none
Cannot create sub site even with full permission

    Question

  • user cannot create a sub site even if the user has full permission.(i tried even giving full permission at the roort site)

    It gives an error "Sorry, you don't have access to this page ".  Only site collection administrators can create a new sub site.

    The error occurs when i try to create a team site or project site but creating a new blog site doesnt have any problem.

    I am using SharePoint 2013  with SP1

    Can anybody help me in this

    Wednesday, April 23, 2014 11:31 AM

Answers

  • No it is a OTB master page.

    I believe I've now resolved the problem in my case.

    I deleted my current mysites host and also UPS (including corresponding databases) recreated both (make sure mysites is on its own webapp). I then performed a restarted  of all WFE and App servers in farm then performed a Full Profile Synchronization and finished setting up mysites in UPS.

    Now a site owners can create subsites (from their subsite of the root site) with just site owner permission of that site.

    No special permissions are being applied from the top level site and Self Service site creation is off.

    • Marked as answer by rubeesh Monday, June 30, 2014 10:03 AM
    Sunday, June 29, 2014 10:58 PM

All replies

  • 1. Check if you see something in the ULS logs

    2. Check Users permission in Site settings > permissions

    3. Create a new Permission level and add Create subsite option. Add user to this permission and check if you face same issue

    http://office.microsoft.com/en-in/sharepoint-server-help/edit-create-and-delete-permission-levels-HA101805381.aspx

    Wednesday, April 23, 2014 11:41 AM
    Moderator
  • I tried all that and even tried with full permission but no use. Is there anything else to check
    Wednesday, April 23, 2014 11:56 AM
  • What my understanding here is, Users permission to the site has been broken, may be while creating your blog site. 

    In normal behavior of SharePoint it should not happen. But some time its behavior will put you in puzzle. 

    Anyhow, what you can do here is, just delete the user from the site and add them again with same permission.

    One time it happened with me also. So, readding the user solved my problem.

    Thanks,

     


    Rakesh

    Wednesday, April 23, 2014 12:07 PM
  • Check Central Administration->Application Management->Manage web application->User policy for your web application to see the list of users/groups who have user policy set for a hole WA. If user can belong to any of group in that list - check permission level.

    Also check User Permission in the same place - whether checkbox "Create subsites" is checked.

    Wednesday, April 23, 2014 12:17 PM
  • All permissions are checked. Here is the user policy screen. Appreciate ur quick response

    user policy

    Wednesday, April 23, 2014 12:34 PM
  • I dont think that central admin steps is the problem, from the above statement earlier user was able to create sub-site(This rubeesh can confirm).

    Just try my step and check.

    Thanks,


    Rakesh

    Wednesday, April 23, 2014 12:59 PM
  • The problem is not with just one user. Its for all users except site collection admins.

    This is the first time any user tried to create a sub site after UPGRADE from SP 2010, last month. 

    Everything works fine in the test environment, which was also upgraded from 2010 using the same database.

    note: Both production and test environment are having the same configuration. The only difference is that in the production i configured my site in the same site collection and in test its not configured

    Wednesday, April 23, 2014 1:32 PM
  • Let's look into deeper details:

    When you try to create site, the page /_layouts/15/newsbweb.aspx is opening. I guess you can open it but there is an error on submitting. What occurs on the error in ULS log?

    Wednesday, April 23, 2014 2:05 PM
  • Yes  the page /_layouts/15/newsbweb.aspx is opening.  The issue is on submitting 

    From the Log i couldn't figure out much. It only says Could not retrieve a valid windows identity for username(This is same for all the users). But everything works fine if the user is a part of site collection administrator.

    A section of the log: 

