none
Sharepoint 2010 - Access Denied to root site - can load default.aspx fine though

    Question

  • I am a new Sharepoint Admin and have quickly run into a brick wall with the environment I have inherited here.  We have a Sharepoint 2010 Server using Claims Authentication.  We have internal Windows users and external AspNet users outside our organization.  This has been up and running fine for over a year before i got here.  All of a sudden earlier this week, no one could get to the site (ex. extranet.company.com).  They would get greeted with the login screen as usual, but once they authenticated, they are given an 'Error: Access Denied' by Sharepoint.  More specifically, they get this URL: Name=Request (GET:http://extranet.company.com:80/_layouts/AccessDenied.aspx?Source=http%3A%2F%2Fextranet%2Ecompany%2Ecom)

    Here is a snippet of the transaction after I login from a SharePoint LogViewer I downloaded:

    • Entering monitored scope (Request (GET:http://extranet.company.com:80/_layouts/AccessDenied.aspx?Source=http%3A%2F%2Fextranet%2Ecompany%2Ecom))
    • Name=Request (GET:http://extranet.company.com:80/_layouts/AccessDenied.aspx?Source=http%3A%2F%2Fextranet%2Ecompany%2Ecom)
    • Site=/
    • Leaving Monitored Scope (Request (GET:http://extranet.company.com:80/_layouts/AccessDenied.aspx?Source=http%3A%2F%2Fextranet%2Ecompany%2Ecom)). Execution Time=70.6248978571299

     

    Even with Farm Admin or Site Collection Admin, I get the same error.  However -- anyone can simply go to extranet.company.com/default.aspx and it loads up fine after they are prompted for authentication.  They can also go to extranet.company.com/sitepages/home.aspx  (I believe this is actually the page the should seem, it essentially the same as the /default.aspx).   The root site is a basic Team Website.

    • I've scoured through all the permissions and didn't see anything missing (anonymous is disabled on this site)
    • I did a default.aspx?contents=1 and tried disaabling the 3 webapps on the page and still got access denied when I tried to load the root site
    • Rebooted server
    • Adjusted the SuperUser account from the default Local System account to a domain account with Full Control over the webapp (i verified I used the correct syntax on the account name since I am using Claims based)
    • I've poked around in Designer and didn't see any files checked out.  None of the site files have been modified in over a year.

    I am almost tempted to delete the extranet.company.com WebApp and recreate it but I don't know the implications.

    Is there anything I am missing?  Something in IIS I should be looking for?  Thanks in advance if you made is this far.  I am very new to this job and already I won't let this issue go.  The users aren't dead in the water, if they use a bookmark to the actual sitepages/home.aspx they are fine.  It would just be nice to be able to use the normal extranet.company.com URL again. 

    Thursday, August 18, 2011 12:14 PM

Answers

  • I think I may have stumbled upon a fix.  For the hell of it, I enabled anonymous authentication on the problem root app.  I then noticed I was able to login correctly.  I then went back into the webapp and removed the anonymous access setting and was still able to get into the site without having to specify a sitepages/home.aspx in the URL.  So I think I am fine now -- not quite sure why toggling that fixed anything?  Should I be concerned or chalk it up to a fluke and move on?

     

    Thanks again to everything that took the time to respond, I appreciate it.

    • Marked as answer by cmille34 Monday, August 22, 2011 12:34 PM
    Friday, August 19, 2011 3:02 PM

All replies

  • This does not sound like a permission issue since you can access the pages directly. The above log snippet lacks the actual exception (try with ULS logviewer and search for a correlation if you have one). If you have made changes either to central admin (ex. alternate access mapping) or to some files (ex. deleted a page that was marked as home) or changed the redirection page (after login) or made changes to IIS (should not), you are likely to end up with similar problems.
    AK
    Thursday, August 18, 2011 2:00 PM
  • Thanks for the quick reply!

     

    I downloaded a different application (ULS Viewer) from CodePlex and here is more of the log from my attempt to log into the root site:

