Sarav

I am using MOSS 2007

I've created a web application that uses forms authentication. My forms authentication uses a custom membership and role provider to retrieve user information from an LDAP (Active Directory).

The forms authentication works fine, and I'm able to login to the application as any user that is in our active directory. However, whenever they enter into the site collection they get an "Access Denied" error.

Please, can anyone give me a solution as soon as possible?

Regards,

Saravanan Gajendran




Re: SharePoint - General Question and Answers and Discussion: "Access Denied" error in MOSS 2007

eteyankim

Hi, I am facing the same problem. I can use some help here too.





Janie Pumphrey

I am also working on the same problem.

I managed to fix it on my home page but I'm still working on fixing it on some of the subsites, and the admin pages.

This is what I discovered so far:

- Whenever I change the Authentication Provider settings in Central Administration, SharePoint overwrites my <authorization> element in web.config with incorrect settings. I have to manually edit the web.config to restore the correct <authorization> settings after each change to the authentication provider settings - something that will deny anonymous users but allow others.

- I also have to enable anonymous access and grant anonymous users permission to see the entire site. This can be enabled on the Authentication Provider settings page, and granted on the Site Settings > People and Groups > Site Permissions > Settings > Anonymous Access. I'm not sure why this makes a difference and I have a hunch that there's a permission somewhere else that I need to grant instead of doing this ...

Doing those two things at least gets me to the point where I don't see Access Denied immediately after signing in. I do, however, still see it on the admin pages (like /_layouts/settings.aspx, /_layouts/ManageFeatures.aspx, etc) and I still see it on some (but not all) of my subsites.

Anyway, I am still working on this and I will let you know if I get anywhere with it.






Janie Pumphrey

I found this article: http://www.simple-talk.com/dotnet/windows-forms/configuring-forms-authentication-in-sharepoint-2007/ which might help a little. The section called "Authorize the Forms-based user to access the site" seems to explain why we're getting Access Denied messages. (All of the users and permissions that we set up in SharePoint are Windows-based accounts ... SharePoint doesn't make any connection between Windows accounts and forms-based user accounts ... they are completely separate.)

Sounds like we will need to switch site collection administrators (and presumably all other permissions) to use the Forms-based user accounts instead of the Windows user accounts.

My user names don't resolve when I try it ... but I think I'm on the right track. (Does anyone know if the membership provider is involved when you click "Check Name" to resolve the user name? Do you know which method it calls?) I will keep troubleshooting my error here ... I hope you have better luck...






lchungue

Have you tried changing the policy of your webapp to add a "Webapp Administrator"? I guess this is required if your role provider isn't set correctly.

Central Admin > Application Management > Application Security > Policy for Web Application

Add Users > Select SharePoint & specific zone > Add User (should resolve here) > Pick Full Control > Finish

On a side note, I'm not quite sure there's no connection between both provider accounts. Somehow, I can access MySites of "opposite" provider users, and even detect their presence status... But for some reason, it doesn't seem to work that well, like it doesn't seem to be bidirectional.







Janie Pumphrey

lchungue, that is interesting ... I'm not sure how SharePoint determines when to make that connection between user accounts from different providers.

Good news though - I discovered why the user names weren't resolving. In my case, I couldn't resolve the user names because the Central Administration site didn't have the settings for my providers and their connection strings. When I moved those settings to machine.config instead of web.config, I could resolve user names successfully and I could change the site collection administrator to a forms-based user account using Central Admin.

(This makes sense ... since Central Admin is a separate website, it couldn't get the settings from my other web.config file.)

Then, after changing the site collection admin, I was able to sign in as that user, access my admin pages, and switch some of the permissions over to forms-based user accounts.

I might not need the anonymous access now ... I have to check that and see.

Edit: it is true, I don't need anonymous access when the permissions are set up with forms-based users and roles.






lchungue

Glad to hear it works for you now.

By the way, do you know if there's a user similar to "authenticated users" in FBA?

--
Ludovic






Janie Pumphrey

Ludovic, I think it's possible to set that up but it depends on the role provider ... what role provider are you using? If it's a custom role provider, then you could add a default role to the list that GetRolesForUser() returns (in addition to whatever other roles the user might have). Then use that default role instead of "authenticated users." If you're using a built-in role provider, is it possible to create a role or group that includes all users, in Active Directory or your database (or whatever your data source is)? That might work too.
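
The default-role approach suggested in the post above, as an added example that is not part of the original thread: a read-only custom RoleProvider whose GetRolesForUser() appends one role to every known user. The class name, the role name `AllFormsUsers` and the in-memory user table (standing in for the LDAP or database lookup) are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Security;

// Added illustration: class name, role name and the user table are hypothetical.
public class DefaultRoleProvider : RoleProvider
{
    public const string DefaultRole = "AllFormsUsers"; // assumed role name
    // Constructed sample data standing in for the LDAP or database lookup.
    private static readonly Dictionary<string, string[]> Users =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        { { "alice", new[] { "Managers" } }, { "bob", new string[0] } };

    public override string ApplicationName { get; set; }

    public override string[] GetRolesForUser(string username)
    {
        string[] stored;
        // Unknown names get no roles at all, so the default role is only
        // ever granted to accounts the backing store actually knows.
        if (username == null || !Users.TryGetValue(username, out stored)) return new string[0];
        List<string> roles = new List<string>(stored);
        if (!roles.Contains(DefaultRole)) roles.Add(DefaultRole);
        return roles.ToArray();
    }
    public override bool IsUserInRole(string username, string roleName)
    { return Array.Exists(GetRolesForUser(username), r => Same(r, roleName)); }

    public override string[] GetAllRoles()
    {
        List<string> all = new List<string>();
        all.Add(DefaultRole);
        foreach (string[] stored in Users.Values)
            foreach (string r in stored) if (!all.Contains(r)) all.Add(r);
        return all.ToArray();
    }
    // The default role must be reported as existing, or lookups by name fail.
    public override bool RoleExists(string roleName)
    { return Array.Exists(GetAllRoles(), r => Same(r, roleName)); }
    public override string[] GetUsersInRole(string roleName)
    { return Array.FindAll(new List<string>(Users.Keys).ToArray(), u => IsUserInRole(u, roleName)); }
    public override string[] FindUsersInRole(string roleName, string match)
    { return Array.FindAll(GetUsersInRole(roleName), u => u.IndexOf(match, StringComparison.OrdinalIgnoreCase) >= 0); }

    // Role management stays with the directory; this provider is read-only.
    public override void CreateRole(string r) { throw new NotSupportedException(); }
    public override bool DeleteRole(string r, bool throwOnPopulated) { throw new NotSupportedException(); }
    public override void AddUsersToRoles(string[] u, string[] r) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] u, string[] r) { throw new NotSupportedException(); }

    private static bool Same(string a, string b) { return string.Equals(a, b, StringComparison.OrdinalIgnoreCase); }
}
```

Permissions granted to the default role apply to every account the provider knows, so it should carry only what all signed-in users are meant to have.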






lchungue

Well, since I'm using the Active Directory authentication provider, I haven't supplied any role provider. On that subject by the way, what is a role provider supposed to do?






Janie Pumphrey

When you set permissions you can use either user names or roles (sample roles would be "administrators," "managers," "employees," etc.) A role provider can be used to determine which roles your users have, which can make it a little easier to manage the permissions on your site. The roles can come from a database or Active Directory or somewhere else.




David Smith (MicroStaff IT)

Two things: first, I want to make sure everyone has seen http://blogs.msdn.com/sharepoint/archive/2006/08/16/configuring-multiple-authentication-providers-for-sharepoint-2007.aspx , which outlines how to set up a single server with both Windows and Forms-based authentication.

Second, the users you get in your "Check Names" list are supplied by the provider itself. You want to make sure that your applications using FBA are configured with FBA-based users as owners/administrators. It's actually a lot easier to do this with new sites than to switch midstream, although it can be done.

If you've not created any FBA users, you'll need to use an external utility to do so (I usually cheat and use the ASP.NET Configuration utility on a website which accesses the same provider). Remember, SharePoint won't be able to "create" FBA users any better than it can create Windows accounts. Once you've got a handful of FBA users set up, head over to Central Administration and make sure the site collections you've got on FBA-enabled applications actually have FBA users as Site Collection Administrators.

Once you get the Site Collection administrators properly configured, then you should be able to get into those sites and begin adding pre-existing FBA users/roles as SharePoint users in the same vein that you add Windows-based users.







lchungue

Two other things... :)

1) What am I supposed to add as a role provider, if I'm using Active Directory as source? A security group? A distribution list?

2) I know I've tried to ask this somewhere else, but talking about FBA, has anyone noticed any problem accessing documents using an FBA account? (edit: solved)






brwalias

lchungue,

I currently have FBA working with LDAP on MOSS; however, I only access individuals in a container and can't figure out how to access groups. Our prod is managed by groups. I need to figure out how to manage groups.





lchungue

Well, I'm certainly not the one who can help you effectively since I too have problems with groups... actually not with my FBA, but with my IWA zone.

As previously stated, the problem may come from the connection specified in web.config. Make sure the account used can access those groups, and that the connection string is "wide" enough to take groups in.