Thursday, March 14, 2013

SharePoint 2010 - Access Denied for Site Administrator - WTF

This can happen to anyone using claims authentication. The reason is that, by default, the Portal Super User account is the site’s System Account, and the Portal Super Reader account is NT Authority\Local Service.

(Replace domain\superuser and domain\superreader with the accounts set in CA for your Farm.)


The domain\superuser account needs a User Policy that gives it Full Control over the entire web application. To set this, perform the following steps:


  1. Go to Central Administration
  2. Go to Application Management
  3. Go to Manage Web Application
  4. Select the web application we’re talking about
  5. Click User Policy
  6. Add Users
  7. Click Next
  8. Fill in domain\superuser
  9. Select Full Control
  10. Click OK

The domain\superreader account needs a User Policy that gives it Full Read over the entire web application. To set this, perform the following steps:


  1. Go to Central Administration
  2. Go to Application Management
  3. Go to Manage Web Application
  4. Select the web application we’re talking about
  5. Click User Policy
  6. Add Users
  7. Click Next
  8. Fill in domain\superreader
  9. Select Full Read
  10. Click OK

If your web application is using claims-based authentication, the users should be displayed like i:0#.w|domain\superuser and i:0#.w|domain\superreader.



Run the following to check the current configuration:

$wa = Get-SPWebApplication "[YourWebAppHereBaby]"
$wa.Properties["portalsuperuseraccount"] 
$wa.Properties["portalsuperreaderaccount"]



If you are using classic mode authentication run the following cmdlets on one of your SharePoint servers:
If you don't know what type of authentication is being used for your Farm, you don't have the skills to proceed further.


$wa = Get-SPWebApplication "[YourWebAppHereBaby]"
$wa.Properties["portalsuperuseraccount"] = "domain\superuser"
$wa.Properties["portalsuperreaderaccount"] = "domain\superreader"
$wa.Update()

If you are using claims based authentication run the following from SharePoint PowerShell:
If you don't know what type of authentication is being used for your Farm, you don't have the skills to proceed further.
(Replace domain\superuser and domain\superreader with the accounts set in CA for your Farm.)

$wa = Get-SPWebApplication "[YourWebAppHereBaby]"
$wa.Properties["portalsuperuseraccount"] = "i:0#.w|domain\superuser"
$wa.Properties["portalsuperreaderaccount"] = "i:0#.w|domain\superreader"
$wa.Update()
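
An added example, not part of the original post: a read-only check that compares the two things configured above, the web application properties and the User Policy entries, and flags an account name whose format does not match the authentication mode. The URL is a placeholder and the warning texts are my own wording.

```powershell
# Added example: read-only audit of the object cache accounts for one web application.
# Run from the SharePoint Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$url    = "http://yourwebapp"          # placeholder: your web application URL
$wa     = Get-SPWebApplication $url
$claims = $wa.UseClaimsAuthentication  # $true for claims, $false for classic mode

# Property name -> policy role the configured account must hold
$expected = @{
    "portalsuperuseraccount"   = [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl
    "portalsuperreaderaccount" = [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead
}

foreach ($prop in $expected.Keys) {
    $account = [string]$wa.Properties[$prop]
    if ([string]::IsNullOrEmpty($account)) {
        Write-Warning ("{0} is not set, so the default account is in use" -f $prop)
        continue
    }

    # The account name must be claims-encoded (i:0#.w|...) only on a claims web application
    $isClaimsName = $account.StartsWith("i:0#.w|")
    if ($claims -and -not $isClaimsName) {
        Write-Warning ("{0} = '{1}' is a classic name on a claims web application" -f $prop, $account)
    }
    if (-not $claims -and $isClaimsName) {
        Write-Warning ("{0} = '{1}' is a claims name on a classic web application" -f $prop, $account)
    }

    # The same account must have a User Policy entry with the required role
    $policy = $wa.Policies | Where-Object { $_.UserName -eq $account }
    if (-not $policy) {
        Write-Warning ("{0} = '{1}' has no User Policy on {2}" -f $prop, $account, $url)
        continue
    }
    $roles = @($policy.PolicyRoleBindings | ForEach-Object { $_.Type })
    if ($roles -notcontains $expected[$prop]) {
        Write-Warning ("'{0}' has a User Policy but not the {1} role" -f $account, $expected[$prop])
    } else {
        Write-Host ("OK: '{0}' holds {1}" -f $account, $expected[$prop])
    }
}
```

The script changes nothing; fix anything it reports with the User Policy steps or the property commands above.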