    08/18/2011 10:04:36.76 w3wp.exe (0x14BC) 0x15D8 SharePoint Foundation Monitoring nasq Medium Entering monitored scope (Request (GET:http://extranet.company.com:80/)) 
    08/18/2011 10:04:36.76 w3wp.exe (0x14BC) 0x15D8 SharePoint Foundation Logging Correlation Data xmnv Medium Name=Request (GET:http://extranet.company.com:80/) ec68be3a-a39b-4fab-b789-499310eb0512
    08/18/2011 10:04:36.76 w3wp.exe (0x14BC) 0x15D8 SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Request (GET:http://extranet.company.com:80/)). Execution Time=2.54361937061833 ec68be3a-a39b-4fab-b789-499310eb0512
    08/18/2011 10:04:36.78 w3wp.exe (0x14BC) 0x15D8 SharePoint Foundation Logging Correlation Data xmnv Medium Site=/ 
    08/18/2011 10:04:36.78 w3wp.exe (0x14BC) 0x15D8 SharePoint Foundation Monitoring nasq Medium Entering monitored scope (Request (GET:http://extranet.company.com:80/_layouts/AccessDenied.aspx?Source=http%3A%2F%2Fextranet%2Elce%2Ecom)) 
    08/18/2011 10:04:36.78 w3wp.exe (0x14BC) 0x15D8 SharePoint Foundation Logging Correlation Data xmnv Medium Name=Request (GET:http://extranet.company.com:80/_layouts/AccessDenied.aspx?Source=http%3A%2F%2Fextranet%2Elce%2Ecom) 77c1520c-af37-4b07-ac7d-ff9263a60c26
    08/18/2011 10:04:36.79 w3wp.exe (0x14BC) 0x15D8 SharePoint Foundation Logging Correlation Data xmnv Medium Site=/ 77c1520c-af37-4b07-ac7d-ff9263a60c26
    08/18/2011 10:04:36.81 w3wp.exe (0x14BC) 0x15D8 SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Request (GET:http://extranet.company.com:80/_layouts/AccessDenied.aspx?Source=http%3A%2F%2Fextranet%2Elce%2Ecom)). Execution Time=17.8447260755208 77c1520c-af37-4b07-ac7d-ff9263a60c26
    08/18/2011 10:04:37.81 w3wp.exe (0x1738) 0x12FC SharePoint Foundation Topology e5mc Medium WcfSendRequest: RemoteAddress: 'http://lcespx01:32843/8d53cad091b344fc8696e449b06f15d3/MetadataWebService.svc' Channel: 'Microsoft.SharePoint.Taxonomy.IMetadataWebServiceApplication' Action: 'http://schemas.microsoft.com/sharepoint/taxonomy/soap/IDataAccessReadOnly/GetChanges' MessageId: 'urn:uuid:de19942a-6836-4818-b732-471f12e6449a' 
    08/18/2011 10:04:37.81 w3wp.exe (0x01E8) 0x0AF4 SharePoint Foundation Topology e5mb Medium WcfReceiveRequest: LocalAddress: 'http://lcespx01.company.com:32843/8d53cad091b344fc8696e449b06f15d3/MetadataWebService.svc' Channel: 'System.ServiceModel.Channels.ServiceChannel' Action: 'http://schemas.microsoft.com/sharepoint/taxonomy/soap/IDataAccessReadOnly/GetChanges' MessageId: 'urn:uuid:de19942a-6836-4818-b732-471f12e6449a' 071c748c-353f-4f99-9dde-2491b0a4fbac
    08/18/2011 10:04:37.81 w3wp.exe (0x01E8) 0x0AF4 SharePoint Foundation Monitoring nasq Medium Entering monitored scope (ExecuteWcfServerOperation) 071c748c-353f-4f99-9dde-2491b0a4fbac
    08/18/2011 10:04:37.81 w3wp.exe (0x01E8) 0x0AF4 SharePoint Server Taxonomy fuc5 Medium MetadataWebServiceApplication.GetChanges called on 'Managed Metadata Service' starting. 071c748c-353f-4f99-9dde-2491b0a4fbac
    08/18/2011 10:04:37.81 w3wp.exe (0x01E8) 0x0AF4 SharePoint Server Taxonomy fuc6 Medium MetadataWebServiceApplication.GetChanges called on 'Managed Metadata Service' completed. 071c748c-353f-4f99-9dde-2491b0a4fbac
    08/18/2011 10:04:37.81 w3wp.exe (0x01E8) 0x0AF4 SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (ExecuteWcfServerOperation). Execution Time=2.69056542102418 071c748c-353f-4f99-9dde-2491b0a4fbac

    The end users that have been managing this site have pretty much full control.  I got pulled into troubleshooting this yesterday.  I don't believe the end user has access to Central Admin, but they do have access to Designer and did tell us that they had been using it.  Naturally, they could offer no explanation of what they were doing in it. 

    Is there anything I can do to crank up the logging to see what object or page is generating the Access Denied? Is there somewhere I can check to see what homepage it is trying to redirect to?  As far as I know, this hasn't been touched.

    Thursday, August 18, 2011 2:15 PM
  • Another thing you could do is use Fiddler to see if a specific item on the home page is causing the trouble.  I've seen it happen before that one particular element can cause a general security problem for the whole page.

