locked
Access Denied but Users Should Have Access? RRS feed

  • Soru

  • OK I have had 2 users now tell me they are getting access denied.  I have doubled and tripled checked and they are in the SharePoint group giving them Contributor access.  I have tried removing them and re-adding them and still they get access denied.  I am looking at event logs and not seeing anything.  I see nothing in the log files.  Is there some way I can increase the logging and it tell me why it is giving them access denied when they should have access?  I am pulling my hair out on this cause it makes no sense.
    Billy S.
    17 Mart 2010 Çarşamba 15:45

Yanıtlar

  • Does the homepage contain any of the web parts that you installed on the weekend?

    If so, have you tried removing them from the page and seeing if that makes a difference?
    • Yanıt Olarak İşaretleyen Billy Strader 17 Mart 2010 Çarşamba 19:19
    17 Mart 2010 Çarşamba 19:15

Tüm Yanıtlar

  • You might try doing an IIS reset...it may be a little extreme but would get rid of anything that may be cached and keeping those permissions from updating...

    To enable more verbose logging, open the Central Admin site and the Operations page within it. In the Logging and Reporting section, click the Diagnostic Logging link. Within the Diagnostic Logging page you can configure the amount of information collected for all events within your farm, or for certain types of events.

    You should also take a look at the IIS logs and see what kind of information is being reported when the user tries to authenticate, the HTTP error codes may give you some more information as well about the type of issue you're having.

    I doubt this will be helpful if the users are not able to access a specific site but can get to others within the farm, but you may want to take a look at the security logs on your domain controllers (assuming you're using AD and Windows Authentication) to see what errors, if any, are being reported there...

    John
    MCTS: WSS v3, MOSS 2007, and SCOM 2007

    Now Available on Amazon - The SharePoint 2007 Disaster Recovery Guide.
    17 Mart 2010 Çarşamba 16:25
  • Hi Billy,

    There was a pretty similar post to this yesterday... not sure if it is the answer to your particular problem but...

    http://social.msdn.microsoft.com/Forums/en-US/sharepointadmin/thread/31fa9ee6-a399-405e-9b06-2567da1933f8

    Is your site a publishing site, and is your master page checked in and published?

    Paul.
    17 Mart 2010 Çarşamba 16:45
  • OK in the Diagnostic Logging... which Category should I set and what should I set the "Least critical event to report to the event log " & "Least critical event to report to the trace log" to?

    Reseting IIS right now isn't really an option :(

    As for IIS logs... Here is what I am seeing (Please note I did do a little scrubing to keep private information out of it):

    2010-03-17 15:43:25 W3SVC1034295614 SERVERNAME1 127.0.0.1 GET /sdm/mitis/webrpt/KBSrvc - 443 domain\username 1.1.1.1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022;+InfoPath.2) WSS_KeepSessionAuthenticated=443;+previousLoggedInAs=DOMAIN+AFw-USERNAME;+loginAsDifferentAttemptCount=1;+MSOWebPartPage_AnonymousAccessCookie=443 - my.domain.com 200 0 0 459 702 46
    2010-03-17 15:43:26 W3SVC1034295614 SERVERNAME1 127.0.0.1 GET /sdm/mitis/webrpt/KBSrvc/default.aspx - 443 domain\username 1.1.1.1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022;+InfoPath.2) WSS_KeepSessionAuthenticated=443;+previousLoggedInAs=DOMAIN+AFw-USERNAME;+loginAsDifferentAttemptCount=1;+MSOWebPartPage_AnonymousAccessCookie=443 - my.domain.com 302 0 0 1013 469 1672
    2010-03-17 15:43:26 W3SVC1034295614 SERVERNAME1 127.0.0.1 GET /sdm/mitis/webrpt/KBSrvc/_layouts/AccessDenied.aspx Source=https%3A%2F%2Fmy%2Edomain%2Ecom%2Fsdm%2Fmitis%2Fwebrpt%2FKBSrvc%2Fdefault%2Easpx&Type=list&name=%7BE7BD7961%2DA280%2D490E%2DB1A1%2DE59A90E38928%7D 443 domain\username 1.1.1.1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022;+InfoPath.2) loginAsDifferentAttemptCount=0;+WSS_KeepSessionAuthenticated=443;+previousLoggedInAs=DOMAIN+AFw-USERNAME;+loginAsDifferentAttemptCount=1;+MSOWebPartPage_AnonymousAccessCookie=443 - my.domain.com 200 0 0 7714 669 31


