Access Denied Error On Spwebapplication.update
here for a quick overview of the site Help Center Detailed answers to any questions you might have Meta Discuss the workings and policies of this site About Us Learn more about Stack Overflow the company Business Learn more about hiring developers or posting ads with us Stack Overflow Questions Jobs Documentation Tags Users Badges Ask Question x Dismiss Join the Stack Overflow Community Stack Overflow is a community of 4.7 million programmers, just like you, helping each other. Join them; it only takes a minute: Sign up Executing SPWebApplication.Update with System account throws SecurityException up vote 3 down vote favorite 2 I`m doing some web.config modifications with SPWebConfigModification class. When adding them to WebApplication and calling Update to it, it throws me SecurityException, although I run code with elevated privilages (and open new instance of SPSite) my assembly is in GAC application pool account is from *wss_admin_wpg* group and web.config file has *wss_admin_wpg* write permissins. Code SPSecurity.RunWithElevatedPrivileges(delegate() { addProviderProxy(properties); }); where addProviderProxy(SPItemEventProperties properties) using (SPSite site = new SPSite(properties.SiteId)) using (SPWeb web = site.OpenWeb()) { ensureSectionGroup(web); ... } where ensureSectionGroup(SPWeb web) SPWebApplication webApp = web.Site.WebApplication; ... webApp.Update(); <--Throws exception here Exception Details System.Security.SecurityException was caught Message="Piekļuve liegta." //(Translates to something like "Access Denied") Source="Microsoft.SharePoint" StackTrace: at Microsoft.SharePoint.Administration.SPPersistedObject.Update() at Microsoft.SharePoint.Administration.SPWebApplication.Update() at Balticovo.SharePoint.AdjustWebConfigForOutlook.ensureSectionGroup(SPWeb web) InnerException: sharepoint securityexception share|improve this question edited Sep 7 '09 at 10:24 asked Sep 7 '09 at 9:12 Janis Veinbergs 5,34432962 Could you post more information about the exception, e.g. the stack trace? –Flo Sep 7 '09 at 9:55 Edited. Take a look. Although nothing usefull there. –Janis Veinbergs Sep 7 '09 at 10:25 add a comment| 2 Answers 2 active oldest votes up vote 1 down vote accepted As the "Access Denied" error is occurring at SPPersistedObject.Update(), this obviously indicates
for a quick overview of the site Help Center Detailed answers to any questions you might have Meta Discuss the workings and policies of this site About Us Learn more about Stack Overflow the company Business Learn more about hiring developers or posting ads with us SharePoint Questions Tags Users Badges Unanswered Ask Question _ SharePoint Stack Exchange is a question and answer site for SharePoint enthusiasts. Join them; it only takes a minute: Sign up Here's how it works: Anybody can ask a question Anybody can answer The best answers are voted up and rise to the top Unable to modify SPWebApplication properties from feature receiver - Access Denied up vote 3 down vote favorite 1 http://stackoverflow.com/questions/1388373/executing-spwebapplication-update-with-system-account-throws-securityexception The scope of the feature is Web. SPWeb site = (SPWeb)properties.Feature.Parent; site.AllowUnsafeUpdates = true; // Set the Web Application's default error page SPSite siteCollection = new SPSite(site.Url); SPWebApplication webApplication = siteCollection.WebApplication; webApplication.FileNotFoundPage = "somepage.html"; webApplication.Update(); site.AllowUnsafeUpdates = false; When it hits the line webApplication.FileNotFoundPage = "somepage.html"; I get hit with Access Denied. This code is within a RunWithElevantedPrivileges delegate. If I run similar code from a console application from Visual Studio, it works fine. How can I elevate http://sharepoint.stackexchange.com/questions/13463/unable-to-modify-spwebapplication-properties-from-feature-receiver-access-deni privileges enough to update the web application settings? I've tried scoping it at Site and Web Application to try, and they didn't work. permissions feature security event-handlers share|improve this question asked May 26 '11 at 21:47 Tim Gabrhel 1,87511443 add a comment| 3 Answers 3 active oldest votes up vote 9 down vote accepted You're seeing this because RunWithElevated runs the code under the AppPool account of the current web application, but the SPWebApplication itself is stored in the config database, which is handled by a different account (the farm account). You will have to run this Feature at Farm scope in order for it to be able to write to the config database. share|improve this answer answered May 26 '11 at 22:11 James Love 23.8k13368 Good to know there is a solution to this! :-) –Benjamin J Athawes May 26 '11 at 22:28 Thanks for the clarification James. I knew there was some sort of issue like this, but I didn't know the details. Are the only options of modifying the SPWebApplication from a console app? What about a workflow then? I imagine not. –Tim Gabrhel May 27 '11 at 13:19 Workflow would probably launch in another app identity again. If you run it as a console app, it'll use whatever context you're logged in as, and if you run as the Fa
