One fine day, I created a new site collection, with myself as site collection administrator, in one of the web applications in the Production environment, and tried to access the site from my local machine. I was redirected to the "Access Denied" page.
Well, I am the site collection administrator. Not sure why this was happening all of a sudden, I did an IISRESET on both the WFEs, thinking that this might be caused by some cache in IIS. I tried my luck again and still got the same message. Then I checked the event viewer. Below is the event viewer message:
Event Type: Error
Event Source: Office SharePoint Server
Event Category: Office Server General
Event ID: 7888
Date: 1/27/2011
Time: 10:15:07 AM
User: N/A
Computer: ITECOMP
Description:
A runtime exception was detected. Details follow.
Message: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
Techinal Details:
System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
at Microsoft.SharePoint.Utilities.SPUtility.HandleAccessDenied(Exception ex)
at Microsoft.SharePoint.SPGlobal.HandleUnauthorizedAccessException(UnauthorizedAccessException ex)
at Microsoft.SharePoint.Library.SPRequest.AddOrUpdateItem(String bstrUrl, String bstrListName, Boolean bAdd, Boolean bSystemUpdate, Boolean bPreserveItemVersion, Boolean bUpdateNoVersion, Int32& plID, String& pbstrGuid, Guid pbstrNewDocId, Boolean bHasNewDocId, String bstrVersion, Object& pvarAttachmentNames, Object& pvarAttachmentContents, Object& pvarProperties, Boolean bCheckOut, Boolean bCheckin, Boolean bMigration, Boolean bPublish)
at Microsoft.SharePoint.SPListItem.AddOrUpdateItem(Boolean bAdd, Boolean bSystem, Boolean bPreserveItemVersion, Boolean bNoVersion, Boolean bMigration, Boolean bPublish, Boolean bCheckOut, Boolean bCheckin, Guid newGuidOnAdd, Int32& ulID, Object& objAttachmentNames, Object& objAttachmentContents, Boolean suppressAfterEvents)
at Microsoft.SharePoint.SPListItem.UpdateInternal(Boolean bSystem, Boolean bPreserveItemVersion, Guid newGuidOnAdd, Boolean bMigration, Boolean bPublish, Boolean bNoVersion, Boolean bCheckOut, Boolean bCheckin, Boolean suppressAfterEvents)
at Microsoft.SharePoint.SPListItem.Update()
at Microsoft.SharePoint.Publishing.Internal.LongRunningOperationJob.<>c__DisplayClassb.b__1()
at Microsoft.Office.Server.Diagnostics.FirstChanceHandler.ExceptionFilter(Boolean fRethrowException, TryBlock tryBlock, FilterBlock filter, CatchBlock catchBlock, FinallyBlock finallyBlock)
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Then I tried accessing the existing sites. I could access those, but there were issues in the existing sites:
- Unable to activate / deactivate any of the features. When trying to Activate / De-activate it was navigating to the "Access Denied" page.
- Unable to run the OOTB SharePoint workflows.
- Unable to change the master pages. When trying to change the master pages from the Site Actions --> Modify all site settings, it was navigating to "Access Denied" page.
Then, following the threads, I even tried the following things:
dcomcnfg settings and the "Disable Loop back check" option. That still didn't resolve the issue. One of the threads suggested giving the content access account Full Control access at the web application level. I applied that setting with the following steps:
a) Go to SharePoint Central Administration
b) Under the "Application Security" section click on "Policy for web application".
c) Make sure right web application is selected from the drop down at the right side of Menu bar
d) Click on the service account that is used for content access and make sure that account has "Full Control" permissions. Click Ok.
After these operations
- No Access Denied message while accessing newly created site collections
- No Access Denied message while changing the Master pages.
- No Access Denied message while activating /deactivating any of the features.
Hence we applied this as a temporary fix. But this is the typical scenario, since all the other web applications have the content access account with "Full Read" permissions at the web application level. Something tells me this is not the right fix and there should be some permanent fix or something that needs to be rechecked.
After some days we installed Nintex on the Production environment. In all sites in other web applications users are able to use Nintex, except for this web application where I applied this temporary fix for the Access Denied issue. Users even complained that they were unable to use the simple OOTB Approval workflow in SharePoint. I checked the logs while running the workflows at that instance (Nintex). The status of the workflow said "Failed On Start" and the detailed message said "Workflow Cancelled by service SharePoint SSP account". Below is the log information from the SharePoint logs.
01/28/2011 00:07:22.16 w3wp.exe (0x1B50) 0x1458 Windows SharePoint Services Workflow Infrastructure 72fs Unexpected RunWorkflow: System.ArgumentException: Value does not fall within the expected range. at Microsoft.SharePoint.Workflow.SPWorkflowActivationProperties..ctor(SPWorkflow workflow, Int32 runAsUserId, String associationData, String initiationData) at Microsoft.SharePoint.Workflow.SPWinOEWSSService.MakeActivation(SPWorkflow workflow, SPWorkflowEvent e) at Microsoft.SharePoint.Workflow.SPWinOeEngine.RunWorkflow(Guid trackingId, SPWorkflowHostService host, SPWorkflow workflow, Collection`1 events, TimeSpan timeOut) at Microsoft.SharePoint.Workflow.SPWorkflowManager.RunWorkflowElev(SPWorkflow originalWorkflow, SPWorkflow workflow, Collection`1 events, SPRunWorkflowOptions runOptions)
01/28/2011 00:07:22.16 w3wp.exe (0x1B50) 0x1458 Windows SharePoint Services Workflow Infrastructure 98d7 Unexpected System.ArgumentException: Value does not fall within the expected range. at Microsoft.SharePoint.Workflow.SPWorkflowActivationProperties..ctor(SPWorkflow workflow, Int32 runAsUserId, String associationData, String initiationData) at Microsoft.SharePoint.Workflow.SPWinOEWSSService.MakeActivation(SPWorkflow workflow, SPWorkflowEvent e) at Microsoft.SharePoint.Workflow.SPWinOeEngine.RunWorkflow(Guid trackingId, SPWorkflowHostService host, SPWorkflow workflow, Collection`1 events, TimeSpan timeOut) at Microsoft.SharePoint.Workflow.SPWorkflowManager.RunWorkflowElev(SPWorkflow originalWorkflow, SPWorkflow workflow, Collection`1 events, SPRunWorkflowOptions runOptions)
01/28/2011 00:07:22.24 w3wp.exe (0x1B50) 0x1458 Windows SharePoint Services Database 880l Verbose ConnectionString: 'Data Source=flnshp2p-sqls.corp.pep.pvt\sqlflnshp2p,60020;Initial Catalog=FLNA_Sales_Content;Integrated Security=True;Enlist=False;Connect Timeout=15' ConnectionState: Closed ConnectionTimeout: 15
Note: Nintex was built on top of SharePoint Designer. Hence if Nintex works, SharePoint workflows work, and vice versa.
And below is the event viewer log information
Event Type: Error
Event Source: Windows SharePoint Services 3
Event Category: General
Event ID: 6875
Date: 1/18/2011
Time: 8:46:19 PM
User: N/A
Computer: PRODCOMPWFE1
Description:
Error loading and running event receiver Microsoft.Office.RecordsManagement.Internal.AuditHandler in Microsoft.Office.Policy, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c. Additional information is below.
: Transaction (Process ID 250) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: Windows SharePoint Services 3
Event Category: None
Event ID: 0
Date: 1/18/2011
Time: 8:46:58 PM
User: N/A
Computer: PRODCOMPWFE1
Description:
Nintex Workflow; Build: 11100 (http://ProdHostSite/_layouts/NintexWorkflow/preview.aspx?ListId=4aa6b188-b2c2-487b-9995-fff1a99ecc06&ItemId=2&WorkflowId=f3bace1e-d33b-4e78-87e3-040a00528ba2&mode=Runtime&InstanceId=fad57eac-e70b-4ab5-9ec3-9238ad028027)
Cannot find history for workflow with instanceId fad57eac-e70b-4ab5-9ec3-9238ad028027. It may have been removed from the database.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Problems after problems. One fix leading to another issue. Not sure what is going on in this environment. I thought this was a Nintex issue and contacted them with the above information to look for any suggestions. Finally they responded and said that this is not a Nintex issue but an environment issue, and posted the following link:
http://blog.ozippy.com/2008/02/sharepoint-2007-workflow-on-start.html. Thanks a lot to Jeremy and Rodney.
After going through this blog, I finally found the root cause for this error or issue. BINGOOOOOOOOOO.................
The issue here is that the IIS app pool account and the SharePoint app pool account are not running under the same identity. Hence I refreshed the app pool identity of the central admin with the following steps:
- Check the application pool identity of the web application from Internet Information Services Manager.
a) Log in to the WFE and click on "Start" --> "Run", then in the window type inetmgr
b) Expand "Application Pools", select the application pool that has the issue, right-click on it and click on the "Identity" tab.
c) Check the "Application Pool" identity. Below is the screen capture for reference
- Go to SharePoint Central Administration and click on the “Operations” tab. Under the “Security configuration” section click on “Service Accounts”.
- In the “Credential Management” section select “Web Application Pool”, then select “Windows SharePoint Services Web application”.
- Select “Application Pool” from the drop-down.
- Select the account as “Configurable” and give the service account and its password.
- Click OK. These steps refresh the application pool identity.
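An added example, not part of the original post: a read-only PowerShell check for the mismatch described above. It compares the identity SharePoint has stored for each web application pool with what the IIS 6 metabase holds on this WFE, and lists web application policy entries that still grant "Full Control" (the temporary fix applied earlier). It assumes MOSS 2007 on IIS 6, PowerShell 2.0 and a farm administrator session; the function name is hypothetical.

```powershell
# Added example (not from the original post). Read-only; run on each WFE as a farm administrator.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint')
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService

# IIS 6 metabase AppPoolIdentityType values.
$iisTypes = @{ 0 = 'LocalSystem'; 1 = 'LocalService'; 2 = 'NetworkService'; 3 = 'SpecificUser' }

# Hypothetical helper: compare one SharePoint application pool record with IIS on this server.
function Compare-AppPoolIdentity($spPool) {
    $path = "IIS://localhost/W3SVC/AppPools/$($spPool.Name)"
    $row = New-Object PSObject -Property @{
        Pool           = $spPool.Name
        SharePointType = $spPool.CurrentIdentityType.ToString()
        SharePointUser = $spPool.Username
        IisType        = $null
        IisUser        = $null
        Status         = 'MissingInIIS'
    }
    if ([System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        $iisPool = [ADSI]$path
        $row.IisType = $iisTypes[[int][string]$iisPool.AppPoolIdentityType]
        # WamUserName is only meaningful when the pool runs as a specific user.
        if ($row.IisType -eq 'SpecificUser') { $row.IisUser = [string]$iisPool.WamUserName }

        if ($row.IisType -ne $row.SharePointType) {
            $row.Status = 'Mismatch'
        } elseif ($row.IisType -eq 'SpecificUser' -and $row.IisUser -ne $row.SharePointUser) {
            $row.Status = 'Mismatch'     # -ne is case-insensitive, so DOMAIN\user casing is ignored
        } else {
            $row.Status = 'OK'
        }
    }
    $row
}

# 1) Identity drift between the SharePoint configuration database and IIS.
$contentService.ApplicationPools |
    ForEach-Object { Compare-AppPoolIdentity $_ } |
    Format-Table Pool, SharePointType, SharePointUser, IisType, IisUser, Status -AutoSize

# 2) Accounts holding Full Control through "Policy for web application".
foreach ($wa in $contentService.WebApplications) {
    foreach ($policy in $wa.Policies) {
        foreach ($role in $policy.PolicyRoleBindings) {
            if ($role.Type -eq [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl) {
                '{0}: {1} has Full Control via web application policy' -f $wa.Name, $policy.UserName
            }
        }
    }
}
```

A matching user name does not show that the password stored on both sides is the same; the Central Administration steps above rewrite both. Once the identity is fixed, any content access account reported by the second part can be set back to "Full Read" to match the other web applications.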
After applying these steps:
- No “Access Denied” message when changing the master pages (Which used to have before)
- No “Access Denied” message while activating and deactivating any feature
- No “Access Denied” message while accessing the newly created sites (for members, owners also for the Site Collection Administrators)
- SharePoint OOTB workflows are running without issues
- Able to Activate Nintex and use it as well
Finally, the above steps got rid of this "Access Denied" issue that I had been seeing. This made my day. In the end I would like to say Happy SharePointing.
Cheers,
Vinay.
Great write-up. I am a big believer in commenting on blogs to let the blog writers know that they’ve added something worthwhile to the world wide web! SharePoint Intranet