locked
Getting Access denied when nav to the Shared Service instance

    Question

  • I created a Shared Service on my server a few days ago using the local administrator account.  I have since created a separate Windows account (belongs to the Administrators group) for myself to use.  I'm able to do everything in the Central Administration site but accessing this instance of Shared Services created a few days ago.  What specific access rights does it need?  My windows account is in the Farm Administrators group too.
    Friday, January 26, 2007 10:57 PM

Answers

  • Try adding the second admin to the site collection admins of the SSP admin site. That should help.
    Friday, February 9, 2007 11:28 AM

All replies

  • Bob,

    Log into Shared Services using the same account you used to create the SSP a few days ago.  There is a permissions separation between Shared Services and the Central Administration.  You simply need to add the account you want to access with.

    Hope this helps

    Saturday, January 27, 2007 6:04 AM
  • I'm having the same problem. 2 Domain admins, both in MOSS 2007's Farm Administrators group, but only one (the one first used to install/config MOSS) can open the default SSP's admin page. I was even able to make a test domain user, add it to the domain admins group and the farm administrators group then use it successfully to get to the SSP admin page. But my other admin's account still can't, and it's the only thing on the server and in MOSS he can't do.

    We who are having this problem can already tell there is a separation somewhere. What we need to know is not that a separation exists, since that is clear, but we need to know WHERE it is. WHERE do I go, WHAT do I do specifically to overcome it?

    ArieMichal

    Thursday, February 8, 2007 9:46 PM
  • Hey friend, I'm just trying to help here so please keep the tone down.   :)

    Did you add your other Administrator to the SSP portal?

    Thursday, February 8, 2007 10:14 PM
  • Try adding the second admin to the site collection admins of the SSP admin site. That should help.
    Friday, February 9, 2007 11:28 AM
  • I, too, have had this problem.
    My only way of solving it so far is to create a new SSP and then re-assign the other sites to the new SSP. The busted SSP can then be removed via IIS.

    I know that this will have some implications as to content that was already created in other sites but it is the only way for me to move forward.
    What I am learning is that the Shared Services is a special site. Without adequate documentation I'm flying blind.

    MOSS 2007 is a huge improvement over previous versions but still has a way to go before it is a manageable product.
    I would love to see MS do a better job of streamlining the Admin user, SSP admin, with a set of defaults or recommendation via EXAMPLEs.


    Wednesday, February 21, 2007 7:01 PM
  •  kiral wrote:
    Try adding the second admin to the site collection admins of the SSP admin site. That should help.

    Exactly! Thanks a lot, kiral.

    Ole Thomsen

     

    Sunday, February 25, 2007 2:31 PM
  • Thanks a lot Kiral.  That fixed the problem for me.  It really makes sense since a new top level site wouldn't know what accounts need to be in the admin group other than the account creating it.
    Saturday, March 3, 2007 5:27 AM
  • Has anyone run across this situation:

    I cannot logon to Shared Services with the account used to install it, or any other account?

     

    How can I tell which account created it? I just want to verify that I am using the right account to access it.

     

    Thanks,

    Matt

     

    Monday, August 13, 2007 7:03 PM
  • Thanks so much Kiral.  I had this same issue and your fix worked perfectly.  This stuff isn't very intuitive.

    Wednesday, September 12, 2007 1:54 PM
  • You can find out the account by looking at your App Pool for your SSP.  Try logging in with that account

     

    Saturday, September 29, 2007 6:09 PM
  • I am facing this issue with accessing a newly created SSP and never had an issue like this.

     

    I can't access the admin site of SSP with any of the accounts (set up user, farm admin, ssp pool and ssp service) used to set it up, but can access settings pages like /_layouts/settings.aspx or searchsspsettings.aspx. SSP setup user has full control and I added farm admin as well with full control.  But nothing happened and I still can't access the ssp admin site.

     

    If I change the Authentication provider to Enable anonymous access, I can see the admin site for one or two clicks. I configured it on many servers but never had this issue. The only difference with this one is that SQL Server is running under the local system account.

     

    But no result.

     

    Thanks,

     

    Saturday, October 6, 2007 7:46 AM
  • I wrote a blog, Give a user access to SSP, that should help all of you with permissions.  For the person having problems logging in with any account, you could try the blog linked to from that post, Become Administrator of the Entire Web Application, and give yourself access to the whole web application.

     

    Shane - SharePoint Help

    Saturday, October 6, 2007 2:18 PM
    Moderator
  • I've got a similar issue.  I can't access the SSP admin site at the base url, I get access denied.  If I put in

    http://servername/ssp/admin/_layouts/settings.aspx  I can access all settings.  I added additional users.  Still no luck accessing main http://servername/ssp/admin.  The new users can access the settings.aspx page directly.

     

     

    Monday, October 15, 2007 5:07 PM
  •  

    We are having this same problem.  We are not able to access the Shared Services Provider site with the account I just used to create it, the sp farm account, ssp-app account, or ssp-service account.  I have tried the above suggestions including adding the accounts as full application administrators, as farm administrators, and as site administrators through the _layouts/settings.aspx page which we can also get to directly.  We have loaded MOSS many times in the last few weeks in our lab and come across this issue A LOT.  Any other suggestions would be greatly appreciated.  Thanks.

     

     

    Edit:

    I finally found the answer, it was just much further down the google tree than I normally go.    It appears to be a bug where sharepoint builds the app pool but insists on running it with the ssp service account instead of the app account that gets entered and won't let you change it.  I created a new app pool by hand with the correct account and moved my ssp data to it as suggested here http://faraz-khan.blogspot.com/2007/06/moss-2007-cannot-login-into-ssp.html .

    It worked like a charm!  Hope this helps.

    • Proposed as answer by Jeremy Thake Thursday, August 21, 2008 2:07 AM
    Saturday, October 20, 2007 11:58 PM
  • The bottom line is (As stated here and links referenced here) that you should not name your SSP the same as the Application Pool for the Administration site of the SSP.

    What I concluded and is not obvious from the documentation is that there are two (2) application pools associated with the SSP:  One, is created automatically by the SSP creation process and it is named exactly like the SSP.  This AppPool is configured to run with the SSP_SVC account we provide.  The second is the AppPool that will be associated with the Administration Application (site) for the SSP.

    If this was made clear from the beginning, we might not be tempted to name the SSP and the Admin site's AppPool the same.  Instead, I now might name things like this:

    SSP Name: MOSS_SSP_01

    AppPool Name: MOSS_SSP_01_Admin (this tells me it's the AppPool for the admin site of the SSP_01)

    I hope this helps.

    Monday, October 6, 2008 4:28 PM
  • The post by kiral - Posted on Friday, February 09, 2007 5:28:30 AM worked for me. But it's easy to get confused. When you go to assign a site collection administrator, note that you can choose another web application. You need to choose the one associated with your Shared Services Provider site. Each web application can support multiple site collections. Each site collection may have both a primary and secondary site collection administrator. So, if you go to Central Admin, Application Management, Site Collection Administrators, and see your account as the secondary site collection administrator, you might be confused and think your account is assigned access to the shared svcs provider. But look carefully at the drop-down "Site Collections" and explore a bit further.
    • Edited by David K Allen Monday, December 29, 2008 8:11 PM clarify context
    Monday, December 29, 2008 8:09 PM
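
Added example, not part of any post in this thread: a PowerShell script that uses the SharePoint server object model on a farm server to list the owner, secondary owner and site collection administrators of every site collection in every content web application, so you can confirm an account is on the SSP admin site collection rather than on a different one. `CONTOSO\second.admin` is a hypothetical account name; run the script as an account that can read the farm's content databases.

```powershell
# Load the SharePoint server object model (present on any MOSS 2007 farm server).
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

# Hypothetical account to look for; replace with the login that gets Access Denied.
$account = "CONTOSO\second.admin"

# Content web applications include the one that hosts the SSP admin site.
$service = [Microsoft.SharePoint.Administration.SPWebService]::ContentService

foreach ($webApp in $service.WebApplications) {
    foreach ($site in $webApp.Sites) {
        # The secondary owner is optional, so guard against null.
        $secondary = "(none)"
        if ($site.SecondaryContact -ne $null) {
            $secondary = $site.SecondaryContact.LoginName
        }

        # Everyone flagged as site collection administrator on the root web.
        $admins = @($site.RootWeb.SiteAdministrators |
                    ForEach-Object { $_.LoginName })

        # -contains compares strings case-insensitively by default.
        $isAdmin = $admins -contains $account

        $row = New-Object PSObject
        $row | Add-Member NoteProperty WebApplication $webApp.DisplayName
        $row | Add-Member NoteProperty SiteCollection $site.Url
        $row | Add-Member NoteProperty PrimaryOwner   $site.Owner.LoginName
        $row | Add-Member NoteProperty SecondaryOwner $secondary
        $row | Add-Member NoteProperty AccountIsAdmin $isAdmin
        $row | Add-Member NoteProperty AllAdmins      ($admins -join "; ")
        $row

        # SPSite holds unmanaged resources; release each one after use.
        $site.Dispose()
    }
}
```

A row for the SSP admin URL with `AccountIsAdmin` set to `False` matches the situation described in this thread: the account is a farm administrator but was never added to that site collection.
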
  • Have been going around in circles on this one. In the end the problem was not related to any account or application pool privileges, but rather to a 'loopback security check'.

    Have blogged about it here.

    Apologies if this post shows up several times, as I am posting it as a response to several other similar threads on technet.
    Thursday, May 21, 2009 8:52 AM
  • I have the same problem. I tried all possible solutions, but I can't resolve the problem.

     

    I found a solution: logging in with Firefox. With Internet Explorer I can't, but with Firefox I don't have a problem.


    leon
    Wednesday, August 5, 2009 8:16 PM
  • The SSP is a totally different security matrix than the Central admin and this is by SharePoint design. When a SSP is created only the account that it was created with has access to the SSP. Log in to the SSP and go to Site Actions > Site Settings > Site collection administrators and add your users in there. This then allows those users to log in to the SSP with their regular account.

    In a large scale portal you will not necessarily have the farm administrators and the SSP administrators as the same group.
    Thursday, September 3, 2009 3:10 PM
  • This is an old thread but I thought I would post an answer here for those searching. Most of the posts have all the typical things to try and they will most likely work. However, we ran into this issue today and after checking all the usual suspects without success I thought of another scenario.

    We are working with a staging environment for a larger MOSS deployment. Since the staging servers were setup exactly like the production farm the same URL was used for everything http://customersite. Later this was changed due to DNS confusion so that the staging site (non-admin stuff) runs at http://customerstaging. I noticed the SSP admin URL was still using the old URL and, sure enough this was trying to hit production.

    So I went into Alternate Access Mapping in Central Admin/Operations (under the Global Configuration section) and changed the SSP (and all others) to the new URL - voila we have access again. Don't forget to check IIS host header names as well.
    Madrona
    Friday, September 4, 2009 10:38 PM
  • Hi All

    I have a strange one. The SSP does not allow anyone to log on. You are challenged for credentials (which are correct) and you receive the SharePoint access denied please logon as a another user.

    I have found a fix of some sort which is to run the SharePoint Products and Technologies Configuration Wizard which seems to work for a short time then fails again! I think this may be to do with Group Policy overriding something so if I find anything will post back.

    BTW it's not the issue with 401 Access denied as per my blog http://www.paulgrimley.com/2009/05/401-access-denied-unable-to-search.html.

    I may decide to recreate the SSP if it takes too long...

    Many Thanks
    Paul Grimley 
    • Proposed as answer by Paul Grimley Wednesday, February 3, 2010 8:11 PM
    • Unproposed as answer by Mike Walsh FIN Friday, January 27, 2012 9:30 PM
    Tuesday, February 2, 2010 9:38 AM
  • I managed to resolve my problem and a blog entry explaining the resolution can be found here http://www.paulgrimley.com/2010/02/access-denied-trying-to-access.html
    • Proposed as answer by Paul Grimley Wednesday, February 3, 2010 8:13 PM
    • Unproposed as answer by Mike Walsh FIN Friday, January 27, 2012 9:30 PM
    Wednesday, February 3, 2010 8:12 PM