used incorrectly. For example, it's not advisable to try and write to the web config on Web or Site feature http://www.stuartroberts.net/index.php/2013/01/08/web-config-updates/ activation as you will more than likely receive an access denied error. Even running the code with elevated permissions will not resolve this as the majority of http://www.sharepointblues.com/2010/10/22/custom-spjobdefinition-and-access-denied-error/ the time the executing application pool user will not have sufficient access to the web config file, certainly not in a production environment. The ideal place to host access denied this type of call is in a Web Application or Farm scoped feature's FeatureActivated method. Unless the farm has been locked down, this will run with the required permissions to be able to update the web config file(s). An easy way to update the configurations for all web applications hosting content is to use the access denied error following from a Farm scoped feature: SPWebService.ContentService.WebConfigModifications.Add(authorizedTypeActivity); SPWebService.ContentService.Update(true); SPWebService.ContentService.ApplyWebConfigModifications(); Or, to update a specific web application from a Web Application scoped feature: SPWebApplication webApplication = properties.Feature.Parent as SPWebApplication; SPWebService.ContentService.WebApplications[webApplication.Id].WebConfigModifications.Add(authorizedTypeActivity); SPWebService.ContentService.WebApplications[webApplication.Id].Update(true); SPWebService.ContentService.ApplyWebConfigModifications(); Share:LinkedInTwitterFacebookGoogleEmailPrint Category: Configuration, SharePoint / Tags: Configuration, SharePoint Leave a Reply Cancel reply Your email address will not be published. Required fields are marked * Name * Email * Website Solve the maths problem shown below before posting: * 2 + two = Comment Notify me of follow-up comments by email. Notify me of new posts by email. Search for: Featured Post Charting WebPart Popular posts Export MetaData Terms Clear Designer Cache Package and Deploy a SharePoint Designer Workflow Item does not exist. It may have been deleted by another user Slow Query Duration Tags Administration Auditing CAML CAS Certification Configuration Content Types CSOM Deployment ECB Events Fields Impersonation InfoPath Information Management installation JavaScript jQuery Logging Managed Metadata Performance Policies PowerShell PropertyBag Publishing QuickTime Search security services SharePoint SharePoint De
I tried Stef's workaround by running the powershell -script he provided and got my custom timer job to install via web scoped feature's feature receiver. I think there are issues to consider though. Do we want to permanently set the RemoteAdministratorAccessDenied false or do we want to run one script to set RemoteAdministratorAccessDenied false before feature activation/deactivation and after that run another script to set it back true again? Installing custom timer job evidently is an operation where Farm Admin privileges are needed and if the activator is web- or site-scoped feature, the activation dialog (the Activate/Deactivate-buttons in ManageFeatures.aspx) is available also for users with inadequate privileges. After further investigation it seems that to activate a feature from content application's feature management UI, it is necessary to have the same application pool accounts for the content application and central admin - it seems not to be enough to be logged on to your content web app with farm admin account or with the central admin's application pool account. The behavior is a little weird but at least when I tested different scenarios, this is how it appears to be. To have same application pool account in Central Admin and content web app, however, is not recommended. Nevertheless, I needed a custom timer job to be installed from a web scoped feature because the timer job handles information per web. Therefore the name of the installed timer job is per web and properties to determine which web should be handled when timer job ticks are also added to the timer job's properties. So, I took the idea from Stef's post and used the same idea in my feature receiver and by doing so I don't have to run the powershell-script per environment before feature activation: public class MyFeatureReceiver : SPFeatureReceiver { private const string MyCustomTimerJobName = "Custom Timer Job for web: {0}"; public override void FeatureActivated(SPFeatureReceiverP