    2014 17:49:14.49 w3wp.exe (0x0718)                       0x06FC SharePoint Foundation         Claims Authentication         bz7l Medium   SPSecurityContext: Could not retrieve a valid windows identity for username 'AGFUND-NETWORK\Rubeesh' with UPN 'Rubeesh@agfund.net'. UPN is required when Kerberos constrained delegation is used. Exception: System.ComponentModel.Win32Exception (0x80004005): Access is denied    Server stack trace:      at System.ServiceModel.Channels.AppContainerInfo.RunningInAppContainer()     at System.ServiceModel.Channels.AppContainerInfo.get_IsRunningInAppContainer()     at System.ServiceModel.Channels.PipeSharedMemory.get_PipeName()     at System.ServiceModel.Channels.PipeSharedMemory.GetPipeName(AppContainerInfo appInfo)     at System.ServiceModel.Channels.PipeConnectionInitiator.GetPipeName(Uri uri, IPipeTransportFactorySettings transportFactorySettings)     at System.ServiceModel.Channels.NamedPipeCo... ca138a9c-5e6c-1039-692e-76e5e7893877
    04/23/2014 17:49:14.49* w3wp.exe (0x0718)                       0x06FC SharePoint Foundation         Claims Authentication         bz7l Medium   ...nnectionPoolRegistry.NamedPipeConnectionPool.GetPoolKey(EndpointAddress address, Uri via)     at System.ServiceModel.Channels.ConnectionPoolHelper.TakeConnection(TimeSpan timeout)     at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)     at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)     at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)     at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)     at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan time... ca138a9c-5e6c-1039-692e-76e5e7893877
    04/23/2014 17:49:14.49* w3wp.exe (0x0718)                       0x06FC SharePoint Foundation         Claims Authentication         bz7l Medium   ...out)     at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)     at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)    Exception rethrown at [0]:      at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)     at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)     at Microsoft.IdentityModel.WindowsTokenService.S4UClient.IS4UService_dup.UpnLogon(String upn, Int32 pid)     at Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(... ca138a9c-5e6c-1039-692e-76e5e7893877
    04/23/2014 17:49:14.49* w3wp.exe (0x0718)                       0x06FC SharePoint Foundation         Claims Authentication         bz7l Medium   ...Func`2 contractOperation)     at Microsoft.SharePoint.SPSecurityContext.GetWindowsIdentity(). ca138a9c-5e6c-1039-692e-76e5e7893877
    04/23/2014 17:49:14.49 w3wp.exe (0x0718)                       0x06FC SharePoint Foundation         Claims Authentication         g220 Unexpected No windows identity for agfund-network\rubeesh. ca138a9c-5e6c-1039-692e-76e5e7893877
    04/23/2014 17:49:14.49 w3wp.exe (0x0718)                       0x06FC SharePoint Foundation         Claims Authentication         bz7l Medium   SPSecurityContext: Could not retrieve a valid windows identity for username 'AGFUND-NETWORK\Rubeesh' with UPN 'Rubeesh@agfund.net'. UPN is required when Kerberos constrained delegation is used. Exception: System.ComponentModel.Win32Exception (0x80004005): Access is denied    Server stack trace:      at System.ServiceModel.Channels.AppContainerInfo.RunningInAppContainer()     at System.ServiceModel.Channels.AppContainerInfo.get_IsRunningInAppContainer()     at System.ServiceModel.Channels.PipeSharedMemory.get_PipeName()     at System.ServiceModel.Channels.PipeSharedMemory.GetPipeName(AppContainerInfo appInfo)     at System.ServiceModel.Channels.PipeConnectionInitiator.GetPipeName(Uri uri, IPipeTransportFactorySettings transportFactorySettings)     at System.ServiceModel.Channels.NamedPipeCo... ca138a9c-5e6c-1039-692e-76e5e7893877
    04/23/2014 17:49:14.49* w3wp.exe (0x0718)                       0x06FC SharePoint Foundation         Claims Authentication         bz7l Medium   ...nnectionPoolRegistry.NamedPipeConnectionPool.GetPoolKey(EndpointAddress address, Uri via)     at System.ServiceModel.Channels.ConnectionPoolHelper.TakeConnection(TimeSpan timeout)     at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)     at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)     at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)     at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)     at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan time... ca138a9c-5e6c-1039-692e-76e5e7893877
    04/23/2014 17:49:14.49* w3wp.exe (0x0718)                       0x06FC SharePoint Foundation         Claims Authentication         bz7l Medium   ...out)     at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)     at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)    Exception rethrown at [0]:      at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)     at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)     at Microsoft.IdentityModel.WindowsTokenService.S4UClient.IS4UService_dup.UpnLogon(String upn, Int32 pid)     at Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(... ca138a9c-5e6c-1039-692e-76e5e7893877
    04/23/2014 17:49:14.49* w3wp.exe (0x0718)                       0x06FC SharePoint Foundation         Claims Authentication         bz7l Medium   ...Func`2 contractOperation)     at Microsoft.SharePoint.SPSecurityContext.GetWindowsIdentity(). ca138a9c-5e6c-1039-692e-76e5e7893877
