When NT AUTHORITY\Authenticated Users was added to a Windows SharePoint Services 3.0 site, users other than those directly permissioned to the site or Site Collection Admins would receive a 403 Forbidden error when they tried to browse to the Default.aspx page.
ULS Logs would show:
============================================================
Access Denied for /default.aspx.
StackTrace: Microsoft.SharePoint.Utilities.SPUtility:Void
HandleAccessDenied(System.Exception), Microsoft.SharePoint.SPGlobal:Void
HandleUnauthorizedAccessException(System.UnauthorizedAccessException),
Microsoft.SharePoint.SPWeb:System.String GetWebPartPageContent(System.Uri,
Microsoft.SharePoint.WebPartPages.PageView, System.Web.HttpContext, Boolean,
Boolean, Boolean, Boolean, Boolean ByRef, Byte ByRef, System.String ByRef,
System.Guid ByRef, Int64 ByRef, System.Guid ByRef, UInt32 ByRef, System.String
ByRef, Byte ByRef, System.Object ByRef, UInt32 ByRef, System.Object ByRef,
Microsoft.SharePoint.SPWebPartCollectionInitialState ByRef, System.Object ByRef,
System.String ByRef, Boolean ByRef, System.Guid ByRef),
Microsoft.SharePoint.ApplicationRuntime.SPRequestModuleData:System.String
FetchWebPartPageInformationForInit(System.Web.HttpContext,
Microsoft.SharePoint.SPWeb, Boolean, System.String, Boolean, Boolean ByRef, Byte
ByRef, System.Guid ByRef, UInt32 ByRef, System.String ByRef,
Microsoft.SharePoint.SPFileLevel ByRef, System.String ByRef, System.String ByRef,
System.String ByRef, System.String ByRef, System.Guid ByRef, System.Object ByRef,
Microsoft.SharePoint.SPWebPartCollectionInitialState ByRef, System.String ByRef,
System.String ByRef, System.Object ByRef, Boolean ByRef, System.Guid ByRef, Int64
ByRef), Microsoft.SharePoint.ApplicationRuntime.SPRequestModuleData:Void
GetFileForRequest(System.Web.HttpContext, Microsoft.SharePoint.SPWeb, Boolean,
System.String), Microsoft.SharePoint.ApplicationRuntime.SPRequestModule:Void
InitContextWeb(System.Web.HttpContext, Microsoft.SharePoint.SPWeb),
Microsoft.SharePoint.WebControls.SPControl:Microsoft.SharePoint.SPWeb
SPWebEnsureSPControl(System.Web.HttpContext),
Microsoft.SharePoint.WebControls.SPControl:Microsoft.SharePoint.SPWeb
GetContextWeb(System.Web.HttpContext),
Microsoft.SharePoint.ApplicationRuntime.SPRequestModule:Void
PostResolveRequestCacheHandler(System.Object, System.EventArgs),
System.Web.HttpApplication+SyncEventExecutionStep:Void
System.Web.HttpApplication.IExecutionStep.Execute(),
System.Web.HttpApplication:System.Exception ExecuteStep(IExecutionStep, Boolean
ByRef), System.Web.HttpApplication+ApplicationStepManager:Void
ResumeSteps(System.Exception), System.Web.HttpApplication:System.IAsyncResult
System.Web.IHttpAsyncHandler.BeginProcessRequest(System.Web.HttpContext,
System.AsyncCallback, System.Object), System.Web.HttpRuntime:Void
ProcessRequestInternal(System.Web.HttpWorkerRequest), System.Web.HttpRuntime:Void
ProcessRequestNoDemand(System.Web.HttpWorkerRequest),
System.Web.Hosting.ISAPIRuntime:Int32 ProcessRequest(IntPtr, Int32),
==================================================================
After detailed analysis and debugging of the w3wp process, we found two columns with non-standard settings in the content database. In the AllLists table, the columns tp_readsecurity and tp_writesecurity for the “User Information List” were set to 2 and 4 respectively. The default value for both columns is 1.
tp_readsecurity
1 = read all items
2 = read only my items
4 = read none
tp_writesecurity
1 = write all items
2 = write only my items
4 = write none
With tp_readsecurity set to 2, a user can read only their own items, so the read fails because the request tries to read items in the “User Information List” that are not the user's own. With tp_writesecurity set to 4, nothing can be written to this list, so users cannot be added to it. Because the users have not been, or cannot be, added to the list, an exception is thrown, and this is the reason for the 403 Forbidden.
RESOLUTION/WORKAROUND:
===========================
1. Open the site you are having trouble with, but make sure you open the site
with site collection admin/owner rights.
2. Browse to the URL:
http://portal/sites/site/_layouts/advsetng.aspx?list={GUID}
3. This List ID will vary.
4. You can also get to this list by browsing to the root of your site, Site
Actions > Site Settings > Advanced Permissions > click the All People link
in Quick Launch > then select List Settings, then Advanced Settings
5. This method will also get you to the above URL and is probably easier than
having to poke through the DB to find the GUID of that list.
6. Change the Read Access Value to “All Items”
7. Change the Edit Access to “All Items”
8. This will modify those values in the database back to 1 and 1
9. Authenticated Users should now be able to access the site.
I hope the above information helps you resolve this issue. Thanks!
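The same values can be read through the SharePoint object model instead of the content database. The script below is an added example, not part of the original post; it assumes PowerShell 2.0 or later on the WSS 3.0 server, uses the placeholder site URL from the steps above, and relies on SPWeb.SiteUserInfoList and the SPList.ReadSecurity / SPList.WriteSecurity properties, which correspond to the two columns. The -Fix switch is a name chosen for this example.

```powershell
# Added example: audit item-level security on the User Information List.
# Run on the SharePoint server as a site collection admin.
param(
    [string]$SiteUrl = "http://portal/sites/site",  # placeholder URL
    [switch]$Fix                                     # reset both values to 1
)

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

# Meaning of each value, as listed in the post
$readNames  = @{ 1 = "read all items";  2 = "read only my items";  4 = "read none" }
$writeNames = @{ 1 = "write all items"; 2 = "write only my items"; 4 = "write none" }

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
try {
    # The "User Information List" lives in the root web of the site collection
    $list  = $site.RootWeb.SiteUserInfoList
    $read  = $list.ReadSecurity
    $write = $list.WriteSecurity

    Write-Host ("List          : {0}" -f $list.Title)
    Write-Host ("ReadSecurity  : {0} ({1})" -f $read,  $readNames[$read])
    Write-Host ("WriteSecurity : {0} ({1})" -f $write, $writeNames[$write])

    # Build the Advanced Settings URL so the GUID does not have to be looked up
    $guid = $list.ID.ToString("B")
    Write-Host ("Settings page : {0}/_layouts/advsetng.aspx?list={1}" -f $site.Url, $guid)

    if ($read -eq 1 -and $write -eq 1) {
        Write-Host "Both values are at the default (1)."
    }
    elseif ($Fix) {
        # Same change as selecting "All Items" for Read and Edit access in the UI
        $list.ReadSecurity  = 1
        $list.WriteSecurity = 1
        $list.Update()
        Write-Host "Reset ReadSecurity and WriteSecurity to 1."
    }
    else {
        Write-Host "Non-default values found. Re-run with -Fix or change them on the settings page."
    }
}
finally {
    # Disposing the SPSite also releases its RootWeb
    $site.Dispose()
}
```

Run it without -Fix first to record the current values before changing anything.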