{"id":1016,"date":"2011-02-02T14:37:54","date_gmt":"2011-02-02T13:37:54","guid":{"rendered":"http:\/\/www.itidea.nl\/?p=1016"},"modified":"2015-09-08T20:33:26","modified_gmt":"2015-09-08T18:33:26","slug":"access-denied-when-activating-a-feature","status":"publish","type":"post","link":"https:\/\/www.itidea.nl\/index.php\/access-denied-when-activating-a-feature\/","title":{"rendered":"Access denied when activating a feature"},"content":{"rendered":"

This is the title of a question posted at SharePoint Overflow <\/a>and got my attention.
\nI checked out the issue and I had a suspicion it had to do with the user not being a farm administrator. But before answering the post I had to make sure and tested it on my dev machine.<\/p>\n

I fired up Visual Studio, create a feature with a feature receiver and wrote some code in the FeatureActivated method to update the web.config file en deployed it from Visual Studio to the SharePoint environment. All went well and the web.config received the modification.<\/p>\n

To really make sure I tested this with another user (no farm administrator) by activating the feature from the browser. I received the error described in the post at SharePoint overflow:<\/p>\n

\r\n<System>\r\n\u00a0 <Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6FB7E0CD-52E7-47DD-997A-241563931FC2}" \/>\r\n\u00a0 <EventID>6615<\/EventID>\r\n\u00a0 <Version>14<\/Version>\r\n\u00a0 <Level>2<\/Level>\r\n\u00a0 <Task>10<\/Task>\r\n\u00a0 <Opcode>0<\/Opcode>\r\n\u00a0 <Keywords>0x4000000000000000<\/Keywords>\r\n\u00a0 <TimeCreated SystemTime="2011-02-02T12:43:36.717773400Z" \/>\r\n\u00a0 <EventRecordID>12679<\/EventRecordID>\r\n\u00a0 <Correlation ActivityID="{E64F5E21-D27E-46B5-99A6-1366EBD456F5}" \/>\r\n\u00a0 <Execution ProcessID="1768" ThreadID="7100" \/>\r\n\u00a0 <Channel>Application<\/Channel>\r\n\u00a0 <Computer>SP2010<\/Computer>\r\n\u00a0 <Security UserID="S-1-5-21-3420107791-3555115667-1280696338-1015" \/>\r\n<\/System>\r\n<EventData>\r\n\u00a0 <Data Name="string0">Access denied.<\/Data>\r\n<\/EventData>\r\n<\/pre>\n
and the ULS log mentioned:
\nThe SPPersistedObject, SPWebService, could not be updated because the current user is not a Farm Administrator.<\/p>\n
To really really be sure I made the user a farm administrator and tried to activate the feature from the browser: Access denied.
\nWell, this user is a Farm Administrator now, so why the error?
\nI removed the user from the Farm Administrators group because I though I did something wrong and tested the activation of the feature in the browser with the farm administrator account: Access denied.
\nOww, what’s this?
\nSuddenly it seemed broken, probably it was broken all the time, because I deployed it from Visual Studio directly and never tested it by activating the feature from the browser with this account.
\nDeploying and activating the feature from Visual Studio went well and the web.config modification was there, but as soon I activated the feature from the browser I received an Access denied message.<\/p>\n
Maybe a timerjob had to run or something, so I checked and waited for a while. Nothing changed.
\nIISReset, application pool recycle. Nothing changed.
\nRestarting the server. Nothing changed.<\/p>\n
When Googling on the ULS log message this post came up:
\nhttp:\/\/unclepaul84.blogspot.com\/2010\/06\/sppersistedobject-xxxxxxxxxxx-could-not.html<\/a><\/p>\n
It was a different matter, but the behaviour seemed to be the same.
\nA summary of that post:
\n“Upon detailed investigation of Microsoft.SharePoint.dll\u00a0 I discovered that SharePoint guys added a new security feature to all objects inheriting from SPPersistedObject in the Microsoft.SharePoint.Administration namespace. This feature explicitly disallows modification of the above stated objects from content web applications, which is where our web part is running. The error message thrown is therefore very misleading. After some more tracing through the code I found a property in SharePoint API which controls this behavior:<\/em><\/p>\n
Microsoft.SharePoint.Administration.SPWebService.ContentService.RemoteAdministratorAccessDenied<\/em>”<\/p>\n
A PowerShell script is added to that post which turns off the remote administration security.<\/p>\n
That did the trick!
\nThe feature which modified the web.config could be activated from the browser again and the Access denied messages were not occurring anymore.<\/p>\n
The ultimate test: a regular user was turned into a farm administrator and a site collection owner. This user is now also able to activate the feature from the browser to make a web.config modification.<\/p>\n
Serious considerations<\/h3>\n
There are some serious considerations on this:
\nThe Feature created was a Web scoped feature. When turning off the remote administration security this feature can be activated from any site. But when modifying web.config keys it’s the question if you want to be able to do this from any site.
\nI think Central Administration is the place to keep features like this. When deploying a feature which modifies web.config keys it’s an administration thing and not a users thing. By the way: if you’re not a farm administrator you get an Access denied message anyway when trying to activate such features if remote administration security is turned on.<\/p>\n
So I really doubt it if you have to turn off remote administration security in this example. Rather deploy the feature to the Central Administration.<\/p>\n","protected":false},"excerpt":{"rendered":"
This is the title of a question posted at SharePoint Overflow and got my attention. I checked out the issue and I had a suspicion it had to do with the user not being a farm administrator. But before answering … Read More »<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[42],"class_list":["post-1016","post","type-post","status-publish","format-standard","hentry","category-sharepoint-2010","tag-sharepoint-2010"],"_links":{"self":[{"href":"https:\/\/www.itidea.nl\/index.php\/wp-json\/wp\/v2\/posts\/1016","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.itidea.nl\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.itidea.nl\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.itidea.nl\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.itidea.nl\/index.php\/wp-json\/wp\/v2\/comments?post=1016"}],"version-history":[{"count":6,"href":"https:\/\/www.itidea.nl\/index.php\/wp-json\/wp\/v2\/posts\/1016\/revisions"}],"predecessor-version":[{"id":1020,"href":"https:\/\/www.itidea.nl\/index.php\/wp-json\/wp\/v2\/posts\/1016\/revisions\/1020"}],"wp:attachment":[{"href":"https:\/\/www.itidea.nl\/index.php\/wp-json\/wp\/v2\/media?parent=1016"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.itidea.nl\/index.php\/wp-json\/wp\/v2\/categories?post=1016"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.itidea.nl\/index.php\/wp-json\/wp\/v2\/tags?post=1016"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}