Access Denied Suddenly Happening

  • Question

  • Hi,

    We have suddenly started getting an access denied message on all workspaces in our WSS 3.0 SP3 installation. Things were working fine last week and up until we had a general power failure for the building over the weekend. Ever since the server has come back up users are unable to add anything to their workspace.

    As an example we are trying to add an event into a Calendar and when you click on the time you get an access denied message. You are asked to log on as another user or request permission. No permissions have changed and I have tried with accounts that are in the Team Site Owners group. I am not seeing anything in the event logs for the times we try.

    I have taken over managing this software without a great deal of experience in it so am struggling to see what is happening.

    Thanks
    Peter Haase

    Wednesday, January 23, 2013 4:14 PM

All replies

  • Are users having issues accessing other resources on the network since the power failure? Did your SharePoint server(s) shutdown or simply power off?

    Are you seeing events in the Application event log?


    Jason Warren
    Infrastructure Architect

    Wednesday, January 23, 2013 5:54 PM
  • No we aren't having issues with access to any other resources. The server would have simply powered off after the battery backup ran out. (It occurred overnight with no one in the premises)

    There have been a couple of 3760 errors and one 2424 error in the Application log today. We are also seeing a number of 1309 ASP.NET errors but the message points towards a separate product that is installed on the server.

    Peter

    Wednesday, January 23, 2013 6:50 PM
  • Hi,

    Thank you for your question. I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience. Thank you for your understanding and support.

    Thanks,

    Entan Ming

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tnmff@microsoft.com.


    Entan Ming
    TechNet Community Support

    Thursday, January 24, 2013 7:13 AM
    Moderator
  • Hi,

    We need to understand the issue a little better.  There will be two kinds, one generated from IIS and the other generated from SharePoint.

    The access denied generated by SharePoint will usually have a banner on the page and a link to return back to the previous page.  This would be an authorization issue where permissions have changed.

    If it is from IIS, then what could happen is users are prompted for user credentials.  Based on your description it seems like it is being caused by IIS when a POST is sent to the server.  I would check the authentication settings on IIS to make sure that they are correct. 

    If you are running IIS 7 a quick way to troubleshoot is to use FRET: http://www.iis.net/learn/troubleshoot/using-failed-request-tracing/troubleshooting-failed-requests-using-tracing-in-iis

    You will need to capture the 401 messages.

    Another gotcha is in IIS, if the host header settings do not match up with the Alternate Access Mapping settings in SharePoint, then you can be prompted for credentials as well.


    Regards, Savoeurn Va Microsoft Online Community Support

    Monday, January 28, 2013 1:12 AM
  • Hi

    It's a SharePoint access denied error. No permissions have been changed on the workspace in recent times. The access permissions I see are:

    Team Site Members - Contribute
    Team Site Owners - Full Control
    Team Site Visitors - Read

    Our domain users are part of the Team Site Members group and our Administrator user along with my personal user are part of the Team Site Owners group.

    Thanks
    Peter Haase

    Monday, January 28, 2013 8:38 PM
  • Does anyone have an update on what might be causing my issue?

    Thanks in advance
    Peter

    Thursday, January 31, 2013 9:34 PM
  • Hi Peter,

    Since you're reporting that it’s a SharePoint Access denied, let’s do this as a next step.

    Enable verbose logging on the SharePoint farm. http://technet.microsoft.com/en-us/library/cc288649(office.12).aspx

    Make note of the exact time and then have a user browse to the site.

    After the user experiences the access denied make note of the time.

    Return logging levels back to default.

    Locate the ULS logs that contain the start time and end time of the test.

    In these logs look for PermissionsMask messages.  There should be several entries and they will have some hex codes.  Once you locate those post them here.


    Regards, Savoeurn Va Microsoft Online Community Support

    Tuesday, February 5, 2013 2:47 AM
  • Hi Savoeurn,

    Here are the messages from the log file:

    02/05/2013 15:10:30.52  w3wp.exe (0x0EE0)                        0x134C Windows SharePoint Services    General                        8xfr Verbose  PermissionMask check failed. asking for 0x00000005, have 0x00000000 
    02/05/2013 15:10:30.52  w3wp.exe (0x0EE0)                        0x134C Windows SharePoint Services    General                        8xfr Verbose  PermissionMask check failed. asking for 0x00000015, have 0x00000000 
    02/05/2013 15:10:30.52  w3wp.exe (0x0EE0)                        0x134C Windows SharePoint Services    General                        8xfr Verbose  PermissionMask check failed. asking for 0x00000005, have 0x00000000 
    02/05/2013 15:10:30.52  w3wp.exe (0x0EE0)                        0x134C Windows SharePoint Services    General                        8xfr Verbose  PermissionMask check failed. asking for 0x00000015, have 0x00000000 
    02/05/2013 15:10:30.52  w3wp.exe (0x0EE0)                        0x134C Windows SharePoint Services    General                        8xfr Verbose  PermissionMask check failed. asking for 0x00000041, have 0x00000000 
    02/05/2013 15:10:30.55  w3wp.exe (0x0EE0)                        0x134C Windows SharePoint Services    General                        8xfr Verbose  PermissionMask check failed. asking for 0x00040000, have 0x00000000 
    02/05/2013 15:10:30.55  w3wp.exe (0x0EE0)                        0x134C Windows SharePoint Services    General                        8xfr Verbose  PermissionMask check failed. asking for 0x00000004, have 0x00000000 
    02/05/2013 15:10:30.55  w3wp.exe (0x0EE0)                        0x134C Windows SharePoint Services    General                        8xfr Verbose  PermissionMask check failed. asking for 0x20000000, have 0x00000000 
    02/05/2013 15:10:30.55  w3wp.exe (0x0EE0)                        0x134C Windows SharePoint Services    General                        8xfr Verbose  PermissionMask check failed. asking for 0x30000000, have 0x00000000 

    Peter

    Tuesday, February 5, 2013 8:15 PM
  • Hi Peter,

    This user that is attempting to hit the page does not seem to have any rights tied with their user account.  Also if this user is part of a group, then the group might be suspect as well.

    We can see this by this message: have 0x00000000.   This means this user does not have any rights. 

    Here is what I would suggest you try.  Go into Site Settings and Permission Levels.

    Select Add Permission level.  Give it some name and do the Select All box.  This will effectively be similar to site admin.

    Now add a user to this permission level and have this user browse to the site.

    If they are able to get into the site and work normally again, then something happened to the permission levels and you will need to reset it.  Try the same with a group.

    If that did not work, then something might be corrupted on the site.  If you have a backup of a known time of when it worked you can restore to that.  If that still does not work, then I’d suggest opening a support ticket to do a deeper look as to what is happening.


    Regards, Savoeurn Va Microsoft Online Community Support

    Wednesday, February 6, 2013 6:22 PM
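
Added example, not part of the original thread or any poster's code: a small Python parser for the "PermissionMask check failed" ULS lines posted above, listing which rights each check asked for and the account lacked. It assumes the hex masks follow the low-order bit layout of the SPBasePermissions enumeration; the sample lines are constructed from the posted entries with the middle columns trimmed.

```python
import re

# Low-order bits of Microsoft.SharePoint.SPBasePermissions. Assumption: the
# mask in the ULS line uses this enum's layout; unlisted bits print as hex.
SP_BASE_PERMISSIONS = {
    0x00000001: "ViewListItems", 0x00000002: "AddListItems",
    0x00000004: "EditListItems", 0x00000008: "DeleteListItems",
    0x00000010: "ApproveItems", 0x00000020: "OpenItems",
    0x00000040: "ViewVersions", 0x00020000: "ViewPages",
    0x00040000: "AddAndCustomizePages",
    0x10000000: "AddDelPrivateWebParts", 0x20000000: "UpdatePersonalWebParts",
}

MASK_RE = re.compile(
    r"PermissionMask check failed\. asking for (0x[0-9A-Fa-f]+), have (0x[0-9A-Fa-f]+)"
)

def decode_mask(mask):
    """Return the names of the bits set in mask, lowest bit first."""
    names, bit = [], 1
    while bit <= mask:
        if mask & bit:
            names.append(SP_BASE_PERMISSIONS.get(bit, "unknown(0x%08X)" % bit))
        bit <<= 1
    return names

def failed_checks(log_text):
    """Yield (asked, have, missing_names) for each failed check in the text."""
    for m in MASK_RE.finditer(log_text):
        asked, have = int(m.group(1), 16), int(m.group(2), 16)
        yield asked, have, decode_mask(asked & ~have)

def summarize(log_text):
    """Count failed checks and collect every right that was asked for but absent."""
    checks = list(failed_checks(log_text))
    return {
        "checks": len(checks),
        # True when the account held no rights at all in every failed check
        "all_have_zero": bool(checks) and all(h == 0 for _, h, _ in checks),
        "missing": sorted({n for _, _, names in checks for n in names}),
    }

# Constructed sample: three of the posted entries, middle columns trimmed.
SAMPLE = """\
02/05/2013 15:10:30.52 w3wp.exe (0x0EE0) 8xfr Verbose PermissionMask check failed. asking for 0x00000015, have 0x00000000
02/05/2013 15:10:30.55 w3wp.exe (0x0EE0) 8xfr Verbose PermissionMask check failed. asking for 0x00040000, have 0x00000000
02/05/2013 15:10:30.55 w3wp.exe (0x0EE0) 8xfr Verbose PermissionMask check failed. asking for 0x30000000, have 0x00000000
"""
if __name__ == "__main__":
    print(summarize(SAMPLE))
```
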
  • Hi Savoeurn,

    Neither of those things worked. I was able to add a permission level in central administration but not on the site. The option to add a permission level or any user to a security group is not available, even to our domain administrator accounts. I can see that the domain administrator and my personal account both have full control but neither works. It's like the site has lost its connection to Active Directory and can't authenticate any users.

    I tried a restore but I get access denied as well.

    Am I able to install WSS on a different server and then restore from the last backup I have from when the original server was working?

    I've just realised something else that I failed to mention earlier. When the server shut down due to the environment power failure WSS was in the middle of its weekly backup. Other backups have completed since then. Is there something in the backup process that locks the site for changes until the backup is complete? Could that have corrupted somehow?

    Regards
    Peter


    • Edited by Otago70 Wednesday, February 13, 2013 7:13 PM
    Wednesday, February 13, 2013 6:49 PM
  • Hi,

    This doesn’t make sense, you should be able to add some permissions via Central Admin and the Policy and this will reflect on the site for that user.  Then that user can add permissions to other users for the site at the site level.

    You mentioned AD cannot authenticate users.  If that is the case, we are not running into an issue with SharePoint permissions, which is Authorization.  Authorization and authentication are not the same in regards to security.

    As for backups, the only thing that would happen is the site is placed into read-only mode until the backup completes.  Try running another backup and having that reset the lock or running the command line to manually set the lock: http://technet.microsoft.com/en-us/library/cc262811(office.12).aspx

    I would recommend opening a support ticket and having an engineer take a closer look at this if you’re still having problems.  There might be some other factors we are not seeing.


    Regards, Savoeurn Va Microsoft Online Community Support

    • Marked as answer by Otago70 Thursday, February 14, 2013 2:27 PM
    Thursday, February 14, 2013 1:36 AM
  • Savoeurn, thanks for your help it is much appreciated. When I checked the lock state of the site it was showing readonly. I set this to none and now everything works. I totally missed the possibility of being in the middle of a backup causing the issue especially as other backups have completed successfully since.

    Thanks again for your help!

    Peter

    Thursday, February 14, 2013 2:30 PM
  • We had this happen after installing a CU - May 2016 to be specific.

    There is a TechNet article, but basically it has to do with the cache ids being in the 2010 format

    https://technet.microsoft.com/en-us/library/ff758656.aspx


    Andrew

    Thursday, November 24, 2016 6:19 PM