Technology Tips and News
user cannot create a sub site even if the user has full permission.(i tried even giving full permission at the roort site)
It gives an error "Sorry, you don't have access to this page ". Only site collection administrators can create a new sub site.
The error occurs when i try to create a team site or project site but creating a new blog site doesnt have any problem.
I am using SharePoint 2013 with SP1
Can anybody help me in this
1. Check if you see something in the ULS logs
2. Check Users permission in Site settings > permissions
3. Create a new Permission level and add Create subsite option. Add user to this permission and check if you face same issue
http://office.microsoft.com/en-in/sharepoint-server-help/edit-create-and-delete-permission-levels-HA101805381.aspx
What my understanding here is, Users permission to the site has been broken, may be while creating your blog site.
In normal behavior of SharePoint it should not happen. But some time its behavior will put you in puzzle.
Anyhow, what you can do here is, just delete the user from the site and add them again with same permission.
One time it happened with me also. So, readding the user solved my problem.
Thanks,
Check Central Administration->Application Management->Manage web application->User policy for your web application to see the list of users/groups who have user policy set for a hole WA. If user can belong to any of group in that list - check permission level.
Also check User Permission in the same place - whether checkbox "Create subsites" is checked.
All permissions are checked. Here is the user policy screen. Appreciate ur quick response
I dont think that central admin steps is the problem, from the above statement earlier user was able to create sub-site(This rubeesh can confirm).
Just try my step and check.
Thanks,
The problem is not with just one user. Its for all users except site collection admins.
This is the first time any user tried to create a sub site after UPGRADE from SP 2010, last month.
Everything works fine in the test environment, which was also upgraded from 2010 using the same database.
note: Both production and test environment are having the same configuration. The only difference is that in the production i configured my site in the same site collection and in test its not configured
Let's look into deeper details:
When you try to create site, the page /_layouts/15/newsbweb.aspx is opening. I guess you can open it but there is an error on submitting. What occurs on the error in ULS log?
Yes the page /_layouts/15/newsbweb.aspx is opening. The issue is on submitting
From the Log i couldn't figure out much. It only says Could not retrieve a valid windows identity for username(This is same for all the users). But everything works fine if the user is a part of site collection administrator.
A section of the log:
2014 17:49:14.49 w3wp.exe (0x0718) 0x06FC SharePoint Foundation Claims Authentication bz7l Medium SPSecurityContext: Could not retrieve a valid windows identity for username 'AGFUND-NETWORK\Rubeesh' with UPN 'Rubeesh@agfund.net'. UPN is required when Kerberos constrained delegation is used. Exception: System.ComponentModel.Win32Exception (0x80004005): Access is denied Server stack trace: at System.ServiceModel.Channels.AppContainerInfo.RunningInAppContainer() at System.ServiceModel.Channels.AppContainerInfo.get_IsRunningInAppContainer() at System.ServiceModel.Channels.PipeSharedMemory.get_PipeName() at System.ServiceModel.Channels.PipeSharedMemory.GetPipeName(AppContainerInfo appInfo) at System.ServiceModel.Channels.PipeConnectionInitiator.GetPipeName(Uri uri, IPipeTransportFactorySettings transportFactorySettings) at System.ServiceModel.Channels.NamedPipeCo... ca138a9c-5e6c-1039-692e-76e5e7893877Interesting. At first, check whether Claims to Windows Token service is running.
And there is the similiar problem:
Claims to Windows Token service is stopped in the front end and app servers.
Even in test server this service is stopped and there i dont have any problem in creating sub site.
I have configured my site in the same web application of the site, cud this be a problem
I read through your case again. I have noticed you are upgraded from SP2010. I guess, you had classic auth in SP2010 and now you have claims auth.
1. Please try to run Claims to Windows Token service (on both front end/app servers). It costs nothing to you.
2. Have you performed a user migration using standard PowerShell script?
$wapp = Get-SPWebApplication http://<your root site here> $wapp.MigrateUsers($true)
are you using the Publishing template? then Style Resources Readers & Restricted Reader group will be there.
Make Sure both Groups have the permission with limited access and restricted read on Pages Library and Style Library.
The problem is when creating a collatbration sites like team site, project site or community site.
There is no issue when creaing publishing site, blog,document center,search center etc
Regarding ur replay
"Make Sure both Groups have the permission with limited access and restricted read on Pages Library and Style Library". I have tried this and even tried with full access, but no positive result
I have created a new site collection and the issue remains same. Only the user who has full control at web application user control can create the team site
I think the issue is related to seattle master file page.
now i cannot access the root site as http://intranet/ (gives me acces denied error)instead i have to type the complete url of home page http://intranet/SitePages/Home.aspx
Default master page is seatle.master
seattle master page inherits from master page library. I have even tried giving full access, but didn't work.
The access denied error on accessing the root site was solved by setting the key in web config file aspnet:AllowAnonymousImpersonation to false
But still the error on creating team site or project site remains same.
couple of things to test.
1) do you have a saperate web application, try to create a team site collection then try to create subsite
2) what is your main template for the root Site collection? if it is publishing, try to create a new site collection with Team Site template then test it.
then its more about the Web App level or even farm level.
try to reset the Object Cache. if it fixed fine otherwise.go for sp1 upgrade.
