Today, I was tasked with picking up a bottle of Frank’s RedHot Sauce for supper. Once I entered the grocery store, I began scanning the large hanging boards that list the 6-8 types of items found in each aisle. My previous shopping experience lead me to look for the hot sauce near the ketchup and I know that ketchup is usually classified as a condiment. Unfortunately, I could not see “Condiments” on any of those large hanging boards. I did, however, see “Mexican” on one of the signs and thinking that perhaps hot sauce wasn’t far from salsa (they are both spicy), I ventured down that aisle. Alas, no hot sauce. Read more
To recap: The prerequisites install fine, SharePoint Setup runs, and then seemingly at the last step, it fails with:
osiserver.msi: “SharePoint Server 2013 encountered an error during setup”, Error Code 1603
Unsatisfied with the workarounds (read MSIBreak or the ORCA tool or changing the number of processors), and after having updated Windows with the latest patches, I called Microsoft and worked for weeks with their engineers at diagnosing the root issue of the problem, which for us was:
The SharePoint ArpWrite action (registering SharePoint 2013 as installed in the registry) attempted to access a missing registry key at HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer
So to resolve this, we wrote the following PowerShell script (run as Administrator):
New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer | Out-Null
$regProps = Get-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer -Name logging -Value voicewarmup -PropertyType String | Out-Null
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer -Name debug -Value 3 -PropertyType DWord | Out-Null
And much to our shock, the installation succeeded!
Hopefully, this article can help anyone else out there with this problem until Microsoft publishes a fix or an updated installer.
In software development, we’re often required to make predictions about the future with little information. Read more
In this post, I will finish off the definitions of the different principles and then we can move on from there to venture more in-depth about ECM governance. Read more
Software is meant to evolve. As a consultant, I see many organizations that don’t fully consider this when planning and building systems. This has a negative effect on the quality of a solution and can even hold us back, leaving process stagnant and the business vulnerable for competition to disrupt. Read more
At DevFacto, we utilize the enterprise social networking tool, Yammer, on a daily basis. It is a great means to share information and to socialize with everyone in the company, regardless if they are working at a client site, in another city, or just down the hall. While we often post random but relevant (or sometimes irrelevant but highly entertaining) articles or links, every now and then we get into a great company-wide debate that deserves to be shared: Read more
“ACCESS DENIED 401.5” – On first load, canceling the prompt shows “401 ACCESS DENIED” but you can refresh the page and it works fine without any future prompt until app pool recycle.
I recently had the misfortune of trying to resolve an access denied issue in SharePoint 2007 running on a Windows 2008 OS, which means IIS 7.5 as the web host platform. The other web front end which was Windows 2003 with IIS 6 was working fine (don’t get me started on why they decided to mix and match the load balanced front end OS and IIS versions).
Typically, getting an access denied issue on an anonymous site can mean one of the following:
- You didn’t further enable anonymous access for the target web application zone.
- Your bindings in IIS are set up incorrectly and you’re still navigating to the authorization required zone.
- You didn’t enable anonymous access permissions at the site collection level.
All of these are addressed by this TechNet article.
For the more advanced issues:
- You set up restrictive anonymous access permissions at the web application policy level.
- Central Admin>Application Management>Policy for Web Application
- From the left most navigation (Quick nav area) there is a “See Also”. In there you will see “Change Anonymous Access Permission Policy” where you can block access to ‘anonymous’ despite granting it in the site collection level.
- You’re experiencing ACL issues for the anonymous access account (and IIS issue), this is usually accompanied by a 401.3 ACCESS DENIED and you actually get to see the access denied SharePoint page.
- In this instance, you can use the failed request tracking provided by IIS to debug file access issues.
- You can use the specific list ID or file ID from the query string on the access denied page to determine which library you need access to.
- You have required files checked out or otherwise not checked in to a major version and published.
- When editing the page under the Tools menu you will find Check for unpublished items. This report can help you find items not published which may be affecting anonymous access. This tool can help you find any images or css files that are failing authorization causing multiple prompts for login while still being able to access the page.
- There is also a report from the manage content and structure page which can help identify unpublished items in the site collection: http://servername/_layouts/sitemanager.aspx?rptmode=3″>http://servername/_layouts/sitemanager.aspx?rptmode=3
- You’ve selected the wrong caching profile in the object cache settings (located in site settings). It should be set for public anonymous if your site is a published internet page.
- If you’ve landed here and you were looking for a SharePoint 2010 problem where even site collection administrators are getting the access denied SharePoint page, you may have forgotten to configure your super reader and super user accounts for publishing portals…
- If you’re using windows auth make sure the super reader user as a policy defined at the web app policy level that grants full read.
- If you’re using Claims Authentication and you are getting Access Denied for Site Collection Administrators, you need to set the portal super reader and portal super user accounts to use their respective claims identities instead of the windows domain account format – click here.
And finally, the one which cost me two and a half days trying to locate and debug and ultimately spawned this blog post…
You are getting a “401 ACCESS DENIED” blank white screen, your IIS logs are reporting 401.5 errors, failed request tracing is returning nothing, event logs are returning nothing, and even the ULS log is returning nothing usable other than just saying “ACCESS DENIED”.
More specifically, I found the following set of entries:
General 8xfr Verbose PermissionMask check failed. asking for 0x00010000, have 0x00000000 General 8xfr Verbose PermissionMask check failed. asking for 0x46871000, have 0x00030041 General 8kh7 High Access denied.
I asked Google many different ways and read almost a hundred blog posts, stack over flow questions, and forum posts:
- Access denied on first load only
- Access denied 401.5 sharepoint 2007
- Access denied anonymous sharepoint 2007 iis 7
- Access denied anonymous output cache
- Access denied anonymous 401.5 “sharepoint”
- Anonymous 401.5 sharepoint IIS 7.5
Sadly none of them worked for me.
My issue turned out to be a very deep web.config file configuration issue, someone changed something on the server (I have no idea why… and isn’t it always those mystery changes people made but never recorded that get you?)
I found this forum post.
I would have loved to have known how they came to that conclusion to set batch debug compilation to off.
The issue was that the web.config had:
<compilation batch="true" debug="true">
The reason why it was getting access denied on the first load of the page for anonymous users was some-how related to how the initial compile was run, and having that
batch="true" was causing the problem.
To fix my issue, changed
batch="false". However this could also be caused by the entry missing the value settings, as they default to
I hope you find this post helpful in diagnosing and fixing anonymous access denied issues in SharePoint 2007.
Although I might add to this, even though it fixed the issue it didn’t fix it “the right way”.
Batch compilation is designed to help IIS / ASP.NET save time and cache the compilation results, as outlined here.
So the real problem would be more related to the fact that their organization has potentially made a security change which causes the account that pre-compiles the pages to lose access to a required directory. Unfortunately even when using process monitor, I wasn’t able to catch any access denied issues, so sadly the real problem eludes me. I’m sure if I had more time to sit down and dig through all of their group policy settings I could find out how it came to be broken.
Originally posted by DevFacto Microsoft Certified Master, Kevin Cole, at SPDev.Info()
I’ve occasionally come across developers who believe that the use of design patterns overcomplicates systems and results in code that is harder to understand. Read more