    04/23/2014 17:49:14.49 w3wp.exe (0x0718)                       0x06FC SharePoint Foundation         Claims Authentication         g220 Unexpected No windows identity for agfund-network\rubeesh. ca138a9c-5e6c-1039-692e-76e5e7893877
    04/23/2014 17:49:14.51 w3wp.exe (0x0718)                       0x06FC SharePoint Foundation         Claims Authentication         bz7l Medium   SPSecurityContext: Could not retrieve a valid windows identity for username 'AGFUND-NETWORK\Rubeesh' with UPN 'Rubeesh@agfund.net'. UPN is required when Kerberos constrained delegation is used. Exception: System.ComponentModel.Win32Exception (0x80004005): Access is denied    Server stack trace:      at System.ServiceModel.Channels.AppContainerInfo.RunningInAppContainer()     at System.ServiceModel.Channels.AppContainerInfo.get_IsRunningInAppContainer()     at System.ServiceModel.Channels.PipeSharedMemory.get_PipeName()     at System.ServiceModel.Channels.PipeSharedMemory.GetPipeName(AppContainerInfo appInfo)     at System.ServiceModel.Channels.PipeConnectionInitiator.GetPipeName(Uri uri, IPipeTransportFactorySettings transportFactorySettings)     at System.ServiceModel.Channels.NamedPipeCo... ca138a9c-5e6c-1039-692e-76e5e7893877
    04/23/2014 17:49:14.51* w3wp.exe (0x0718)                       0x06FC SharePoint Foundation         Claims Authentication         bz7l Medium   ...nnectionPoolRegistry.NamedPipeConnectionPool.GetPoolKey(EndpointAddress address, Uri via)     at System.ServiceModel.Channels.ConnectionPoolHelper.TakeConnection(TimeSpan timeout)     at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)     at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)     at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)     at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)     at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan time... ca138a9c-5e6c-1039-692e-76e5e7893877
    04/23/2014 17:49:14.51* w3wp.exe (0x0718)                       0x06FC SharePoint Foundation         Claims Authentication         bz7l Medium   ...out)     at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)     at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)    Exception rethrown at [0]:      at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)     at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)     at Microsoft.IdentityModel.WindowsTokenService.S4UClient.IS4UService_dup.UpnLogon(String upn, Int32 pid)     at Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(... ca138a9c-5e6c-1039-692e-76e5e7893877
    04/23/2014 17:49:14.51* w3wp.exe (0x0718)                       0x06FC SharePoint Foundation         Claims Authentication         bz7l Medium   ...Func`2 contractOperation)     at Microsoft.SharePoint.SPSecurityContext.GetWindowsIdentity(). ca138a9c-5e6c-1039-692e-76e5e7893877
    04/23/2014 17:49:14.51 w3wp.exe (0x0718)                       0x06FC SharePoint Foundation         Claims Authentication         g220 Unexpected No windows identity for agfund-network\rubeesh. ca138a9c-5e6c-1039-692e-76e5e7893877
    04/23/2014 17:49:14.51 w3wp.exe (0x0718)                       0x06FC SharePoint Foundation         Claims Authentication         bz7l Medium   SPSecurityContext: Could not retrieve a valid windows identity for username 'AGFUND-NETWORK\Rubeesh' with UPN 'Rubeesh@agfund.net'. UPN is required when Kerberos constrained delegation is used. Exception: System.ComponentModel.Win32Exception (0x80004005): Access is denied    Server stack trace:      at System.ServiceModel.Channels.AppContainerInfo.RunningInAppContainer()     at System.ServiceModel.Channels.AppContainerInfo.get_IsRunningInAppContainer()     at System.ServiceModel.Channels.PipeSharedMemory.get_PipeName()     at System.ServiceModel.Channels.PipeSharedMemory.GetPipeName(AppContainerInfo appInfo)     at System.ServiceModel.Channels.PipeConnectionInitiator.GetPipeName(Uri uri, IPipeTransportFactorySettings transportFactorySettings)     at System.ServiceModel.Channels.NamedPipeCo... ca138a9c-5e6c-1039-692e-76e5e7893877
    04/23/2014 17:49:14.51* w3wp.exe (0x0718)                       0x06FC SharePoint Foundation         Claims Authentication         bz7l Medium   ...nnectionPoolRegistry.NamedPipeConnectionPool.GetPoolKey(EndpointAddress address, Uri via)     at System.ServiceModel.Channels.ConnectionPoolHelper.TakeConnection(TimeSpan timeout)     at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)     at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)     at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)     at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)     at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan time... ca138a9c-5e6c-1039-692e-76e5e7893877
    04/23/2014 17:49:14.51* w3wp.exe (0x0718)                       0x06FC SharePoint Foundation         Claims Authentication         bz7l Medium   ...out)     at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)     at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)    Exception rethrown at [0]:      at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)     at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)     at Microsoft.IdentityModel.WindowsTokenService.S4UClient.IS4UService_dup.UpnLogon(String upn, Int32 pid)     at Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(... ca138a9c-5e6c-1039-692e-76e5e7893877
