Users get “You are not authorized to access this application” on IAG 2007 application links

  • Question

  • Hi
    I'm new to IAG, so this might be (and probably is) my fault having missed something really obvious...
    I have an issue with the config of the IAG portal… hoping that you may know what it is that is either missing/wrong or I have screwed up…

    What I have is IAG 2007 running on Windows 2003 R2 SP2, the IAG system is fully patched including the very latest SP2 Update 3.

    I have a situation where only domain admins can use any of the applications that relate to a sharepoint server. (I have tried creating the links as sharepoint applications and as intranet applications, but neither works for my users, but work fine for domain admins). 

    An example of the application link is http://servername/name/Lists/Announcements/AllItems.aspx
    Under Web Servers I have the address type as IP/Host and have both the server name and the ip address in under addresses.
    I have the authentication for these links set to “all Users are Authorised”. My users can see these links (they are meant to), and they are not greyed out.

    My test users (on my machine) can log in directly to the sharepoint server (obviously when they are in school only) and have the correct access and can use it and upload if they have upload rights etc… It is just when they click on the application from the portal home page (again on my machine) to any link on the sharepoint server, they cannot access it, whereas the same application link I can access it as a domain administrator - so I know the application link is correct and it is not an issue with the machine they are using.

    They get the error “You are not authorized to access this application”

    The error in the log files/web monitor relates to this bit of information…
    Warning #62: Unauthorized Access Attempt
    Symptoms
    A remote user attempts to access an application from the portal homepage. The request is denied, and the following message is displayed in the browser window: "You are not authorized to access the application."
    Cause...

    All of other applications work including the file access and home drive access, intranet (held on a separate server), the wcbs portal links (web page interface for separate sql server) and OWA 2007. All work fine for said users.

    What I don’t get is
    a) they have permission to view the application,
    b) they have authorization to access the application
    c) it works fine if we bypass portal and go direct through Internet Explorer on my machine, my domain login, but their sharepoint login details
    d) everything else that I have created in the same way works fine including other IIS server links e.g. Intranet which I also manage.

    I am convinced that this is not a SharePoint server issue, having even enabled anonymous access on the SharePoint server as a temporary measure to rule out authentication issues just in case.

    I have tried adding them into the application explicitly to give allow and view access to them as instead of “all Users are Authorised”.

    Do you have any thoughts please?

    Thanks

    Emma

    Wednesday, April 21, 2010 7:57 AM

Answers

  • Hi Dennis

    I have finally found someone who knew what the problem was... Nothing to do with the config, or the application type etc, everything there was correct. It has turned out that it was the order that the applications were in in my list of all things.

    Having a sort alphabetically tick box available (even if it does not actually work), it had not actually occurred to me that the list order had any particular relevance, and as with all things in IT, you create the test stuff first relating to the IT dept to get things working, so I have a top level SharePoint link in my list at the top with domain admins only access.

    Further down the list order were then the live links (given new stuff adds to the bottom of the list) that I wanted my users to see for the same server, and even though I had all users authorised ticked, it turned out that the order of the list is important and basically my top level access of domain admins for that server was overriding the permission lower down the list order (that being the application pool list order).

    Thanks for your input though.

    Emma
    • Marked as answer by Keswadmin Thursday, April 22, 2010 12:25 PM
    Thursday, April 22, 2010 10:08 AM
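
The ordering effect described in this answer, as an added example that is not part of the original post and not IAG's own code: a simplified first-match model in which the first entry in list order covering the requested server and path decides authorization, plus a check that flags later entries shadowed by an earlier, stricter one. The matching rule, the `AppEntry` fields, the entry names and the host `intranet01` are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AppEntry:
    name: str
    server: str          # backend host the entry publishes
    path: str            # URL path prefix covered by the entry
    allowed: frozenset   # authorized groups; "*" models "all users are authorized"

def covers(entry, server, path):
    """True when the entry's server and path prefix cover the requested URL."""
    return entry.server.lower() == server.lower() and path.startswith(entry.path)

def first_match(apps, server, path):
    """First entry in list order covering the request (assumed evaluation model)."""
    return next((a for a in apps if covers(a, server, path)), None)

def is_authorized(apps, server, path, groups):
    """Authorization decided solely by the first covering entry."""
    entry = first_match(apps, server, path)
    if entry is None:
        return False
    return "*" in entry.allowed or bool(entry.allowed & set(groups))

def find_shadowed(apps):
    """(earlier, later) pairs where an earlier, stricter entry covers a later one."""
    findings = []
    for i, later in enumerate(apps):
        for earlier in apps[:i]:
            stricter = "*" not in earlier.allowed and (
                "*" in later.allowed or not later.allowed <= earlier.allowed)
            if stricter and covers(earlier, later.server, later.path):
                findings.append((earlier.name, later.name))
                break
    return findings

# Constructed sample list mirroring the thread: the IT test entry was created
# first, the live link for the same server was appended to the bottom later.
APPS = [
    AppEntry("IT test - SharePoint root", "servername", "/", frozenset({"Domain Admins"})),
    AppEntry("Intranet", "intranet01", "/", frozenset({"*"})),
    AppEntry("Announcements", "servername", "/name/Lists/Announcements/", frozenset({"*"})),
]
```

Running `find_shadowed` over an exported or hand-transcribed application list after each change catches leftover test entries that silently narrow access to live links on the same server.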

All replies

  • Hi Emma,

    I suspect your issue is related to how IAG is passing on credentials to Sharepoint on behalf of the user.

    IAG only gives the "You are not authorized to access this application" error message if the real web server (SharePoint) tells IAG that the credentials you are providing are invalid. The authorization settings specified in IAG have nothing to do with this error.

    Verify that you're using the shortname under the "Domain" field in the AD repository that you created.

    ie.  Domain  (correct)
    ie.  domain.com (incorrect)

    I recommend that you use the "Sharepoint Server 2007" template and not the one that says Backwards Compatibility. You can follow the article below for help on configuring this. http://blogs.technet.com/edgeaccessblog/archive/2008/10/12/publishing-sharepoint-with-iag-2007-part-1-what-is-sharepoint-aam-and-why-do-we-need-it.aspx

    Make sure you didn't enable anonymous in IIS on a SharePoint server itself. This will cause Kerberos | KCD to fail.

    Thanks

    Dennis

    Thursday, April 22, 2010 6:02 AM