As you mentioned in the initial post that you are sp2013 with SP1, 1st release of SP1 having alot of issues, so i would recommend , go ahead and install the re-release version of SP1 from here.
Ooook i wil try this. The strange thing is that our test server works fine, but its single server installation.
Thankz man.
Hi Rubeesh,
Try permissioning 'everyone' read access and your timer service account 'full control' to the following list. I ran across this issue in the past and that resolved the issue.
http://{Your root site URL}/lists/taxonomyhiddenlist/AllItems.aspx
Hope this helps! Could you find an article on this but check this thread out.
thanks!
You said, "users with full control to web app can create subsite"
So it is access problem, obviously. Try again to create a subsite (from non-full control user) and watch ULS for any "Access denied" type of errors. Maybe we miss something.
Hi rubeesh,
I'm having exactly the same issue where you able to find a resolution?
I read through the proposed answers, and I once had something similar.
Let me suggest something totally different: Check "Self Service Site Creation". If it is OFF, it explains your phenomena. Users cannot create sites when it is OFF, but Admins can. Many companies set this OFF, so users don't go crazy creating a sprawl of sub-sub-sub-sites. What you need is to turn it ON.
-mrkcc
And it is only visible in the users's sites page, as shown here, No?: http://blogs.technet.com/b/speschka/archive/2012/07/27/configuring-self-service-site-creation-in-sharepoint-2013.aspx
I think this may be the root cause of the problem.
I also configured mysites on the same web application but moved to its own later, seemed this issue started around this time.
Tested with it on and off on mine with no success.
It only effects some site templates too not all.
No it is a OTB master page.
I believe I've now resolved the problem in my case.
I deleted my current mysites host and also UPS (including corresponding databases) recreated both (make sure mysites is on its own webapp). I then performed a restarted of all WFE and App servers in farm then performed a Full Profile Synchronization and finished setting up mysites in UPS.
Now a site owners can create subsites (from their subsite of the root site) with just site owner permission of that site.
No special permissions are being applied from the top level site and Self Service site creation is off.
Great ... This fixed my issue also.
Worked even without recreating UPS. just changed the my site config in the UPS to the new my site host
Yes, check the 2013 links in the vertical menu on the left, click Site Contents, scroll all the way down, and find there "+ New Subsite". You can have "Self Service Site Creation" set ON for some Site Collections and OFF for others. IE: Make sure it is ON for all Site Collections, not just one.
I have the same problem. I am troubleshooting and have some findings that may help others. To recap the problem, I have one specific site collection in which the site collection administrators can create sub sites using the "Team" site collection (Template STS#0) but other users who are members of the Owners group (and therefore have "Full Permission" cannot create sub-sites using the Team site template with a result "Sorry this site hasn't been shared with you" and the subsite does not exist.
Note that the ULS logs clearly show SharePoint successfully created the subsite and encounters an error later after applying the STS#0 template. The ULS message " Successfully applied template "STS#0" to web" clearly indicates the site was created ok and the template applied. We can therefore rule out the theory that users in the Owners group do not have enough permission ("Check User permissions...etc.") to create subsites, both because users can get to the Create Site page ok and because they can create subsites that use a different templates ok.
We can also rule out the theory that you should have Claims to Windows Token service running. This cannot be the issue -- at least in my case -- because I have two other site collections in the same farm in the same Web Application where the problem does not occur. Users who are members of the Owners group can create Team sub-sites just fine in those other site collections (and I don't have Claims to Windows Token service running).
Like you, I became suspicious of Claims Authentication because of the entry in the ULS log that rubeesh also had that says, "Claims Authentication SPSecurityContext: Could not retrieve a valid windows identity for username <then my user name appears here>".
However, that Claims Authentication ULS log entry comes only *after* the killer "Unexpected Exception attempting to ApplyWebTemplate to SPWeb"
Going back in the ULS log, it seems the first sign of trouble is the entry that says, "SharePoint Portal Server Content Following Unexpected Could not follow the url <the url of my failed subsite appears here>"
Finally, I decided there must be something wrong with my site collection. (I know, duh.) I created a new site
collection in the same farm in the same web app using the same template and the same content db as the broken site collection. I created the standard permission groups (Owners, etc.) just like the broken one, and added users including myself to that new site
collection owners group. Using this new site collection, I successfully created a subsite using my credentials and specifying the Team site template. NOTE: I did not have to delete the MySite Host or re-create my User Profile Synch. Now I am using
Metalogix Content Matrix to copy all the subsites from the broken Site Collection to the fixed site collection and will have to deal with the changed URL somehow. Hope this helps.
I faced the same issue yesterday and the below solution worked for me
Gave read access for SharePoint Taxonomy Hidden List for all authenticated users operating within the site collection.
you can find that list by browsing directly to - /Lists/TaxonomyHiddenList.
The post is old but just posting so that it helps others.
This topic is archived. No further replies will be accepted.
Other recent topics
Click here to get your free copy of Network Administrator. Over 25 plugins to make your life easier