    04/23/2014 17:49:14.51* w3wp.exe (0x0718)                       0x06FC SharePoint Foundation         Claims Authentication         bz7l Medium   ...Func`2 contractOperation)     at Microsoft.SharePoint.SPSecurityContext.GetWindowsIdentity(). ca138a9c-5e6c-1039-692e-76e5e7893877
    04/23/2014 17:49:14.51 w3wp.exe (0x0718)                       0x06FC SharePoint Foundation         Claims Authentication         g220 Unexpected No windows identity for agfund-network\rubeesh. ca138a9c-5e6c-1039-692e-76e5e7893877
    04/23/2014 17:49:14.51 w3wp.exe (0x0718)                       0x06FC SharePoint Foundation         Claims Authentication         bz7l Medium   SPSecurityContext: Could not retrieve a valid windows identity for username 'AGFUND-NETWORK\Rubeesh' with UPN 'Rubeesh@agfund.net'. UPN is required when Kerberos constrained delegation is used. Exception: System.ComponentModel.Win32Exception (0x80004005): Access is denied    Server stack trace:      at System.ServiceModel.Channels.AppContainerInfo.RunningInAppContainer()     at System.ServiceModel.Channels.AppContainerInfo.get_IsRunningInAppContainer()     at System.ServiceModel.Channels.PipeSharedMemory.get_PipeName()     at System.ServiceModel.Channels.PipeSharedMemory.GetPipeName(AppContainerInfo appInfo)     at System.ServiceModel.Channels.PipeConnectionInitiator.GetPipeName(Uri uri, IPipeTransportFactorySettings transportFactorySettings)     at System.ServiceModel.Channels.NamedPipeCo... ca138a9c-5e6c-1039-692e-76e5e7893877
    04/23/2014 17:49:14.51* w3wp.exe (0x0718)                       0x06FC SharePoint Foundation         Claims Authentication         bz7l Medium   ...nnectionPoolRegistry.NamedPipeConnectionPool.GetPoolKey(EndpointAddress address, Uri via)     at System.ServiceModel.Channels.ConnectionPoolHelper.TakeConnection(TimeSpan timeout)     at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)     at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)     at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)     at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)     at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan time... ca138a9c-5e6c-1039-692e-76e5e7893877
    04/23/2014 17:49:14.51* w3wp.exe (0x0718)                       0x06FC SharePoint Foundation         Claims Authentication         bz7l Medium   ...out)     at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)     at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)    Exception rethrown at [0]:      at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)     at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)     at Microsoft.IdentityModel.WindowsTokenService.S4UClient.IS4UService_dup.UpnLogon(String upn, Int32 pid)     at Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(... ca138a9c-5e6c-1039-692e-76e5e7893877
    04/23/2014 17:49:14.51* w3wp.exe (0x0718)                       0x06FC SharePoint Foundation         Claims Authentication         bz7l Medium   ...Func`2 contractOperation)     at Microsoft.SharePoint.SPSecurityContext.GetWindowsIdentity(). ca138a9c-5e6c-1039-692e-76e5e7893877
    04/23/2014 17:49:14.51 w3wp.exe (0x0718)                       0x06FC SharePoint Foundation         Claims Authentication         g220 Unexpected No windows identity for agfund-network\rubeesh. ca138a9c-5e6c-1039-692e-76e5e7893877
    04/23/2014 17:49:14.51 w3wp.exe (0x0718)                       0x06FC SharePoint Foundation         Claims Authentication         bz7l Medium   SPSecurityContext: Could not retrieve a valid windows identity for username 'AGFUND-NETWORK\Rubeesh' with UPN 'Rubeesh@agfund.net'. UPN is required when Kerberos constrained delegation is used. Exception: System.ComponentModel.Win32Exception (0x80004005): Access is denied    Server stack trace:      at System.ServiceModel.Channels.AppContainerInfo.RunningInAppContainer()     at System.ServiceModel.Channels.AppContainerInfo.get_IsRunningInAppContainer()     at System.ServiceModel.Channels.PipeSharedMemory.get_PipeName()     at System.ServiceModel.Channels.PipeSharedMemory.GetPipeName(AppContainerInfo appInfo)     at System.ServiceModel.Channels.PipeConnectionInitiator.GetPipeName(Uri uri, IPipeTransportFactorySettings transportFactorySettings)     at System.ServiceModel.Channels.NamedPipeCo... ca138a9c-5e6c-1039-692e-76e5e7893877
    04/23/2014 17:49:14.51* w3wp.exe (0x0718)                       0x06FC SharePoint Foundation         Claims Authentication         bz7l Medium   ...nnectionPoolRegistry.NamedPipeConnectionPool.GetPoolKey(EndpointAddress address, Uri via)     at System.ServiceModel.Channels.ConnectionPoolHelper.TakeConnection(TimeSpan timeout)     at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)     at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)     at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)     at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)     at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan time... ca138a9c-5e6c-1039-692e-76e5e7893877
    04/23/2014 17:49:14.51* w3wp.exe (0x0718)                       0x06FC SharePoint Foundation         Claims Authentication         bz7l Medium   ...out)     at  
    Wednesday, April 23, 2014 3:35 PM
  • Interesting. At first, check whether Claims to Windows Token service is running.

