MOSS Access Denied Error on Windows Authentication
Hi, I installed MOSS 2007 in my company and am setting user permissions for each site. Usually I'm using Site Actions > Site Settings > Advanced Permissions and adding a new AD user or group to the site from there. This way was working for me till yesterday. Yesterday we tried to add a single user to one of the sites. We want that user to only be able to contribute to that site, and all other sites shouldn't be accessible to him. So I added the user like always, but whenever I try to log in as him MOSS gives me Access Denied.

User Properties:
- SharePoint is using Windows Authentication not Form and NTLM.
- User is an AD user. It is under the Domain Users group.
- There are no problems finding the user from SharePoint. SharePoint resolves the user name and adds it.

Steps I tried:
- Strange thing is the user can open Site Settings of the site but not the site itself.
- I can log in as Administrator or as a regular user that has permissions to the parent site.
- There is no inheritance between the subsite that I'm working on and its parent. So when I add a user, it doesn't go up to the parent site.
- When I give permission to the parent site, the user is able to open the subsite. But I want to open just the subsite to the user, not the parent site or the home of SharePoint.
- I tried to create a new site by adding the user to Site Owners and Members, still no luck. User can open Site Settings but not the site itself.
- I looked at all the Master Page and Style galleries to see if there were some missing permissions and also tried to give permissions on those galleries to that user only. Didn't work.
- I looked at Event Viewer, no errors.

Can anyone think of a solution for this situation?

Can Atuf Kansu
February 3rd, 2010 11:05pm

Hi,

When you select the Windows authentication type, under IIS Authentication settings, you need to select Integrated Windows authentication or Basic authentication. When you select the Integrated Windows authentication option, you can set Negotiate (Kerberos) or NTLM. In other words, Basic, Kerberos (Integrated Windows) and NTLM (Integrated Windows) all belong to the Windows authentication method. From your post, SharePoint is using Windows Authentication not Form and NTLM. It seems that you use Negotiate (Kerberos). Is that right?

By default, permissions on lists, libraries, folders, items, and documents are inherited from the parent site. If you want to grant a user a unique permission for your subsite, you can break this inheritance for any securable object at a lower level in the hierarchy by editing the permissions on that securable object (that is, creating a unique permission assignment). For example, you can edit the permissions for a document library, which breaks the permissions inheritance from the site.

For more information about SharePoint page level permissions, please refer to the following article:
SharePoint : page level permissions
http://blogs.msdn.com/brettrobinson/archive/2009/04/24/sharepoint-page-level-permissions.aspx

For more information about authentication methods, please refer to the following article:
Plan authentication methods (Windows SharePoint Services)
http://technet.microsoft.com/en-us/library/cc288475.aspx

Hope this helps.

Rock Wang
Rock Wang MSFT
February 5th, 2010 8:42am

Thanks for the reply,

As you understood correctly, I'm using Windows Authentication, but I'm using NTLM rather than Kerberos. As you explained, I'm using the same strategy for giving unique permissions for subsites. This was working for me till I got this situation. Right now, even if I break the inheritance and add a domain user who is in an AD group that doesn't have any rights in the SharePoint site collection, SharePoint adds the user, but when I try to log in as him it says access denied. The strange thing is that when I'm on the site settings page and log in as that user SharePoint accepts that, but when I try to open the site itself it says access denied.

- Another thing that I found out is that when I give permission to the parent site that has that subsite, it gives access, but it gives access to all subsites under that parent site. So that still isn't what I intended to do.
- So to wrap up, I just want to give a user access to one subsite in the site collection and nothing more. That user isn't in any of the SharePoint groups in the site collection.
- By giving a direct link to the user, the user will be able to open that subsite and the document library in that subsite and nothing more.

Thanks,
Can Atuf Kansu
February 6th, 2010 8:23pm

1) If inheritance is broken on the sub-sites, then there's no way that user could access it just by adding to the parent. The fact you twice said this has happened leads me to believe there is a major mistake somewhere. Giving the user rights to the parent in no way can give the user rights to a subsite with broken inheritance unless you made the user a Site Collection Administrator _OR_ if you gave that user rights in Central Admin under Web Application Policy.

2) The fact he can get to site settings of the subsite means he DOES have rights. You keep referring to not being able to "open the site," but site settings is just one page of many on the site, so the user definitely can open the site. The question is... where on the site are you trying to go when getting Access Denied? Which page? Is it the same for all pages on that sub-site?

3) Check your Web App Policy in Central Admin to see if anything has been set there, because those permissions supersede all permissions inside that web application no matter what you see on the sites themselves.

SharePoint Architect || My Blog
March 1st, 2010 12:23am

Do you have any content query web parts on the page? If so, then that may be throwing the error (reading from somewhere else in the collection).
March 1st, 2010 1:14am

Sounds like the access denied is coming from a data source on the page, more likely the master page if it's happening on multiple pages. I suspect it's a control. Could even be the site map data source. When we isolate a subweb, I always have to add the user to the rootweb as a viewer for it to work. Don't know why. Haven't bothered to investigate the missing piece but it works.

Although if I read your post right, you have some subwebs that inherit and others that don't. It's true, all subwebs that inherit would also give access to the user you add on the root web. We avoided this problem by isolating ALL subwebs from the root web.

Oh well. Analyze the page that's throwing and look for all data accesses including the ones on the master page.

Brian Bedard, MCTS - pioneeringsharepoint.blogspot.com - Twitter:@tigertoy
March 1st, 2010 2:37am

Yeah, Brian/Tiffany, it has to be something like that in terms of access denied, but that doesn't explain how a user could magically get sub-site access when being added to the top-level and inheritance is broken. I think there are multiple issues going on.

SharePoint Architect || My Blog
March 1st, 2010 2:40am

Can,

I have also had instances like what Brian and Tiffiny had described, with a data source reference on the main page that touched another site that the user did not have access to. It didn't security trim the control, just threw an Access Denied. To test this, create a blank article page in the site that is causing issues and have the user try accessing the page directly from a link. If he has access to this blank page, then there is something throwing a red flag on the default.aspx page for the site. All the permissions will look fine to the sub site, yet it is at page rendering where the Access Denied is being thrown.

"...When I give permission to the parent site, the user is able to open the subsite. But I want to open just the subsite to the user, not the parent site or the home of SharePoint."

If a sub site is no longer inheriting permissions from the parent, when you add a user to the parent, the permissions should not be propagating down to the child site. Are you sure this is the case?

Or have you solved the problem by now?
March 1st, 2010 6:58am

Thanks everyone, I solved the issue. Actually the problem was that we deleted some of the default groups in SharePoint. That's why users who are not in the members group can't access the sites: they don't have limited access to site resources like styles and images in customizations. We ended up creating a SharePoint group named External Users and gave that group all the limited access permissions to site resources. Now it is working fine. Thanks for your replies.

Can
Can Atuf Kansu
April 6th, 2010 5:29pm
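
An added example, not code posted by anyone in this thread: a PowerShell script against the SharePoint 2007 server object model that prints what the replies and the resolution point to, namely the web application policy, the site collection administrators, and the role assignments and effective permissions of one account on both the root web and the isolated subsite. The URL, subsite path and login are placeholders, and it assumes PowerShell 2.0 or later running on a farm server under an account with farm rights.

```powershell
# Added diagnostic example (PowerShell 2.0+, run on a MOSS 2007 farm server).
# $siteUrl, $subWebPath and $login are placeholders, not values from the thread.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$siteUrl    = "http://moss.example.local"   # site collection root (placeholder)
$subWebPath = "projects/isolated"           # site-relative URL of the subsite (placeholder)
$login      = "EXAMPLE\jdoe"                # account that receives Access Denied (placeholder)

function Show-WebAccess($web, $login) {
    "--- {0}" -f $web.Url
    "Unique role assignments: {0}" -f $web.HasUniqueRoleAssignments
    # Every principal with an assignment on this web and its permission levels,
    # which is where a missing or present "Limited Access" entry shows up.
    foreach ($ra in $web.RoleAssignments) {
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        "  {0}: {1}" -f $ra.Member.Name, $levels
    }
    # Effective rights for the account, including rights gained through groups.
    try {
        "Effective permissions for {0}: {1}" -f $login, $web.GetUserEffectivePermissions($login)
    } catch {
        "Effective permissions for {0}: lookup failed ({1})" -f $login, $_.Exception.Message
    }
}

$site = New-Object Microsoft.SharePoint.SPSite($siteUrl)
try {
    # Web application policy applies regardless of what the sites themselves show.
    foreach ($policy in $site.WebApplication.Policies) {
        $roles = ($policy.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", "
        "Web app policy: {0} -> {1}" -f $policy.UserName, $roles
    }
    # Site collection administrators are not limited by broken inheritance.
    foreach ($admin in $site.RootWeb.SiteAdministrators) {
        "Site collection admin: {0}" -f $admin.LoginName
    }
    # Root web first: the resolution above traced the error to missing limited
    # access on shared site resources rather than on the subsite itself.
    Show-WebAccess $site.RootWeb $login
    $subWeb = $site.OpenWeb($subWebPath)
    try { Show-WebAccess $subWeb $login } finally { $subWeb.Dispose() }
} finally {
    $site.Dispose()   # also releases RootWeb
}
```

An account that shows rights on the subsite but an empty effective permission set on the root web matches the situation described in the final post.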

This topic is archived. No further replies will be accepted.
