techblog

SP 2013 – Access Denied Error creating Search Center

Feb 6, 2013 by Christoph // Leave a Comment

SharePoint 2013, oh, I already started to love you!

I was running into an error creating an Enterprise Search Center site collection on a clean installation of SharePoint 2013. The installation was created by a PowerShell Script we developed during the last project phase (please, don’t ask why we didn’t use SPAutoInstaller!). We where using Claims Based Authentication on the web application as it is recommended since SP2013, and here the story begins:

Error Description

During the creation of an Enterprise Search Center or a Publishing Portal via Central Administration I am getting a Yellow Screen of Death and the following message is logged into the Event Log:

==================================================

Log Name:      Application
Source:        Microsoft-SharePoint Products-Web Content Management
Date:          05.02.2013 11:22:50
Event ID:      4965
Task Category: Publishing Provisioning
Level:         Error
Keywords:
User:          CONTOSO\mSPInstall
Computer:      SERVERNAME-01

Description: Event log message was: ‘Failed to initialize some site properties for Web  at Url: ‘http://mysearchcenter.contoso.com’. Exception was: ‘System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
at Microsoft.SharePoint.SPGlobal.HandleUnauthorizedAccessException(UnauthorizedAccessException ex)
at Microsoft.SharePoint.Library.SPRequest.GetMetadataForUrl(String bstrUrl, Int32 METADATAFLAGS, Guid& pgListId, Int32& plItemId, Int32& plType, Object& pvarFileOrFolder) at Microsoft.SharePoint.SPWeb.GetList(String strUrl) at Microsoft.SharePoint.Publishing.CacheManager..ctor(SPSite site)
at Microsoft.SharePoint.Publishing.CacheManager.GetManager(SPSite site, Boolean useContextSite, Boolean allowContextSiteOptimization, Boolean refreshIfNoContext)
at Microsoft.SharePoint.Publishing.PublishingWeb.get_PagesListId()
at Microsoft.SharePoint.Publishing.Internal.AreaProvisioner.InitializePublishingWebDefaults()’
==================================================

The following message is logged into the SharePoint ULS Log:

==================================================

02.05.2013 11:22:50.60 w3wp.exe (0x23F4) 0x1414 SharePoint Foundation General aix9j High SPRequest.GetMetadataForUrl: UserPrincipalName=i:0).w|s-1-5-21-2470155813-2319048180-152414731-21172, AppPrincipalName= ,bstrUrl=/Cache Profiles ,METADATAFLAGS=59 d0c0fb9b-5bc8-b08b-52a2-fd7134c25c1f

02.05.2013 11:22:50.60 w3wp.exe (0x23F4) 0x1414 SharePoint Foundation General ai1wu Medium System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)), StackTrace:
at Microsoft.SharePoint.SPWeb.GetList(String strUrl)
at Microsoft.SharePoint.Publishing.CacheManager..ctor(SPSite site)
at Microsoft.SharePoint.Publishing.CacheManager.GetManager(SPSite site, Boolean useContextSite, Boolean allowContextSiteOptimization, Boolean refreshIfNoContext)
at Microsoft.SharePoint.Publishing.PublishingWeb.get_PagesListId()
at Microsoft.SharePoint.Publishing.Internal.AreaProvisioner.InitializePublishingWebDefaults()
at Microsoft.SharePoint.Publishing.Internal.AreaProvisioner.Provision()
at Microsoft.SharePoint.Publishing.PublishingFeatureHandler.<>c__DisplayClass3.<FeatureActivated>b__0()
at …<shortened for readability>

==================================================

Solution

As this and this posts describe, the PortalSuperUserAccount as well as the PortalSuperReaderAccount have to be set in Claims manner. So, they need to be added with the prefix “i:0#.w| (where the 0 is a zero and | is a pipe).

You can check the accounts for each Web Application with the following PowerShell command:

Get-SPWebApplication | %{Write-Host “Web Application: ” $_.url “`nPortalSuperUserAccount: ” $_.properties["portalsuperuseraccount"] “`nPortalSuperReaderAccount: ” $_.properties["portalsuperreaderaccount"] “`n”}

If you use Claims Based Authentication, make sure your accounts have the prefix! If the don’t have it, you have to reset the accounts via the following PowerShell command:

$wa = Get-SPWebApplication -Identity "http://contoso.com"
$wa.Properties["portalsuperuseraccount"] = "i:0#.w|contoso\cacheuser"
$wa.Properties["portalsuperreaderaccount"] = "i:0#.w|contoso\cachereader"
$wa.Update()

I fixed the script so it checks if the current Web Application is using Claims Based Authentication, if so, the accounts will be added with the prefix.

Afterwards, perform a an IISRESET on all servers in the farm and recreate the Enterprise Search Portal and enjoy the new search experience in SharePoint 2013.

Credits to our SharePoint Master Aleksandar Draskovic who pointed me in the right direction!

Happy searching!


Leave a Reply

  • (will not be published)

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Copyright © 2012 techblog All Rights Reserved.

The posts on this weblog are provided “AS IS” with no warranties, and confer no rights. The opinions expressed herein are personal and do not represent those of my employer.

Designed & Developed by ThemeElephant