     


    --Paul Galvin, BrightStarr
      Microsoft MVP - SharePoint
      Blogging @ http://www.mstechblogs.com/paul
      Twitter @ http://www.twitter.com/pagalvin
    Thursday, August 18, 2011 2:43 PM
  • Another thing you could do is use Fiddler to see if a specific item on the home page is causing the trouble.  I've seen it happen before that one particular element can cause a general security problem for the whole page.

     


    --Paul Galvin, BrightStarr
      Microsoft MVP - SharePoint
      Blogging @ http://www.mstechblogs.com/paul
      Twitter @ http://www.twitter.com/pagalvin

    I don't see anything really in Fiddler indicating anything that it is unable to access.  Is there anywhere in Sharepoint I can go to confirm where it is redirecting to?
    Thursday, August 18, 2011 2:51 PM
  • try resetting the home page of the site to /default.aspx (or another page you can access if you will).

    Thursday, August 18, 2011 6:47 PM
  • Yes i like this idea, of Steven.

    Try to change the welcome page to another page and see if you are still getting access denied, at least like this you will know why and where to the problem coming from, so you can just solve it.

    To change the welcome page do to site actions > site settings > under look & feel there is welcome page.

     


    Mai Omar Desouki | Software Consultant | Infusion | MCP, MCTS, MCPD, MCITP, MCT Microsoft Certified Trainer & MCC Microsoft Community Contributor | Email: mai_omar_86@live.com | Blog: http://moresharepoint.wordpress.com
    Thursday, August 18, 2011 7:08 PM
  • try resetting the home page of the site to /default.aspx (or another page you can access if you will).


    I tried doing this in Sharepoint Designer as I stumbled across a similiar suggestion somewhere - I set the default.aspx as the "Homepage" but that didn't seem to help.  When I go into the Site --> Site Settings --> Look and Feel, I only get the following options:

    Look and Feel


    •Title, description, and icon
    •Quick launch
    •Top link bar
    •Tree view
    •Site theme

    Am I not in the right place?  Thanks again for all the help - I really hope we can figure this out.

    Thursday, August 18, 2011 7:17 PM
  • You do not seem to have the publishing feature enabled, so you will not see a [welcome page] item under look and feel. Also, you may have the feature [wiki page as homepage] disabled.
    Open the /sitepages/home.aspx (extranet.company.com/sitepages/home.aspx), click on Page (from the ribbon) then click Make Homepage (page actions section). That should make sure you have a pre-set homepage.
    AK
    Friday, August 19, 2011 8:10 AM
  • You do not seem to have the publishing feature enabled, so you will not see a [welcome page] item under look and feel. Also, you may have the feature [wiki page as homepage] disabled.
    Open the /sitepages/home.aspx (extranet.company.com/sitepages/home.aspx), click on Page (from the ribbon) then click Make Homepage (page actions section). That should make sure you have a pre-set homepage.
    AK


    I did this through the browser this time (I did it a couple days ago through Designer) as the Site Administrator account, it showed in the top right hand corner of the browser that it was now set as the home page.  I can browse directly to it but when I try to access the mail URL extranet.company.com, it authenicates me and then gives the access denied error still.  Any other ideas?

     

    Thanks again for all the help. 

    Friday, August 19, 2011 11:25 AM
  • I noticed on the Sharepoint server, Windows updates was run on it this past weekend and 2008 R2 SP1 was installed. It could be a coincidence that Windows updates were run and then we had this strange issue reported on Monday morning.  Just wanted to share that additional information in case it was helpful to anyone.
    Friday, August 19, 2011 12:01 PM
  • Now, what i am going to say is only for troubleshooting and not a solution but it helps to find the problem to solve it.

    In this same environment, try the following:

    Create new web app and and configure the Claims Authentication for this web app and see if it is working, try to check also if anonymous is working... 

    And see how it is going.

    If it worked, then Win 2008 SP1, has nothing to do with it, and you need to check the configuration done to the extranet web app again, step by step.


    Mai Omar Desouki | Software Consultant | Infusion | MCP, MCTS, MCPD, MCITP, MCT Microsoft Certified Trainer & MCC Microsoft Community Contributor | Email: mai_omar_86@live.com | Blog: http://moresharepoint.wordpress.com
    Friday, August 19, 2011 1:22 PM
  • Now, what i am going to say is only for troubleshooting and not a solution but it helps to find the problem to solve it.

    In this same environment, try the following:

    Create new web app and and configure the Claims Authentication for this web app and see if it is working, try to check also if anonymous is working... 

    And see how it is going.

