HTTP 403 Forbidden error when trying to browse to a SharePoint web app

Received the following error when browsing to a SharePoint web app:

The website declined to show this webpage
HTTP 403
Most likely causes:
This website requires you to log in.


If we make a copy of the web.config file, rename the original web.config file and refresh the home page, we receive an "HTTP 404 - Page Not Found" error instead.

Rename the web.config file back and refresh the page. The site is browsable for a while before failing again after some time. We see the following error in Failed Request Tracing:


A procmon trace captured while accessing the web app from the server showed the following:

w3wp.exe 4180 CreateFile

C:\inetpub\wwwroot\wss\VirtualDirectories\Web80.Contoso.com80\bin ACCESS DENIED Desired Access: Read Data/List Directory, Synchronize
Disposition: Open
Options: Directory, Synchronous IO Non-Alert
Attributes: n/a
ShareMode: Read, Write, Delete
AllocationSize: n/a
Impersonating: NT AUTHORITY\IUSR


This issue usually occurs when a request from an authenticated user without local admin rights results in a failed read of the /BIN directory by the impersonating w3wp.exe process (the IIS worker process for ASP.NET).

This behavior is typically associated with a lack of permissions on the temporary folder /BIN where ASP.NET assemblies are Just In Time (JIT) compiled.

Resolution

The solution is to ensure that the Authenticated Users or \Users group (which usually contains the DOMAIN\Users group) has Read & Execute, List Folder Contents and Read permissions on the /BIN folder below

C:\inetpub\wwwroot\wss\VirtualDirectories\{Sitename80}.

Follow the steps below to grant the required permissions:

a. Open Windows Explorer and navigate to the /bin directory of your web application.
b. Right-click the folder and click Properties.
c. Go to the Security tab and click Edit.
d. Click Add and add the local server group Authenticated Users or \Users (this usually contains the DOMAIN\Users group).
e. Select the Read & Execute, List Folder Contents and Read permissions (if you are planning to add Everyone to the /bin folder, grant Read permissions only).
f. Click OK to apply the new settings.
g. Refresh the page; the site should now be browsable.
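The same check and fix can be scripted, which is useful when several web applications share the problem. This is an added example, not part of the original article; the folder path is the sample from the procmon trace and must be replaced with your own VirtualDirectories site folder.

```powershell
# Added example: audit the NTFS ACL of a SharePoint web application's \bin folder and
# grant Authenticated Users the Read & Execute / List Folder Contents / Read rights the
# resolution above requires if they are missing.
# Assumption: the path below is the sample site folder; substitute your own.
$binPath   = 'C:\inetpub\wwwroot\wss\VirtualDirectories\Web80.Contoso.com80\bin'
$principal = 'NT AUTHORITY\Authenticated Users'
# ReadAndExecute already includes ListDirectory and Read, matching the three checkboxes in the UI.
$required  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

$acl = Get-Acl -Path $binPath
$existing = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $principal -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $required) -eq $required)
}

if ($existing) {
    Write-Host "$principal already has Read & Execute on $binPath"
} else {
    Write-Host "$principal lacks Read & Execute on $binPath; granting it"
    # Inherit to files and subfolders under \bin; Allow, not Deny.
    $ruleArgs = @($principal, $required, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
    $acl.AddAccessRule($rule)
    Set-Acl -Path $binPath -AclObject $acl
}

# Show the resulting entries so the change can be confirmed before the worker process,
# impersonating a non-admin user as in the procmon trace above, retries the read.
(Get-Acl -Path $binPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $principal } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, InheritanceFlags
```

Run it from an elevated SharePoint Management Shell or PowerShell prompt on the web front end; Set-Acl needs rights to change the folder's DACL.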

More Information

If an administrator accesses the site or feature that caused the error, the subsequent requests from non-administrators succeed. This behavior is typically associated with a lack of permissions on the temporary folder where ASP.NET assemblies are Just In Time compiled.

The freb trace shows a 403.0 for ManagedPipelineHandler

It goes through quite a few ASP.NET events, but the failure happens during ASPNetPageRender: it reaches ASPNetPageRender Enter, then ASPNetHTTPHandler Leave. Only then does it return a 403.0, which is not an official RFC error; the first sub-status for 403 is 403.0.

Application pool in Classic or Integrated mode

Application Pool in Classic Mode: in this case, we can configure a wildcard mapping for ASPNET_ISAPI.dll at the website level. That propagates to the child virtual directories, so no further modifications should be needed at the virtual directory level.

Application Pool in Integrated Mode: in this case, all relevant virtual directories need individual modifications. They need to be set for the specific handler.


Configure Multiple App Domain

Introduction

One of the feature updates of the March 2013 Public Update for SharePoint 2013 enables you to use multiple app domains in SharePoint 2013 environments with alternate access mapping or host-header web application configurations.

Microsoft introduced a new concept with SharePoint 2013 and Office 365 to extend the out-of-the-box functionality: instead of the usual approach of farm solutions, you can now add apps (add-ins) written in JavaScript or .NET and host them outside the SharePoint environment, without having to deploy code into SharePoint. This increases re-usability, enhances security and protects farm stability through code isolation.

To have apps working you need to configure an app domain, which is the cornerstone of the apps model. In some cases you will need more than one app domain configured, so I am going through this topic in the following lines.

Why do we need multiple App Domains?

  • You can use an app domain with alternate access mappings or host-header web application configurations.
  • You can configure an app domain for each web application zone and use alternate access mapping and host-header web application configuration.
  • You cannot share the same app domain when the web applications do not have the same application pool identity or their authentication schemes do not match.

Steps to configure multiple app domain

Follow the steps below to create another app domain for a specific web application, taking into account that you already have an app domain and this is a new one for your host-header web application.

1-    Configure the first app domain: refer to the links below to configure it if you don't have an existing app domain.

2-    Open the SharePoint Management Shell as administrator and run the following commands:

# Enable more than one app domain across the farm's content web service
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$contentService.SupportMultipleAppDomains = $true
$contentService.Update()

3-   Then do an IIS reset.

4-   Create a Forward Lookup Zone in DNS for the other app domain (testdomain.mycompany.com); make sure this is a new domain that differs from any other domain you created before.
5-   Then run this command:

New-SPWebApplicationAppDomain -AppDomain "testdomain.mycompany.com" -Port 81 -WebApplication http://testsite.companydomain.com

6-    Then do an IIS reset.

Note: you need to use a port that is not already in use.

Design Notes:

  • You cannot use IIS ports that are already being used when you configure app domains.
  • If the app domain is configured to use secure sockets layer (SSL) you must configure the app domain to use a wildcard certificate and bind the SSL to a different port from the web application SSL port.
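Steps 2 to 5 and the two design notes can be run as one script that refuses to proceed when the port is already bound in IIS or the new zone does not resolve. This is an added example, not from the original article; it assumes the article's sample app domain, web application URL and port, and that the DNS zone has the wildcard record SharePoint app URLs need.

```powershell
# Added example: preflight the design notes above, then apply steps 2 and 5.
# Assumptions: the values below are the article's samples; replace them with yours.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

$appDomain = 'testdomain.mycompany.com'
$webAppUrl = 'http://testsite.companydomain.com'
$port      = 81

# Design note: the port must not already be bound by any IIS site on this server.
# bindingInformation looks like "*:80:" or "10.0.0.5:443:host", so the port is field 1.
$inUse = Get-WebBinding | Where-Object { ($_.bindingInformation -split ':')[1] -eq "$port" }
if ($inUse) {
    throw "Port $port is already bound in IIS ($($inUse.bindingInformation -join ', ')); pick another port."
}

# Step 4 check: a constructed host under the new zone must resolve before SharePoint
# starts issuing app URLs beneath it (assumes a wildcard record in the zone).
$probe = "apptest-preflight.$appDomain"
try {
    Resolve-DnsName -Name $probe -ErrorAction Stop | Out-Null
} catch {
    throw "DNS does not resolve hosts under $appDomain; create the forward lookup zone first."
}

# Step 2: allow more than one app domain on the farm (an IIS reset is still needed afterwards).
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
if (-not $contentService.SupportMultipleAppDomains) {
    $contentService.SupportMultipleAppDomains = $true
    $contentService.Update()
}

# Step 5: bind the new app domain to the host-header web application on the free port.
New-SPWebApplicationAppDomain -AppDomain $appDomain -WebApplication $webAppUrl -Port $port

# Confirm which app domains are now registered for this web application.
Get-SPWebApplicationAppDomain -WebApplication $webAppUrl | Select-Object AppDomain, Port, Zone
```

Run iisreset after the script completes, as steps 3 and 6 require; add -SecureSocketsLayer and a wildcard certificate binding on a separate port if the app domain must use SSL.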

Overall, apps are an important and interesting topic and the future for developing and extending functionality in SharePoint and Office 365. Whether you need one app domain or several in your on-premises environment depends on the case, per the design notes and benefits presented above. My recommendation is to use a single app domain shared across all web applications where you can; if you have design constraints, you can add multiple app domains, knowing that this increases the operational effort of configuring and maintaining them.