The website cannot display the page @ SharePoint due to Group Policy settings

This error (The website cannot display the page) can be thrown for a number of reasons, but I’ll show the issue and solution we had after a few SharePoint 2013 installations.

Issue

We installed SharePoint 2013 correctly and verified that everything was up and running. The databases and websites were online and Central Administration was working. The only problem was the error ‘The website cannot display the page’ when browsing to our Web Applications.

We found the following errors in the ULS logging using ULSViewer.

Application error when access /SitePages/Home.aspx, Error=The given assembly name or codebase, ‘C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll’, was invalid.
at System.ServiceModel.Activation.ServiceHttpModule.BeginProcessRequest(Object sender, EventArgs e, AsyncCallback cb, Object extraData)
at System.Web.HttpApplication.AsyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

System.IO.FileLoadException: The given assembly name or codebase, ‘C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll’, was invalid.
at System.ServiceModel.Activation.ServiceHttpModule.BeginProcessRequest(Object sender, EventArgs e, AsyncCallback cb, Object extraData)
at System.Web.HttpApplication.AsyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Access Denied. Exception: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)), StackTrace:
at Microsoft.SharePoint.Library.SPRequestInternalClass.PreInitServer(String bstrAbsoluteRequestUrl, String bstrServerRelativeUrl, Int32 lZone, Guid gApplicationId, Guid gSiteId, Guid gDatabaseId, String bstrDatabaseServer, String bstrDatabaseName, String bstrDatabaseUsername, String bstrDatabasePassword, Boolean fHostHeaderIsSiteName, String bstrAppHostHeaderRedirectDomain, Boolean fAppWebRequest, String bstrAppDomain, String bstrRequestAppWebDomainId, String bstrAppSiteDomainPrefix, Int32 iDatabaseVersionMajor, Int32 iDatabaseVersionMinor, Int32 iDatabaseVersionBuild, Int32 iDatabaseVersionRevision)
at Microsoft.SharePoint.Library.SPRequest.PreInitServer(String bstrAbsoluteRequestUrl, String bstrServerRelativeUrl, Int32 lZone, Guid gApplicationId, Guid gSiteId, Guid gDatabaseId, String bstrDatabaseServer, String bstrDatabaseName, String bstrDatabaseUsername, String bstrDatabasePassword, Boolean fHostHeaderIsSiteName, String bstrAppHostHeaderRedirectDomain, Boolean fAppWebRequest, String bstrAppDomain, String bstrRequestAppWebDomainId, String bstrAppSiteDomainPrefix, Int32 iDatabaseVersionMajor, Int32 iDatabaseVersionMinor, Int32 iDatabaseVersionBuild, Int32 iDatabaseVersionRevision).

After investigation we found out that the customer controls a lot through group policies, so we compared a few policies against a working SharePoint 2013 environment.

Problem

The customer had removed the local group IIS_IUSRS from the group policy ‘Impersonate a client after authentication’ under Local Policies –> User Rights Assignment.

Central Administration was working correctly because the farm account was still present in the policy and because the farm account is a member of the local Administrators group.

Solution

We added IIS_IUSRS back to this policy and performed an IISReset. All Web Applications were up and running after the reset.
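To check this user right on a server before or after a policy change, the script below (an added example, not part of the original troubleshooting) exports the User Rights Assignment settings with secedit and reports whether IIS_IUSRS holds ‘Impersonate a client after authentication’, whose internal name is SeImpersonatePrivilege. The function name Get-UserRightHolder is hypothetical; S-1-5-32-568 is the well-known SID of the built-in IIS_IUSRS group. It assumes an elevated session and PowerShell 3.0 or later.

```powershell
# Added example: list the principals that hold a given user right and
# verify that BUILTIN\IIS_IUSRS is among the holders of SeImpersonatePrivilege.
function Get-UserRightHolder {
    param([Parameter(Mandatory)] [string] $Right)   # e.g. SeImpersonatePrivilege

    $cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the User Rights Assignment area of the security settings.
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE); run elevated." }

        # The [Privilege Rights] section holds lines such as: SeXxxPrivilege = *S-1-5-19,NAME
        $line = Get-Content -Path $cfg | Where-Object { $_ -match "^\s*$Right\s*=" }
        if (-not $line) { return }                   # the right is assigned to nobody

        foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
            $entry = $entry.Trim()
            $sid = $null; $name = $entry
            try {
                if ($entry.StartsWith('*')) {
                    # secedit writes SIDs with a leading asterisk.
                    $sid  = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
                    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } else {
                    # Otherwise the entry is an account name; resolve it to a SID.
                    $sid = (New-Object System.Security.Principal.NTAccount($entry)).Translate(
                        [System.Security.Principal.SecurityIdentifier])
                }
            } catch {
                if ($sid) { $name = '<unresolved>' }  # SID parsed but no matching account
            }
            $sidValue = $null
            if ($sid) { $sidValue = $sid.Value }
            [pscustomobject]@{ Sid = $sidValue; Name = $name }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

$iisIusrsSid = 'S-1-5-32-568'                         # well-known SID of BUILTIN\IIS_IUSRS
$holders     = @(Get-UserRightHolder -Right 'SeImpersonatePrivilege')
$holders | Format-Table -AutoSize

if ($holders.Sid -contains $iisIusrsSid) {
    Write-Output 'OK: IIS_IUSRS holds SeImpersonatePrivilege.'
} else {
    Write-Warning 'IIS_IUSRS is missing from "Impersonate a client after authentication".'
}
```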

There are currently no logon servers available to service the logon request

We restarted a domain controller and encountered the following error:

There are currently no logon servers available to service the logon request

Issue

The server booted into “safe mode” after the restart, and we could no longer log on with our domain admin accounts or connect to the DC from the member servers.

Solution

Log on to the domain controller using the DSRM credentials

Start the System Configuration (msconfig) and navigate to Boot

Deselect ‘Safe boot’

Click on Apply

Restart the server. Afterwards you can log on to the domain controller and verify that the Domain Services are running

Migrating AD groups in SharePoint 2013

This post is part 2 of the guide to moving Active Directory groups in SharePoint 2013. Microsoft added the PowerShell command Move-SPUser to migrate a user account in SharePoint 2010 and SharePoint 2013. We can leverage this command to migrate AD groups in SharePoint. We are going to need the identity claims for the groups because SharePoint 2013 uses claims authentication.

The following posts will help you get the claim and change the group name in SharePoint 2013:

  1. Get identity claim for AD groups in SharePoint 2013
  2. Migrating AD groups in SharePoint 2013
  3. Renaming an AD group in SharePoint 2013

Scenario

We have two AD groups and we want to migrate the permissions from one group to the other.

  • Domain\GroupWillBeMigrated (Full control on root site)
  • Domain\MigratedGroup (no entry in User Information List)

We first need to get the SharePoint 2013 user account and find the claims token for the group we want to migrate to.

Migrating the user

1. Get-SPUser

We are going to need the user identity from SharePoint 2013 to select the account we want to migrate from. We can use either of the following two options to get this user:

Based on displayname

$SPUser = Get-SPUser -Web https://portal.sharepointfire.com | Where-Object {$_.DisplayName -eq "peet\groupwillbemigrated"}

Based on claims token

$SPUser = Get-SPUser -Identity "c:0+.w|s-1-5-21-2519571660-2376940383-2348130139-2108" -Web https://portal.sharepointfire.com

2. Move-SPUser

The next step is to take the identity from Get-SPUser and change it to the new alias. We will need the claims token for the new account because we want to migrate the group to an identity claim and not to standard NTLM encoding. View my post about getting the identity claim for this.

We are going to use the PowerShell command Move-SPUser with the following parameters.

Move-SPUser -Identity <String1> -NewAlias <String2> -IgnoreSID

  • String1 is the variable $SPUser from step 1
  • String2 is the identity claim for the group we want to migrate to
  • We are using -IgnoreSID because we otherwise get a message saying that SID history can only be enforced in Windows authentication mode.

Move-SPUser -Identity $SPUser -NewAlias "c:0+.w|s-1-5-21-2519571660-2376940383-2348130139-2109" -IgnoreSID

If you receive the error ‘Object reference not set to an instance of an object’, you will need to grant the logged-in user Full Control on both the Permissions and Administrator tabs of the User Profile Service Application.

The SharePoint account has now been migrated to the new identity claim and the permissions are being migrated to the new group.

And we can navigate to the Home Owners group

The account information points to the correct identity claim, but the name is not correct. We will set this in part 3.
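The two steps above can be combined with a few safety checks before permissions are moved from one group to another. The script below is an added example, not code from this series: the function names ConvertTo-WindowsGroupClaim and Move-GroupPermission are hypothetical, and it assumes the claim encoding shown above (‘c:0+.w|’ followed by the lower-case group SID) and that both groups can be resolved from the SharePoint server.

```powershell
# Added example: migrate permissions between AD groups with pre-checks.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function ConvertTo-WindowsGroupClaim {
    param([Parameter(Mandatory)] [string] $GroupName)    # e.g. 'Domain\MigratedGroup'
    # Resolve the AD group to its SID and apply the encoding used in this post.
    $sid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    'c:0+.w|' + $sid.Value.ToLowerInvariant()
}

function Move-GroupPermission {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $WebUrl,
        [Parameter(Mandatory)] [string] $SourceGroup,
        [Parameter(Mandatory)] [string] $TargetGroup
    )
    $sourceClaim = ConvertTo-WindowsGroupClaim -GroupName $SourceGroup
    $targetClaim = ConvertTo-WindowsGroupClaim -GroupName $TargetGroup
    if ($sourceClaim -eq $targetClaim) { throw 'Source and target resolve to the same SID.' }

    # The source must already exist in the site; stop if it does not.
    $spUser = Get-SPUser -Identity $sourceClaim -Web $WebUrl -ErrorAction Stop
    if (-not $spUser.IsDomainGroup) { throw "$SourceGroup is not a domain group in $WebUrl." }

    # Scenario precondition: the target has no entry in the User Information List,
    # so the move cannot silently merge into permissions it already holds.
    $existing = Get-SPUser -Web $WebUrl -Limit All |
        Where-Object { $_.LoginName -eq $targetClaim }
    if ($existing) { throw "Target claim $targetClaim already has an entry in $WebUrl." }

    if ($PSCmdlet.ShouldProcess($spUser.LoginName, "Move-SPUser to $targetClaim")) {
        Move-SPUser -Identity $spUser -NewAlias $targetClaim -IgnoreSID
        # Return the migrated entry so the caller can confirm the new login name.
        Get-SPUser -Identity $targetClaim -Web $WebUrl
    }
}

# Usage with the groups from the scenario (dry run first):
# Move-GroupPermission -WebUrl 'https://portal.sharepointfire.com' `
#     -SourceGroup 'Domain\GroupWillBeMigrated' -TargetGroup 'Domain\MigratedGroup' -WhatIf
```

Run it with -WhatIf first to see which entry would be moved, then review the resulting permissions on the site after the real run.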