    And there is the similiar problem:

    http://social.technet.microsoft.com/Forums/sharepoint/en-US/216c246e-9d45-425a-89f1-48efe7a5ed74/error-could-not-retrieve-a-valid-windows-identity?forum=sharepointadmin

    Wednesday, April 23, 2014 4:23 PM
  • Claims to Windows Token service is stopped in the front end and app servers. 

    Even in test server this service is stopped and there i dont have any problem in creating sub site.

    I have configured my site in the same web application of the site, cud this be a problem

    Wednesday, April 23, 2014 4:44 PM
  • I read through your case again. I have noticed you are upgraded from SP2010. I guess, you had classic auth in SP2010 and now you have claims auth.

    1. Please try to run Claims to Windows Token service (on both front end/app servers). It costs nothing to you.

    2. Have you performed a user migration using standard PowerShell script?

    $wapp = Get-SPWebApplication http://<your root site here>
    $wapp.MigrateUsers($true)
    

    Wednesday, April 23, 2014 7:31 PM
  • I had tried all these but no change.
    Wednesday, April 23, 2014 8:19 PM
  • Make sure Style Resource reader group have all auth user with read access.

    Please remember to mark your question as answered &Vote helpful,if this solves/helps your problem. ****************************************************************************************** Thanks -WS MCITP(SharePoint 2010, 2013) Blog: http://wscheema.com/blog

    Wednesday, April 23, 2014 8:21 PM
    Moderator
  • I didnt get you. This group already has all auth users. I didnt understand what u mean by giving read permission inside the grp
    Wednesday, April 23, 2014 8:39 PM
  • are you using the Publishing template? then Style Resources Readers & Restricted Reader group will be there.

    Make Sure both Groups have the permission with limited access and restricted read on Pages Library and Style Library.


    Please remember to mark your question as answered &Vote helpful,if this solves/helps your problem. ****************************************************************************************** Thanks -WS MCITP(SharePoint 2010, 2013) Blog: http://wscheema.com/blog

    Wednesday, April 23, 2014 8:53 PM
    Moderator
  • The problem is when creating a collatbration sites like team site, project site or community site. 

    There is no issue when creaing publishing site, blog,document center,search center etc

    Regarding ur replay "Make Sure both Groups have the permission with limited access and restricted read on Pages Library and Style Library". I have tried this and even tried with full access, but no positive result

    I have created a new site collection and the issue remains same.  Only the user who has full control at web application user control can create the team siteweb app user policy

    • Edited by rubeesh Thursday, April 24, 2014 10:17 AM
    Thursday, April 24, 2014 7:25 AM
  • I think the issue is related to seattle master file page.

    now i cannot access the root site as http://intranet/  (gives me acces denied error)instead i have to type the complete url of home page http://intranet/SitePages/Home.aspx

    Default master page is seatle.master

    Master page

    Thursday, April 24, 2014 1:54 PM
  • Can you check permissions on seattle master page? May be this is a key to the problem.
    Thursday, April 24, 2014 3:57 PM
  • seattle master page inherits from master page library. I have even tried giving full access, but didn't work.

