Access Denied to Web Application

  • Question

  • Hello.  My organisation had Windows SharePoint Services 3.0 (WSS 3.0) running on Server 2003 R2 Standard.  The installation used SharePoint databases on another Server 2003 R2 Standard server running SQL Server 2005.  I created a new server running Server 2012 R2 Standard, SQL Server 2008 Express R2 and SharePoint Foundation 2010 SP2.  To make a long story short, I managed to migrate the WSS 3.0 to this new server.  Everything was working fine.  

    I backed up the SharePoint Foundation 2010 databases and SharePoint Foundation 2010 SP2 itself.  I then removed SharePoint Foundation 2010 SP2.

    I installed SQL Server 2014 SP1 and SharePoint Foundation 2013 SP1.  I now have SharePoint Foundation 2013 SP1 pointing to databases on SQL Server 2014 SP1.  When I try to browse to http://servername or http://servername/default.aspx, both of which worked with SharePoint Foundation 2010, I receive an Access Denied message.  I get this locally on the server with my domain administrator account, and when I try to browse to it from my workstation using my regular domain user account.  I have reviewed logs, searched the web, etc., etc., etc., but I am not able to resolve this.  If you have any insights or troubleshooting strategies on this, please share them with me.  Thanks.


    Friday, March 4, 2016 5:51 PM

Answers

  • The original Access Denied message was due to the fact that the web application being migrated from SharePoint Foundation 2010 used classic authentication rather than claims authentication.  By default, SharePoint Foundation 2013 uses claims authentication.  The solution was to delete the existing web application in SharePoint Foundation 2013, and to replace it with one that used classic authentication.  The following web site was used as a guide for doing  that.

    http://community.bamboosolutions.com/blogs/sharepoint-2013/archive/2013/02/05/create-web-applications-that-use-classic-mode-authentication-in-sharepoint-2013-with-windows-powershell.aspx

    The File not Found message that then appeared was due to a corrupted v4.master page.  A new web application was created, and the v4.master used by it was copied to a temporary folder.  SharePoint Designer was then used to import the v4.master into the web application using classic authentication.  The content then displayed properly on the pages.

    • Marked as answer by skisdsupport Wednesday, March 16, 2016 9:40 PM
    Wednesday, March 16, 2016 9:39 PM
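
As an added illustration that is not part of the thread or of any poster's script: a PowerShell check for the mismatch the answer describes, listing policy and object-cache accounts whose encoding (`DOMAIN\user` versus `i:0#.w|DOMAIN\user`) does not match the web application's authentication mode. The function name `Test-IdentityFormat`, the regular expression and the `http://servername` URL are assumptions, and the sample accounts are constructed.

```powershell
# Added example, not from the thread. Flags accounts whose encoding does not
# match the authentication mode of the web application they are used in.
function Test-IdentityFormat {
    param(
        [Parameter(Mandatory)] [bool]     $UseClaims,
        [Parameter(Mandatory)] [string[]] $Accounts
    )
    # Heuristic (assumption): encoded claims look like i:0#.w|DOMAIN\user
    $claimsPattern = '^[ic]:0..[a-z]\|'
    foreach ($a in $Accounts) {
        $isClaim = $a -match $claimsPattern
        [pscustomobject]@{
            Account  = $a
            Encoding = if ($isClaim) { 'claims' } else { 'classic' }
            Mismatch = ($isClaim -ne $UseClaims)
        }
    }
}

# Constructed sample: claims-mode web application, one classic-format entry.
$sample = 'i:0#.w|MYdomain\MYsuperuser', 'MYdomain\MYsuperreader'
Test-IdentityFormat -UseClaims $true -Accounts $sample | Format-Table -AutoSize

# On a SharePoint server, run the same check against a live web application.
if (Get-Command Get-SPWebApplication -ErrorAction SilentlyContinue) {
    $wa = Get-SPWebApplication 'http://servername'   # placeholder URL
    Write-Host "Claims authentication: $($wa.UseClaimsAuthentication)"
    # Web application policy entries plus the two object-cache accounts
    $accounts = @($wa.Policy | ForEach-Object { $_.UserName }) +
                @($wa.Properties['portalsuperuseraccount'],
                  $wa.Properties['portalsuperreaderaccount'])
    $accounts = @($accounts | Where-Object { $_ })
    if ($accounts) {
        Test-IdentityFormat -UseClaims $wa.UseClaimsAuthentication -Accounts $accounts |
            Where-Object { $_.Mismatch } | Format-Table -AutoSize
    }
}
```

Outside the SharePoint Management Shell only the constructed sample is evaluated; the live section is skipped when the SharePoint cmdlets are not loaded.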

All replies

  • Hi,

    I assume your web application in 2010 is a claims-based web application.  Did you run the User Migrate script to convert all Windows users to claims? Please use the below script and run it against your web application.

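    # Account to be granted Full Control through the web application policy
    $account = "Domain\User"
    # Encode the account as a claims principal
    $account = (New-SPClaimsPrincipal -identity $account -identitytype 1).ToEncodedString()
    # URL of the web application (placeholder; replace with your own)
    $WebAppName = "http://yourwebappUrl"
    $wa = get-SPWebApplication $WebAppName
    # Add the encoded account to the Default zone policy with Full Control
    $zp = $wa.ZonePolicies("Default")
    $p = $zp.Add($account,"PSPolicy")
    $fc=$wa.PolicyRoles.GetSpecialRole("FullControl")
    $p.PolicyRoleBindings.Add($fc)
    $wa.Update()

    # Migrate the existing users to claims and push the change to the farm
    $wa.MigrateUsers($true)
    $wa.ProvisionGlobally()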

    Next, open Central Administration -> Manage Site Collections -> Change Site Collection Administrator. Make sure you type in your admin account against the site collection you just upgraded.  You also have to perform a Visual Upgrade of the sites in the content database.

    https://technet.microsoft.com/en-us/library/ff607998%28v=office.14%29.aspx

    Then please create and assign the SharePoint cache accounts CacheSuperAdmin and CacheSuperReader.

    https://technet.microsoft.com/en-us/library/ff758656%28v=office.14%29.aspx

    Perform an IISRESET and test again.  Best of luck.


    Jerry Yasir - Office Server & Services MVP/MCT Hewlett Packard Enterprise - If this reply helped you resolve your issue, please propose as answer. It may help other community members. Thanks!

    Friday, March 4, 2016 7:09 PM
  • Hello Jerry. Thank you very much for the prompt response.  That is greatly appreciated.

    The web application that existed in SharePoint Foundation 2010 used the default authentication settings.

    I have no SharePoint training, and virtually no experience with SharePoint, other than inheriting the system I described. Please explain to me how and where to run the script you provided. Once I have that taken care of, I'll address the rest of the steps you identified.  Thanks!!


    • Edited by skisdsupport Friday, March 4, 2016 7:49 PM incomplete
    Friday, March 4, 2016 7:43 PM
  • You have to run the script inside SharePoint Management Shell.

    Login to SharePoint Server as Farm Account.

    Start -> All Programs -> SharePoint 2010 Products -> Right-click on SharePoint 2010 Management Shell -> Run as Administrator.

    Copy the below script in notepad and replace yourwebappurl with Url of your web application.  Then paste it inside Management shell.

    $account = "Domain\User"
    $account = (New-SPClaimsPrincipal -identity $account -identitytype 1).ToEncodedString()
    $wa = get-SPWebApplication http://yourwebappUrl
    $zp = $wa.ZonePolicies("Default")
    $p = $zp.Add($account,"PSPolicy")
    $fc=$wa.PolicyRoles.GetSpecialRole("FullControl")
    $p.PolicyRoleBindings.Add($fc)
    $wa.Update()
    $wa.MigrateUsers($true)
    $wa.ProvisionGlobally()

    Once this is done go to next step.



    Friday, March 4, 2016 7:48 PM
  • Hi Jerry.  About a month ago, the Search functionality stopped working in the original WSS 3.0 system.  That was resolved through a support case with Microsoft.  During that support case, I was able to get Microsoft to help me develop a migration plan.   Part of that plan included backing everything up and then uninstalling SharePoint Foundation 2010 once everything was up and running in it.  Since I have removed SharePoint Foundation 2010, and installed SharePoint Foundation 2013, can I run this in the SharePoint 2013 Management Shell?  If not, please advise me on how to proceed.  Thanks again.
    Friday, March 4, 2016 8:04 PM
  • You will have to set up site crawling for your SP sites.

    Once your sites are crawled and you have a search service set up, you will be able to search.

    Friday, March 4, 2016 8:15 PM
  • Hello.  Thank you for the suggestion.  I have set up search and done a full crawl, but that made no difference.  Please let me know what you think I should try next.  Thanks!!
    Friday, March 4, 2016 8:42 PM
  • Hi skisdsupport,

    You could run the scripts in 2013 management shell directly.

    In addition, did you set your object cache users (Super User and Super Reader) properly? If not, please set them. Add them in the policy for the web app.

    Step 1: Super User should have Full Control on the web app
    Super Reader account should have Full Read on the web app

    Step 2: Then run the PowerShell below to fix it. (Make sure you use the claim identifier when running the commands below, otherwise you will get access denied again. Claim:domain\username.)

    $wa = Get-SPWebApplication -Identity "<WebApplication>"
    $wa.Properties["portalsuperuseraccount"] = "<SuperUser>"
    $wa.Properties["portalsuperreaderaccount"] = "<SuperReader>"
    $wa.Update()

    https://technet.microsoft.com/en-us/library/ff758656%28v=office.14%29.aspx

    Step 3: Reset IIS on all servers

    Please refer to the links for details:
    http://underthehood.ironworks.com/2011/05/sharepoint-2010-access-denied-for-users-that-have-full-control-on-the-site.html

    http://sharepoint.stackexchange.com/questions/87281/access-denied-from-migrated-sp2010-2013-web-app

    Best Regards,

    CY


    TechNet Community Support

    Monday, March 7, 2016 6:22 AM
  • Hello CY.  Thank you very much for the informative and well-organised response.

    I have created two ordinary domain accounts, one the Super User, and the other the Super Reader.  Through Central Administration, Application Management, Manage Web Applications, I gave the Super User account Full Control and Super Reader Full Read.

    I copied and pasted the following block of commands into an Administrative SharePoint Foundation 2013 Management Shell.  It didn't appear to do anything.

    $w = Get-SPWebApplication "http://<MYserver>/"
    $w.Properties["portalsuperuseraccount"] = "i:0#.w|MYdomain\MYsuperuser"
    $w.Properties["portalsuperreaderaccount"] = "i:0#.w|MYdomain\MYsuperreader"
    $w.Update()

    Lastly, I did an IISRESET.  After all of that, I still don't have access to the web application.  Somewhere during the troubleshooting, the Access Denied error was replaced with an HTTP 404 File not Found error.  I'm still getting that.

    I'm looking forward to hearing your suggestions on what to try next.  Thanks!!

    Monday, March 7, 2016 3:59 PM
  • I may have resolved the issue.  My SharePoint Foundation 2010 home page was at http://servername.  When I tried that in the SharePoint Foundation 2013 installation that replaced the 2010 one, I initially received Access Denied, and then, after much troubleshooting, HTTP 404 File Not Found.  For reasons I am not aware of, I can browse to http://servername/sites/MyDomainName without any errors.

    The problem now is that the content is not there.  When I used stsadm to add the content database, the operation completed successfully, but the content is simply not visible.  I am also unable to start a full crawl through STSADM.  When I try I receive a message stating "Object reference not set to an instance of an object".

    If you have any troubleshooting suggestions, please pass them onto me.  Thanks!!

    Monday, March 7, 2016 5:07 PM
  • Hi

    Check if the site collection has been restored on your new server.
    Go to Central Administration > Application Management > Click on Content Databases.
    On the right-hand side, select the newly created web application if it is not already present.

    Check the number of sites in the site collection and whether it shows the same number that you had in your restored content DB web application.

    If the newly restored content DB still shows "Current Number of Sites" as 0,
    then there might be an existing content DB ID in your SharePoint installation's configuration DB.
    Here is the workaround. First find out the Id of the sites (site collection) in the [restored_db].Sites, then delete the line in the [Config_db].SiteMap with the same Id. Now attach the content_db and you should see the sites.
    Or what you can do is change the ID inside the [config_db].SiteMap to something else, maybe change a number.

    Wednesday, March 16, 2016 9:17 AM
  • Have you finished upgrading from classic to claims? If not then you should strongly consider it.

    Whilst you can, in theory, run in classic authentication mode it's not a supported state and you will find various other components such as OWA will fail.

    The 'Access denied' stuff is typically seen when someone makes a mistake migrating from 2010 classic to 2013 claims but it is generally fixable.
    Wednesday, March 16, 2016 9:58 PM