SharePoint 2013 Access denied due to permission levels

Our customer has a public web application that external users located in a trusted domain can log on to. External users should not be able to browse user information, so we created a custom Web Application permission level that denies this permission to certain AD groups.


Issue
The Web Application had functioned correctly for a long time when, all of a sudden, external users started getting access denied errors on only one site. There are a few blog posts on the net about fixing access denied errors for a whole Web Application or Site Collection, for example by checking the cache accounts. This issue was different: external users could log on to almost all sites, but not to one subsite. The user got the same error even after being granted Full Control on the Web Application.

Errors in the ULS
There weren't a lot of errors in the Event Viewer, but the ULS log led us in the right direction. We found the following Access Denied stack traces:

Access Denied for <Site>/SitePages/Home.aspx. StackTrace:
at Microsoft.SharePoint.Utilities.SPUtility.HandleAccessDenied(HttpContext context)
at Microsoft.SharePoint.Utilities.SPUtility.HandleAccessDenied(Exception ex)
at Microsoft.SharePoint.Library.SPRequest.GetGroupsDataAsSafeArray(String bstrUrl, UInt32 dwGroupsScope, String bstrValue, UInt32 dwValue, UInt32& pdwColCount, UInt32& pdwRowCount, Object& pvarDataSet)
at Microsoft.SharePoint.SPGroupCollection.InitGroups(Boolean fCustomUsers, String[] strNames, Int32[] groupIds)
at Microsoft.SharePoint.SPBaseCollection.GetEnumerator()
at Microsoft.Office.Server.Audience.AudienceManager.GetUserAudienceIDs(String accountName, SPWeb web, Boolean loadAudiences, Boolean loadSharePointGroups, Boolean loadMemberships)
at Microsoft.Office.Server.WebControls.AudienceLoader.EnsureCurrentUserAudienceIDs(Boolean needAudienceName, Boolean loadAudiences, Boolean loadMemberships, Boolean loadSharePointGroups)

and

GetUserAudienceIDs::GetUserAudienceIDs() failed in SharePoint Group membership resolution (Exception Message : Thread was being aborted. StackTrace
at System.Threading.Thread.AbortInternal()
at System.Threading.Thread.Abort(Object stateInfo)
at System.Web.HttpResponse.AbortCurrentThread()
at Microsoft.SharePoint.Utilities.SPUtility.Redirect(String url, SPRedirectFlags flags, HttpContext context, String queryString)
at Microsoft.SharePoint.Utilities.SPUtility.RedirectToAccessDeniedPage(HttpContext context)
at Microsoft.SharePoint.Utilities.SPUtility.HandleAccessDenied(HttpContext context)
at Microsoft.SharePoint.Utilities.SPUtility.HandleAccessDenied(Exception ex)
at Microsoft.SharePoint.Library.SPRequest.GetGroupsDataAsSafeArray(String bstrUrl, UInt32 dwGroupsScope, String bstrValue, UInt32 dwValue, UInt32& pdwColCount, UInt32& pdwRowCount, Object& pvarDataSet)
at Microsoft.SharePoint.SPGroupCollection.InitGroups(Boolean fCustomUsers, String[] strNames, Int32[] groupIds)
at Microsoft.SharePoint.SPBaseCollection.GetEnumerator()
at Microsoft.Office.Server.Audience.AudienceManager.GetUserAudienceIDs(String accountName, SPWeb web, Boolean loadAudiences, Boolean loadSharePointGroups, Boolean loadMemberships) . No SharePoint Group IDs will be returned.

Solution
It looked like it had something to do with audiences, which had not been configured on this site before. One possible solution is to grant external users the Browse User Information permission, which does resolve the error, but then external users are able to find other external users, so this is not a good solution.

We solved this issue by going through the locations where audiences can be used. We verified all Web Parts, but external users also got access denied on document libraries that only used default Web Parts. We then checked the site navigation and found that a site owner had added a link and enabled audience targeting on it. External users are not able to "open" the group that was added to this link, and they receive an access denied error because of it.

Make sure that when you deny the 'Browse User Information' permission to certain users or groups, no audiences are added to the site navigation or to Web Parts!
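To find such links before users hit the access denied page, the following script (an added example, not part of the original post) walks every web in a site collection and reports navigation nodes that have audience targeting set. It assumes the SharePoint snap-in is available on the server and that publishing navigation stores the audience names in the node's "Audience" property; $siteUrl is a placeholder.

```powershell
# Added example: report navigation links with audience targeting in a site collection.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-AudienceTargetedNavNodes {
    param($Node, [string]$WebUrl)
    # Assumption: publishing navigation keeps the audience list of a targeted link
    # in the node's "Audience" property (empty or missing when not targeted).
    $audience = $Node.Properties["Audience"]
    if (-not [string]::IsNullOrEmpty($audience)) {
        [PSCustomObject]@{
            Web      = $WebUrl
            Title    = $Node.Title
            Url      = $Node.Url
            Audience = $audience
        }
    }
    # Nested headings/links are stored as children of the top-level node
    foreach ($child in $Node.Children) {
        Get-AudienceTargetedNavNodes -Node $child -WebUrl $WebUrl
    }
}

$siteUrl = "http://intranet.example.local"   # placeholder: site collection to check
$site = Get-SPSite $siteUrl
try {
    foreach ($web in $site.AllWebs) {
        # Check both the top navigation bar and the quick launch of every web
        $roots = @($web.Navigation.TopNavigationBar) + @($web.Navigation.QuickLaunch)
        foreach ($root in $roots) {
            Get-AudienceTargetedNavNodes -Node $root -WebUrl $web.Url
        }
        $web.Dispose()
    }
}
finally {
    $site.Dispose()
}
```

Any row in the output is a link that users without Browse User Information cannot resolve, so either remove the audience from that link or grant the permission.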

Set SharePoint cache accounts with PowerShell

The object cache stores properties about items in SharePoint Server 2010/2013. Items in this cache are used by the publishing feature when it renders web pages. The goals of the object cache are to reduce the load on the computer on which SQL Server is running, and to improve request latency and throughput. The object cache makes its queries as one of two out-of-box user accounts: the Portal Super User and the Portal Super Reader (SharePoint cache accounts). These SharePoint cache accounts must be properly configured to ensure that the object cache works correctly. The Portal Super User account must be an account that has Full Control access to the web application. The Portal Super Reader account must be an account that has Full Read access to the web application.
http://technet.microsoft.com/en-us/library/ff758656(v=office.15).aspx

You can use the script below to grant the cache accounts the required permissions and set them on all web applications.

# Load the SharePoint cmdlets when running from a plain PowerShell console
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webapps = Get-SPWebApplication
# Claims-encoded logins of the two cache accounts (Windows claims: i:0#.w|domain\user)
$SuperUserAcc = "i:0#.w|peet\sp2013_superuser"
$SuperReaderAcc = "i:0#.w|peet\sp2013_superreader"
foreach($webapp in $webapps)
{
    [Microsoft.SharePoint.Administration.SPPolicyCollection]$policies = $webapp.Policies
    # Super User gets a Full Control user policy on the web application
    [Microsoft.SharePoint.Administration.SPPolicy]$policy = $policies.Add($SuperUserAcc, "Super User (Object Cache)")
    [Microsoft.SharePoint.Administration.SPPolicyRole]$policyRole = $webapp.PolicyRoles | where {$_.Name -eq "Full Control"}
    $policy.PolicyRoleBindings.Add($policyRole)
    # Super Reader gets a Full Read user policy on the web application
    [Microsoft.SharePoint.Administration.SPPolicy]$policy = $policies.Add($SuperReaderAcc, "Super Reader (Object Cache)")
    [Microsoft.SharePoint.Administration.SPPolicyRole]$policyRole = $webapp.PolicyRoles | where {$_.Name -eq "Full Read"}
    $policy.PolicyRoleBindings.Add($policyRole)
    # Tell the object cache which accounts to use and persist the change
    $webapp.Properties["portalsuperuseraccount"] = $SuperUserAcc
    $webapp.Properties["portalsuperreaderaccount"] = $SuperReaderAcc
    $webapp.Update()
}


The Specified user or domain group was not found

I got this error today when someone wanted to create a document set in SharePoint 2013. This small post shows a possible solution to this issue.

Scenario

A user wants to create a document set in a standard document library but faces the below error.


The specified user or domain group was not found

I went looking in the ULS logs and found a good lead. The following entries stood out:

  • UserAgent not available, file operations may not be optimized.
  • Application error when access /_layouts/15/NewDocSet.aspx, Error=Some or all identity references could not be translated.
  • Unable to write SPDistributedCache call usage entry.


Solution

I went to look at the cache accounts (Super User and Super Reader) because of the message "Unable to write SPDistributedCache call usage entry" and noticed that the super accounts were not set up correctly.


I was able to create the document set after fixing the cache accounts.
You can set the cache accounts using the PowerShell script located at http://www.sharepointfire.com/2014/03/set-sharepoint-cache-accounts-with-powershell/
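Before re-running the configuration script from the cache accounts post above, a read-only check shows which web applications actually have both accounts set and which policy role each account is bound to. This is an added example (not the original post's script) and assumes the SharePoint snap-in is available.

```powershell
# Added example: verify the object cache accounts on every web application (read-only).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-SPCacheAccounts {
    foreach ($webapp in Get-SPWebApplication) {
        # The object cache reads the accounts from these two web application properties
        $superUser   = $webapp.Properties["portalsuperuseraccount"]
        $superReader = $webapp.Properties["portalsuperreaderaccount"]

        # Find the user policy bound to each configured account (if any)
        $userPolicy   = $null
        $readerPolicy = $null
        if ($superUser)   { $userPolicy   = $webapp.Policies | Where-Object { $_.UserName -eq $superUser } }
        if ($superReader) { $readerPolicy = $webapp.Policies | Where-Object { $_.UserName -eq $superReader } }

        # Collect the role names (expected: "Full Control" and "Full Read")
        $userRoles   = @($userPolicy.PolicyRoleBindings   | ForEach-Object { $_.Name })
        $readerRoles = @($readerPolicy.PolicyRoleBindings | ForEach-Object { $_.Name })

        [PSCustomObject]@{
            WebApplication  = $webapp.Url
            SuperUser       = $superUser
            SuperUserRole   = ($userRoles -join ",")
            SuperReader     = $superReader
            SuperReaderRole = ($readerRoles -join ",")
            Configured      = [bool]($superUser -and $superReader -and
                                     ($userRoles -contains "Full Control") -and
                                     ($readerRoles -contains "Full Read"))
        }
    }
}

Test-SPCacheAccounts | Format-Table -AutoSize
```

A row with Configured = False is a web application where the object cache falls back to the application pool account, which is the state that produced the errors described above.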