    The access denied error on accessing the root site was solved by setting the key in web config file  aspnet:AllowAnonymousImpersonation to false 

    But still the error on creating team site or project site remains same.

    Thursday, April 24, 2014 4:37 PM
  • couple of things to test.

    1) do you have a saperate web application, try to create a team site collection then try to create subsite

    2) what is your main template for the root Site collection? if it is publishing, try to create a new site collection with Team Site template then test it.


    Please remember to mark your question as answered &Vote helpful,if this solves/helps your problem. ****************************************************************************************** Thanks -WS MCITP(SharePoint 2010, 2013) Blog: http://wscheema.com/blog

    Thursday, April 24, 2014 5:00 PM
    Moderator
  • Same error even in the new web application
    Thursday, April 24, 2014 5:27 PM
  • then its more about the Web App level or even farm level. 

    try to reset the Object Cache. if it fixed fine otherwise.go for sp1 upgrade.

    As you mentioned in the initial post that you are sp2013 with SP1, 1st release of SP1 having alot of issues, so i would recommend , go ahead and install the re-release version of SP1 from here.

    http://blogs.technet.com/b/stefan_gossner/archive/2014/04/22/sp1-for-sharepoint-2013-has-been-rereleased.aspx


    Please remember to mark your question as answered &Vote helpful,if this solves/helps your problem. ****************************************************************************************** Thanks -WS MCITP(SharePoint 2010, 2013) Blog: http://wscheema.com/blog

    Thursday, April 24, 2014 5:34 PM
    Moderator
  • Ooook i wil try this. The strange thing is that our test server works fine, but its single server installation.

    Thankz  man. 

    • Edited by rubeesh Thursday, April 24, 2014 8:32 PM
    Thursday, April 24, 2014 5:50 PM
  • Hi Rubeesh,

    Try permissioning 'everyone' read access and your timer service account 'full control' to the following list. I ran across this issue in the past and that resolved the issue.

    http://{Your root site URL}/lists/taxonomyhiddenlist/AllItems.aspx

    Hope this helps! Could you find an article on this but check this thread out.  

    thanks!


    BlueSky2010
    Please help and appreciate others by using forum features: "Propose As Answer", "Vote As Helpful" and "Mark As Answer"

    • Proposed as answer by S_Geo Wednesday, July 22, 2015 7:05 PM
    Friday, April 25, 2014 2:03 PM
  • the list already has the said permission
    Saturday, April 26, 2014 12:55 PM
  • Even the installtion of sp1 re-release couldnt solve the issue
    Thursday, May 15, 2014 1:59 PM
  • You said, "users with full control to web app can create subsite"

    So it is access problem, obviously. Try again to create a subsite (from non-full control user) and watch ULS for any "Access denied" type of errors. Maybe we miss something.

    Friday, May 16, 2014 5:53 AM
  • Hi rubeesh,

    I'm having exactly the same issue where you able to find a resolution?

    Friday, June 27, 2014 5:20 AM
  • No. Planning a fresh farm installation and restore the content db
    Friday, June 27, 2014 6:27 AM
  • I read through the proposed answers, and I once had something similar.

    Let me suggest something totally different:  Check "Self Service Site Creation".  If it is OFF, it explains your phenomena.  Users cannot create sites when it is OFF, but Admins can.  Many companies set this OFF, so users don't go crazy creating a sprawl of sub-sub-sub-sites.  What you need is to turn it ON.

    -mrkcc

    Friday, June 27, 2014 12:32 PM
  • It's already on, as I had configured mysite on the same web application
    Friday, June 27, 2014 2:28 PM
  • Friday, June 27, 2014 3:11 PM
  • I think this may be the root cause of the problem.

    I also configured mysites on the same web application but moved to its own later, seemed this issue started around this time.

    Sunday, June 29, 2014 10:06 PM
  • Tested with it on and off on mine with no success.

    It only effects some site templates too not all.

    Sunday, June 29, 2014 10:11 PM
  • Did u make any update in the master page
    Sunday, June 29, 2014 10:31 PM
  • No it is a OTB master page.