    Only part there I see a little questionable is where it says:

    ;+previousLoggedInAs=DOMAIN+AFw-USERNAME;

    Where is it getting the +AFw- part?  Is that normal?  I have checked again and DOMAIN\username has contributor access.  I have even added them to the owner's group.  I am just not seeing why they are getting denied.

    We are using AD with NTLM authentication.  The user has tried both FireFox & IE 6 ....  I am just really confused about what the issue might be.

    Now one thing I did notice about this user and the other user reporting the same issue is, I have just an AD account.  They have a AD Account & a contact entry in AD.  So they have a DOMAIN\username account plus a username contact in AD.  Could that be an issue?  I am reaching for anything at this point.
    Billy S.
    17 Mart 2010 Çarşamba 16:51
  • Site isn't a publishing site.  Just a basic Team Site.

    The master page isn't checked out or anything.

    Was just talking to one of the users and they had access last week.  Now this week they do not.

    This weekend I did install some Web Parts and restarted IIS on the WFE.  The Web Parts I installed were:

    Advanced Alert for SharePoint - http://www.codeplex.com/AdvancedAlert
    Bamboo Solutions - Calendar Plus Web Part - http://store.bamboosolutions.com/sharepoint-calendar-plus-web-part.aspx
    Employee Spotlight Web Part - http://www.synergyonline.com/blog/blog-moss/Lists/Posts/Post.aspx?ID=102
    Google Maps for SharePoint from a List - http://googlemapswebpart.codeplex.com/
    Quick Launch Extender - http://quicklaunchextender.codeplex.com/
    RSS Feed Reader - http://www.codeplex.com/FeedReader

    Those are the changes there were made this weekend.

    Other users are working just fine... Another thing, it appears both users who are having issues changed their passwords this week.  But I don't see how that could have broken things :(
    Billy S.
    17 Mart 2010 Çarşamba 17:03
  • Just a guess, but have you had the users clear their local IE cache and try again?  Sometimes IE holds onto old credentials.  Is the site trusted by the browser?  Is it set to autologin with NT ID and PW? 

    Also, I didn't see a 401 response code in the IIS Logs that you posted.  Is IIS stopping them or do they see the SharePoint page that indicates an invalid login?
    Dan Luciano - Sogeti USA - MCP, MCTS WSS 3.0 and MOSS 2007 Configuration WSS 3.0 Applicaton Development
    17 Mart 2010 Çarşamba 18:02
  • Yep users have cleared cache and cookies and everything in IE.  Still no good :(

    Had user verified and yes the SharePoint site is in their "Local intranet" zone.

    Site is set to use Integrated Authentication.

    Users are not getting an IIS Access Denied.  They are getting a SharePoint access denied.  They can access other SharePoint sites (like the root of the site) with no problems.  Just this one site they are having issues with.
    Billy S.
    17 Mart 2010 Çarşamba 18:52
  • Does the homepage contain any of the web parts that you installed on the weekend?

    If so, have you tried removing them from the page and seeing if that makes a difference?
    • Yanıt Olarak İşaretleyen Billy Strader 17 Mart 2010 Çarşamba 19:19
    17 Mart 2010 Çarşamba 19:15
  • Paul - Funny you mention that... just found an article talking about Custom Controls... and so I disabled all the web parts I added this weekend to that site they were having issues with and amazingly they can now access the site.  So with the user testing I re-enabled one web part at a time.  The web part that is breaking things is "Quick Launch Extender"... so I will be having that one removed from the system until things can be determined why it is breaking stuff.

    Thank you all for help me look into these issues.  I truely appricate it :)
    Billy S.
    17 Mart 2010 Çarşamba 19:19
  • Damn third party software! Though I must say that Quick Launch Extender does look pretty cool.
    17 Mart 2010 Çarşamba 19:30