Search Crawl Log Error – Access is denied

Scenario:

Crawl History shows 0 successes and a bunch of security errors.

The following error is logged in the Error Breakdown:

“Access is denied. Verify that either the Default Content Access Account has access to this repository, or add a crawl rule to crawl this repository.”

Possible Solution:

Check your hosts file. In my case, host headers had been commented out for testing and never changed back.

Copy Missing Objects From One Content Database to Another

I recently applied a cumulative update to a SharePoint environment that hadn’t been patched in years. When I tried to upgrade the main production content database, the process failed and rendered the site inaccessible. The error logs mentioned invalid objects such as “Webs” and “Sites”, and upon further troubleshooting we learned that because of permission issues, the content database was missing critical views and procedures due to one of the updates rolled up into the cumulative update.

NOTE: I’d like to take a moment to stress the importance of backups. CONFIRM THAT YOU HAVE A HEALTHY BACKUP BEFORE PERFORMING MAINTENANCE. EVERY. SINGLE. TIME! Thank you.

Even though we corrected the permission issues, no matter what we tried we could not re-run the upgrade to fix the problem. Instead, we had to copy those missing objects and views from the sandbox content database to prod, and cross our fingers it would work. (spoiler: it did)

  1. Right click your healthy database > Tasks > Generate Scripts…
  2. In the Choose Objects prompt, select the objects you would like to copy. In our case we copied Views and Stored Procedures.
  3. Click Next
  4. Select “Save to new query window”
  5. Next > Next > Finish
  6. Change the database in the query to the database that’s missing objects
  7. Execute
  8. Browse the site to confirm content
  9. Drink
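
Before choosing objects in step 2, it helps to know exactly which views and stored procedures the damaged database lacks. The query below is an added example, not part of the original post; the database names WSS_Content_Sandbox and WSS_Content_Prod are placeholders for your healthy and damaged content databases.

```sql
-- Added example: list views and stored procedures that exist in the healthy
-- content database but not in the damaged one. Read-only; it changes nothing.
-- ASSUMPTION: WSS_Content_Sandbox and WSS_Content_Prod are placeholder names.
SELECT
    hs.name      AS schema_name,
    ho.name      AS object_name,
    ho.type_desc AS object_type
FROM [WSS_Content_Sandbox].sys.objects AS ho
JOIN [WSS_Content_Sandbox].sys.schemas AS hs
    ON hs.schema_id = ho.schema_id
WHERE ho.type IN ('V', 'P')            -- V = view, P = stored procedure
  AND ho.is_ms_shipped = 0             -- skip objects shipped with SQL Server
  AND NOT EXISTS (
        SELECT 1
        FROM [WSS_Content_Prod].sys.objects AS po
        JOIN [WSS_Content_Prod].sys.schemas AS ps
            ON ps.schema_id = po.schema_id
        -- COLLATE avoids a collation-conflict error if the two databases differ
        WHERE ps.name COLLATE DATABASE_DEFAULT = hs.name COLLATE DATABASE_DEFAULT
          AND po.name COLLATE DATABASE_DEFAULT = ho.name COLLATE DATABASE_DEFAULT
          AND po.type = ho.type
  )
ORDER BY ho.type_desc, hs.name, ho.name;
```

Run it again after step 7; an empty result means every view and stored procedure from the healthy database now exists in the target.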

Custom XSL Web Part Error – Access Denied

Scenario:

I created a custom XSL style sheet for a library web part that would intermittently throw an error for everyone except the admin account (me).

Every morning users were complaining about an error on the web part. I would sign in and try to replicate, but it always worked for me. Then I’d ask the user to refresh their page and, miraculously, the error would go away.

Error

ULS logs contained the following information:

SPSecurityContext: Could not retrieve a valid windows identity for username ‘domain\user’ with UPN ‘user@domain.local’. UPN is required when Kerberos constrained delegation is used. Exception: System.ComponentModel.Win32Exception (0x80004005): Access is denied Server stack trace:
 at System.ServiceModel.Channels.AppContainerInfo.GetCurrentProcessToken()
 at System.ServiceModel.Channels.AppContainerInfo.RunningInAppContainer()
 at System.ServiceModel.Channels.AppContainerInfo.get_IsRunningInAppContainer()
 at System.ServiceModel.Channels.PipeSharedMemory.BuildPipeName(String pipeGuid)
 at System.ServiceModel.Channels.PipeSharedMemory.get_PipeName()
 at System.ServiceModel.Channels.PipeConnectionInitiator.GetPipeName(Uri uri, IPipeTransportFactorySettings transportFactorySettings)
 at System.ServiceModel.Channels.NamedPipeConnectionPoolRegistry.NamedPipeConnectionPool.GetPoolKey(EndpointAddress address, Uri via)
 at System.ServiceModel.Channels.CommunicationPool`2.TakeConnection(EndpointAddress address, Uri via, TimeSpan timeout, TKey& key)
 at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
 at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
 at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
 at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
 at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
 at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)
 at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
 at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
 at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
 at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
 at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) Exception rethrown
 at [0]:
 at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
 at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
 at Microsoft.IdentityModel.WindowsTokenService.S4UClient.IS4UService_dup.UpnLogon(String upn, Int32 pid)
 at Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(Func`2 contractOperation)
 at Microsoft.SharePoint.SPSecurityContext.GetWindowsIdentity().
No windows identity for “domain\user”.

Root cause:

The SharePoint site’s application pool was configured to recycle every morning at 3:00 AM. This would clear cached authentication, and due to permissions, the XSL style sheet could not be accessed until the administrator logged in.

In addition, according to Hemendra’s response in this post, this can also be caused by an anonymous cache bug.

Solution:

Option 1: Remove auto-recycle settings on the application pool. (The error will re-appear if the site is manually recycled or the server reboots.)

Option 2 (recommended): Create two separate XSL files. The first file will be attached to the web part and, using the xsl:import element, will reference a second XSL file that contains your view styles.

XSL File #1 – Reference.xsl (linked in the Web Part Properties):

<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

<xsl:import href="/SiteAssets/Style.xsl"/>

<xsl:template match="/">
<xsl:apply-imports/>
</xsl:template>

</xsl:stylesheet>

XSL File #2 – Style.xsl (contains view styles):

<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

<xsl:template match="/">
<html>
<body>
<h2>My CD Collection</h2>
<table border="1">
<tr bgcolor="#9acd32">
<th>Title</th>
<th>Artist</th>
</tr>
<tr>
<td><xsl:value-of select="catalog/cd/title"/></td>
<td><xsl:value-of select="catalog/cd/artist"/></td>
</tr>
</table>
</body>
</html>
</xsl:template>

</xsl:stylesheet>

NOTE: Save your XSL files in a library where Everyone has at least Read permissions.

Unlock Documents With PowerShell

One of my users was constantly getting locked out of his own documents. Upon saving a document, he would receive the following error:

The file “filename” is locked for exclusive (or shared) use by “his username”

The issue was that his user only had “contribute” permissions. While that should be enough, he needed “edit” permissions to avoid locking his own documents.

While troubleshooting, I used a PowerShell script that unlocks documents that are locked for shared use.


Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Variables for Web and File URLs (the file must live in the web given by $WebURL)
$WebURL = "http://sp2013/sites/company"
$FileURL = "http://sp2013/sites/company/filename.docx"

#Get Web and File Objects
$web = Get-SPWeb $WebURL
$File = $web.GetFile($FileURL)

#Check if File is Checked-out
if ($File.CheckOutType -ne "None")
{
    Write-Host "File is Checked Out to user: " $File.CheckedOutByUser.LoginName
    Write-Host "Checked Out Type: " $File.CheckOutType
    Write-Host "Checked Out On: " $File.CheckedOutDate

    #To release from checkout, ask the checked out user to check in
    #$File.Checkin("Checked in by Administrator")
    #Write-host "File has been Checked-In"
}

#Check if File is locked
if ($null -ne $File.LockId)
{
    Write-Host "File is Locked out by:" $File.LockedByUser.LoginName
    Write-Host "File Lock Type: " $File.LockType
    Write-Host "File Locked On: " $File.LockedDate
    Write-Host "File Lock Expires on: " $File.LockExpires

    #To Release the lock, use:
    #$File.ReleaseLock($File.LockId)
    #Write-host "Released the lock!"
}

#Dispose of the web object when finished
$web.Dispose()

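Change $FileURL to the URL of the locked document (and $WebURL to the site that contains it). To unlock the document, uncomment lines 32 and 33 (the $File.ReleaseLock call and the Write-host line after it).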