    I believe I've now resolved the problem in my case.

    I deleted my current mysites host and also UPS (including corresponding databases) recreated both (make sure mysites is on its own webapp). I then performed a restarted  of all WFE and App servers in farm then performed a Full Profile Synchronization and finished setting up mysites in UPS.

    Now a site owners can create subsites (from their subsite of the root site) with just site owner permission of that site.

    No special permissions are being applied from the top level site and Self Service site creation is off.

    • Marked as answer by rubeesh Monday, June 30, 2014 10:03 AM
    Sunday, June 29, 2014 10:58 PM
  • Great ... This fixed my issue also. 

    Worked even without recreating UPS. just changed the my site config in the UPS to the new my site host

    Monday, June 30, 2014 10:03 AM
  • Yes, check the 2013 links in the vertical menu on the left, click Site Contents, scroll all the way down, and find there "+ New Subsite".  You can have "Self Service Site Creation" set ON for some Site Collections and OFF for others.  IE: Make sure it is ON for all Site Collections, not just one.

    Monday, June 30, 2014 1:22 PM
  • I have the same problem. I am troubleshooting and have some findings that may help others. To recap the problem, I have one specific site collection in which the site collection administrators can create sub sites using the "Team" site collection (Template STS#0) but other users who are members of the Owners group (and therefore have "Full Permission" cannot create sub-sites using the Team site template with a result "Sorry this site hasn't been shared with you" and the subsite does not exist.

    Note that the ULS logs clearly show SharePoint successfully created the subsite and encounters an error later after applying the STS#0 template. The ULS message " Successfully applied template "STS#0" to web" clearly indicates the site was created ok and the template applied. We can therefore rule out the theory that users in the Owners group do not have enough permission ("Check User permissions...etc.") to create subsites, both because users can get to the Create Site page ok and because they can create subsites that use a different templates ok.

    We can also rule out the theory that you should have Claims to Windows Token service running. This cannot be the issue -- at least in my case -- because I have two other site collections in the same farm in the same Web Application where the problem does not occur. Users who are members of the Owners group can create Team sub-sites just fine in those other site collections (and I don't have Claims to Windows Token service running).

    Like you, I became suspicious of Claims Authentication because of the entry in the ULS log that rubeesh also had that says, "Claims Authentication      SPSecurityContext: Could not retrieve a valid windows identity for username <then my user name appears here>".

    However, that Claims Authentication ULS log entry comes only *after* the killer "Unexpected        Exception attempting to ApplyWebTemplate to SPWeb"

    Going back in the ULS log, it seems the first sign of trouble is the entry that says, "SharePoint Portal Server    Content Following  Unexpected        Could not follow the url <the url of my failed subsite appears here>"

    Finally, I decided there must be something wrong with my site collection. (I know, duh.) I created a new site
    collection in the same farm in the same web app using the same template and the same content db as the broken site collection. I created the standard permission groups (Owners, etc.) just like the broken one, and added users including myself to that new site collection owners group. Using this new site collection, I successfully created a subsite using my credentials and specifying the Team site template. NOTE: I did not have to delete the MySite Host or re-create my User Profile Synch. Now I am using Metalogix Content Matrix to copy all the subsites from the broken Site Collection to the fixed site collection and will have to deal with the changed URL somehow. Hope this helps.


    M. Cox

    Saturday, March 21, 2015 10:32 PM
  • Worked for me, thanks
    Wednesday, July 22, 2015 7:05 PM
  • I faced the same issue yesterday and the below solution worked for me

    Gave read access for SharePoint Taxonomy Hidden List for all authenticated users operating within the site collection.

    you can find that list by browsing directly to - /Lists/TaxonomyHiddenList.

    The post is old but just posting so that it helps others.

    • Proposed as answer by Steven Hahn Thursday, October 8, 2015 8:06 PM
    Tuesday, September 8, 2015 5:41 AM
  • M.Ahuja's workaround seems to work.

    From research on the /lists/TaxonomyHiddenList - the permissions should look like this:

    Hidden

    (Read isn't an option in 2013 for some reason).   

    On the problem site, System account was present, but not "Authenticated Users".


    Steve Hahn


    • Edited by Steven Hahn Thursday, October 8, 2015 8:39 PM Found more information
    Thursday, October 8, 2015 8:12 PM
  • This was the fix for me! 

    UCHKEV

    Wednesday, December 6, 2017 4:49 PM