This List ID will vary.
4. You can also get to this list by browsing to the root of your site: Site
Actions > Site Settings > Advanced Permissions > click the All People link
in the Quick Launch > then select List Settings, then Advanced Settings.
5. This method will also get you to the above URL and is probably easier than
having to poke through the DB to find the GUID of that list.
6. Change the Read Access value to “All Items”.
7. Change the Edit Access value to “All Items”.
8. This will modify those values in the database back to 1 and 1.
9. Authenticated Users should now be able to access the site.
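
The two settings can also be read through the SharePoint object model rather than the content database. The script below is an added example, not part of the original post: it assumes PowerShell 2.0 or later on the WSS 3.0 server, an account with site collection admin rights, and the post's placeholder URL; the -Fix switch is a hypothetical name.

```powershell
# Added example (not from the original post): audit the User Information List's
# item-level security. Run on the WSS 3.0 server as a site collection admin.
param(
    [string]$SiteUrl = 'http://portal/sites/site',  # placeholder URL used in the post
    [switch]$Fix                                    # hypothetical switch: reset both values to 1
)

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint')

# Value meanings as listed in the post
$readMeaning  = @{ 1 = 'read all items';  2 = 'read only my items';  4 = 'read none' }
$writeMeaning = @{ 1 = 'write all items'; 2 = 'write only my items'; 4 = 'write none' }

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
try {
    # The site collection's "User Information List" (the All People list)
    $list = $site.RootWeb.SiteUserInfoList

    $report = New-Object PSObject -Property @{
        List          = $list.Title
        ListId        = $list.ID      # the GUID for advsetng.aspx?list={GUID}
        ReadSecurity  = $list.ReadSecurity
        ReadMeaning   = $readMeaning[[int]$list.ReadSecurity]
        WriteSecurity = $list.WriteSecurity
        WriteMeaning  = $writeMeaning[[int]$list.WriteSecurity]
        IsDefault     = ($list.ReadSecurity -eq 1 -and $list.WriteSecurity -eq 1)
    }
    $report | Format-List

    if (-not $report.IsDefault) {
        Write-Warning "Non-default item-level security on '$($list.Title)'; expect 403s for users not yet in the list."
        if ($Fix) {
            # Same change as setting Read Access and Edit Access to "All Items"
            $list.ReadSecurity  = 1
            $list.WriteSecurity = 1
            $list.Update()
            Write-Host 'Reset Read/Write security to 1 (All Items).'
        }
    }
}
finally {
    $site.Dispose()   # also releases RootWeb
}
```

Run it without -Fix first to record the current values before changing anything.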

I hope the above information helps you to resolve this issue! Thanks!

22 December, 2009

Access Denied when attempting to create a new page

When attempting to create a page by clicking Site Actions > Create Page, the user immediately receives an Access Denied. This occurs even if the user is a member of the Site Owners group with Full Control.

ERROR MESSAGE: Access Denied

CAUSE:
===========
The Access Denied was a result of the user not being a member of the Style Resource Readers group. According to TechNet, this group allows a user to read the Master Page Gallery and gives Restricted Read on the Style Library. By default, this group contains only the NT AUTHORITY\Authenticated Users group. This allows all users who have authenticated to the site to read the Master Page Gallery and Style Library.

RESOLUTION:
====================
1) Open the site you are having issues with
2) Click Site Actions > Site Settings
3) In the Users and Permissions section, click People and Groups
4) Click Groups
5) Click Style Resource Readers
6) Click New > Add User
7) In the Add Users section, click the Add all authenticated users link
8) Click OK

I hope the above information helps you to resolve this issue! Thanks!