Answered Permissions stripped on site with Alternate Access Mapping

  • Friday, May 11, 2012 4:15 PM
     
     

    Hi,

    I have a site (Default) with an extended site (extranet). Extranet is set up with FBA while the default site is using NTLM.

    I am a farm admin and site collection admin on both zones. Everything was working great until I set up AAM on each. I also added an SSL cert to the extranet site.

    http://sub.site.com
    https://sub.site.com  

    Now, when I go into the default zone, I only have read permissions. I even went in and added myself as Full Control in the User policy. So now I'm farm admin, site collection admin, and a full control user. For some reason, on the main site, I can only read. I don't even see the recycle bin and I only have "Sync to SharePoint Workspace and View All Site Content" under Site Actions. If I go to a subsite, it looks like I have "design" permissions. I can create lists and libraries but no permissions editing.

    If I log in to the extranet site (https) as an FBA user (one that I added as site collection admin), I can do everything. Anybody have any idea what might be causing these issues?

    edit: I just logged in to the default app with the original url (without AAM) and it gave me all of my permissions except when I go to add someone, the people picker gives me an error "An error has occurred in the claim providers configured from this site collection." I did not get this error before I set the AAM. I also have not modified the web.config for the default zone since that one isn't using FBA.

    From ULS: 05/11/2012 12:17:25.43  w3wp.exe (0x1DC4)                        0x2344 SharePoint Foundation          Claims Authentication          8307 Critical An exception occurred in AllUsers claim provider when calling SPClaimProvider.FillHierarchy(): Object reference not set to an instance of an object.. 9987ec9a-51f6-46c2-bf78-c4b6091b8118

    edit again: Well, the error above with the people picker was because I was accessing it from a different URL - not the one set in AAM. I'm still baffled on what happened to my permissions on the default zone though...

    • Edited by spJC Friday, May 11, 2012 4:41 PM

All Replies

  • Friday, May 11, 2012 9:22 PM
     
     

    Update: I've been trying different things for the past 4 hours and I noticed that when (logged in to the extranet site) I changed the visitor's group permissions to "Full Control", it then gave me full control on the main site (logged in as AD user). The visitor's group contains "All Authenticated Users".

    So, for some reason, this app is not paying attention to any other groups (or farm admin or site collection admin) except the visitors group. AND it's only on the initial site, all subsites seem to work correctly.

    Does anyone have any ideas?


    • Edited by spJC Friday, May 11, 2012 9:23 PM
  • Monday, May 14, 2012 4:20 PM
     
     Answered

    After much research, I read on one site that host headers and AAM don't work well together. I ended up deleting the app(s) but keeping the content databases and sites. I went back in and created a new default app, set the host header to the one I wanted to use (the one I had as an AAM), used the existing site and database, and did the same for the extranet app. Everything seems to be working great now.

    I tried adding the old host header back as an AAM to see if that worked but it didn't. I started having the same problem again.

    I also noticed that if I created a new extended app (Intranet) and set the AAM url as the host header for that app, it also fixed the issue.

    • Marked As Answer by spJC Monday, May 14, 2012 4:29 PM
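
A check for the condition the accepted answer describes, an AAM incoming URL whose host name is not the host header bound on that zone's IIS site. This is an added example, not code from the thread; the function name `Test-AamBinding`, the row shape, and the host `original-host.example` are assumptions, and the rows are constructed to resemble the setup in the question.

```powershell
# Constructed sample rows. On a farm, the AAM rows come from Get-SPAlternateURL
# and the binding rows from the IIS site behind each zone.
$aam = @(
    New-Object PSObject -Property @{ Zone = 'Default';  IncomingUrl = 'http://sub.site.com' }
    New-Object PSObject -Property @{ Zone = 'Extranet'; IncomingUrl = 'https://sub.site.com' }
)
$bindings = @(
    # 'original-host.example' is a placeholder: the thread never states the original host header.
    New-Object PSObject -Property @{ Zone = 'Default';  HostHeader = 'original-host.example'; Port = 80 }
    New-Object PSObject -Property @{ Zone = 'Extranet'; HostHeader = 'sub.site.com'; Port = 443 }
)

function Test-AamBinding {
    param([object[]]$AlternateUrl, [object[]]$Binding)
    foreach ($a in $AlternateUrl) {
        # [Uri] fills in the default port (80 or 443) when the URL omits it.
        $uri = [Uri]$a.IncomingUrl
        # A binding matches when zone and port agree and the host header is
        # either the AAM host name or empty (a catch-all binding on that port).
        $hit = @($Binding | Where-Object {
            $_.Zone -eq $a.Zone -and $_.Port -eq $uri.Port -and
            ($_.HostHeader -eq $uri.Host -or [string]::IsNullOrEmpty($_.HostHeader))
        })
        New-Object PSObject -Property @{
            Zone           = $a.Zone
            IncomingUrl    = $a.IncomingUrl
            BindingMatches = ($hit.Count -gt 0)
        }
    }
}

# Rows with BindingMatches = False are the zones to review first.
Test-AamBinding -AlternateUrl $aam -Binding $bindings |
    Select-Object Zone, IncomingUrl, BindingMatches |
    Format-Table -AutoSize
```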