    If it worked, then Win 2008 SP1, has nothing to do with it, and you need to check the configuration done to the extranet web app again, step by step.


    Mai Omar Desouki | Software Consultant | Infusion | MCP, MCTS, MCPD, MCITP, MCT Microsoft Certified Trainer & MCC Microsoft Community Contributor | Email: mai_omar_86@live.com | Blog: http://moresharepoint.wordpress.com


    Thanks for your help!  I did as you suggested, I created a new webapp on a different port and made it a Team Site.  It seems to work fine.  I created a new App Pool rather than re-use an existing - do you think I need to create another test one and re-use the same App Pool?

     

    Should I delete the extranet.company.com web application and simply recreate it and re-attach it to the existing content DB?  I am very hesitant to do this because I am not really familair with the implications.  Is this a last ditch effort type of thing?  Is there something else I can try?

    Friday, August 19, 2011 2:41 PM
  • I think I may have stumbled upon a fix.  For the hell of it, I enabled anonymous authentication on the problem root app.  I then noticed I was able to login correctly.  I then went back into the webapp and removed the anonymous access setting and was still able to get into the site without having to specify a sitepages/home.aspx in the URL.  So I think I am fine now -- not quite sure why toggling that fixed anything?  Should I be concerned or chalk it up to a fluke and move on?

     

    Thanks again to everything that took the time to respond, I appreciate it.

    • Marked as answer by cmille34 Monday, August 22, 2011 12:34 PM
    Friday, August 19, 2011 3:02 PM
  • I've seen something similar but this was based on that the sharepoint content DB had been moved from another server and had some page templates and features that looked at the old URL as they had been coded with the full URL instead of using AAM. 

    I tried to use Fiddler but it didn't find anything - i had to go through each features, team them off and back on until i found the issue. It was a page template looking at the old server URL.

    Alex 

    Friday, August 19, 2011 3:08 PM
  • Because Sharepoint copies the user information from Active Directory, on a one time basis, an error on this user profile will continue to misbehave.  I decided to delete the user from sharepoint entirely, re-add them to the proper groups, and it seemed to work.  The All-People link in Sharepoint 2010 is no longer visible, but you can get there by going here:

    http://<yoursite>/_layouts/people.aspx?MembershipGroupId=0&FilterField1=ContentType&FilterValue1=Person

    Monday, April 02, 2012 7:04 PM
  • I have been able to fix this by removing all "Authenticated Users" from all groups, did that for all users, too. Then I readded the authenticated users again.

    I have my Super Reader and Super User configured, but had this error. After removing users and adding them, things got fixed.

    Wednesday, April 25, 2012 6:28 PM
  • Unbelievable -- fixed my problem too.  We use forefront TMG and UAG in our enviroment and I'm convinced this is some weird workaraound to correct a mis-configuration there but I've yet to get verifcation from team which supports.   Anyway thanks very much.
    • Edited by edbob40 Wednesday, July 18, 2012 3:41 AM typo
    Wednesday, July 18, 2012 3:41 AM
  • Hi,

    I am facing same issue.

    I enabled anonymous authentication on webapp. I still see the issue. Please let me know if there are any more steps to resolve this issue.

    Regards,
    Ojas Maru (My blog)

    Friday, November 30, 2012 11:15 AM
  • This was happening for me too.  It turned out that the problem was in IIS.  We have two front end servers and 4 web apps.  Everything was fine on the first WFE, but the second WFE had misconfigured bindings.  So the Access Denied message was coming up intermittently, depending on which WFE was being hit.  I adjusted my host header file to point to the second WFE so I could see which pages were being affected.  It was only the publishing pages - but not all publishing pages were affected.  So, you could still get to other parts of the site if you entered the URL manually, but you couldn't get to the home page or any other pages in the page library.  All users were affected by the Access Denied message - regardless of their actual permissions.  So, even the site collection admin, or a user with Full Control over the entire Web App would get access denied.

    The issue came up when our SSL certificate was getting close to expiring & needed to be updated.  Everything was properly updated on the first WFE, but not so for the second WFE.  The default site had the SSL binding set for its host as well as all hosts, but the SSL certificate was not set on either of them.  The other 3 sites has no SSL set.  I removed all of the SSL bindings, added the SSL binding to the default site, this time with no host name defined, but I did set the SSL certificate.  Then I opened up a Command Prompt, went to C:\Windows\System32\inetsrv and used appcmd to set the rest of the SSL bindings.

    appcmd set site /site.name:"**insert site name here**" /+bindings.[protocol='https',bindingInformation='*:443:**insert.host.here**']

    Monday, February 04, 2013 8:39 PM