HTTP 403 Forbidden error when trying to browse to a SharePoint web app

Received the following error when browsing to a SharePoint web app:

The website declined to show this webpage
HTTP 403
Most likely causes:
This website requires you to log in.


If we make a copy of the web.config file, rename the original web.config and refresh the home page, we receive an “HTTP 404 – Page Not Found” error.

Rename the web.config file back and refresh the page. The site is browsable for a while before failing again after some time. We see the following error in Failed Request Tracing:


A procmon trace captured while accessing the web app from the server showed the following:

w3wp.exe 4180 CreateFile

C:\inetpub\wwwroot\wss\VirtualDirectories\Web80.Contoso.com80\bin ACCESS DENIED Desired Access: Read Data/List Directory, Synchronize
Disposition: Open
Options: Directory, Synchronous IO Non-Alert
Attributes: n/a
ShareMode: Read, Write, Delete
AllocationSize: n/a
Impersonating: NT AUTHORITY\IUSR


This issue usually occurs when a request from an authenticated user without local admin rights results in a failed read of the /BIN directory by the impersonating w3wp.exe process (the IIS worker process for ASP.NET).

This behavior is typically associated with a lack of permissions on the temporary folder /BIN where ASP.NET assemblies are Just-In-Time (JIT) compiled.

Resolution

The solution is to ensure that the Authenticated Users or \Users group (which usually contains the DOMAIN\Users group) has Read & Execute, List Folder Contents and Read permissions on the /BIN folder below

C:\inetpub\wwwroot\wss\VirtualDirectories\{Sitename80}.

Follow the steps below to grant the required permissions:

a. Open Windows Explorer and navigate to the /bin directory of your web application.
b. Right-click the folder and click Properties.
c. Go to the Security tab and click Edit.
d. Click Add and add the local server group Authenticated Users or \Users (this usually contains the DOMAIN\Users group).
e. Select the Read & Execute, List Folder Contents and Read permissions (if you are planning to add Everyone to the /bin folder, grant Read permissions only).
f. Click OK to apply the new settings.
g. Refresh the page; you should now be able to browse to the site.
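The same grant done from PowerShell on the web server, as an added example that is not part of the original post: it first lists who can currently read the folder (to confirm the gap the procmon trace showed), then adds Read & Execute only if the principal does not already have it. The \bin path and the Authenticated Users principal are assumptions to replace with your own web application's values.

```powershell
# Added example, not from the original post. $BinPath and $Principal are placeholders.
$BinPath   = 'C:\inetpub\wwwroot\wss\VirtualDirectories\Web80.Contoso.com80\bin'
$Principal = 'NT AUTHORITY\Authenticated Users'   # or "$env:COMPUTERNAME\Users"
$ReadExec  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

# Show the current read-capable entries so the missing grant is visible before changing anything
$acl = Get-Acl -Path $BinPath
$acl.Access |
    Where-Object { $_.FileSystemRights -match 'Read' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

# Does an Allow entry for the principal already cover Read & Execute (which includes
# List Folder Contents and Read)?
$hasReadExec = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Principal -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $ReadExec) -eq $ReadExec)
}

if (-not $hasReadExec) {
    # Inherit to sub-folders and files so the assemblies inside \bin are covered too
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Principal,
        $ReadExec,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.SetAccessRule($rule)
    Set-Acl -Path $BinPath -AclObject $acl
    Write-Output "Granted Read & Execute on $BinPath to $Principal"
} else {
    Write-Output "$Principal already has Read & Execute on $BinPath"
}
```

Run it in an elevated PowerShell session on the server; after the grant, refresh the site as a non-admin user to confirm the 403 is gone.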

More Information

If an administrator accesses the site or feature that caused the error, subsequent requests from non-administrators succeed. This behavior is typically associated with a lack of permissions on the temporary folder where ASP.NET assemblies are Just-In-Time compiled.

The FREB trace shows a 403.0 for ManagedPipelineHandler.

The request goes through quite a few ASP.NET events, but the failure happens during ASPNetPageRender: it enters ASPNetPageRender, then leaves ASPNetHTTPHandler. Only then does it return a 403.0, which is not an official RFC error; the first sub-status for 403 is 403.0.

Application pool in Classic or Integrated mode

Application Pool in Classic Mode: in this case we can configure a wildcard mapping for ASPNET_ISAPI.dll at the website level. That propagates to child virtual directories and should not need any further modifications at the virtual directory level.

Application Pool in Integrated Mode: in this case all relevant virtual directories need individual modifications; they need to be set for the specific handler.

Accounts used to install and configure SharePoint 2013

Account: SQL Server service account
Purpose: The SQL Server service account is used to run SQL Server. It is the service account for the following SQL Server services:
  • MSSQLSERVER
  • SQLSERVERAGENT
If you do not use the default SQL Server instance, in the Windows Services console these services will be shown as the following:
  • MSSQL
  • SQLAgent
Requirements: Use either a Local System account or a domain user account. If you plan to back up to or restore from an external resource, permissions to the external resource must be granted to the appropriate account. If you use a domain user account for the SQL Server service account, grant permissions to that domain user account. However, if you use the Network Service or the Local System account, grant permissions to the external resource to the machine account (). The instance name is arbitrary and was created when SQL Server was installed.

Account: Setup user account
Purpose: The Setup user account is used to run the following:
  • Setup
  • SharePoint Products Configuration Wizard
Requirements:
  • Domain user account.
  • Member of the Administrators group on each server on which Setup is run.
  • SQL Server login on the computer that runs SQL Server.
  • Member of the following SQL Server roles: securityadmin fixed server role; dbcreator fixed server role.
  • If you run Windows PowerShell cmdlets that affect a database, this account must be a member of the db_owner fixed database role for the database.

Account: Server farm account or database access account
Purpose: The server farm account is used to perform the following tasks:
  • Configure and manage the server farm.
  • Act as the application pool identity for the SharePoint Central Administration Web site.
  • Run the Microsoft SharePoint Foundation Workflow Timer Service.
Requirements: Domain user account. Additional permissions are automatically granted for the server farm account on Web servers and application servers that are joined to a server farm. The server farm account is automatically added as a SQL Server login on the computer that runs SQL Server. The account is added to the following SQL Server security roles:
  • dbcreator fixed server role
  • securityadmin fixed server role
  • db_owner fixed database role for all SharePoint databases in the server farm
Sorry we couldn't follow the document or site (SharePoint 2013)

Problem

Now to what this post is really about and the reason why you stopped at this post: SharePoint 2013 gives an error when you hit the 'Follow' button, with the message: Something went wrong.


In this example I tried to follow a document in a library.

Cause

This pop-up doesn't provide a lot of information, except that it's not working. The next step is to check the good old SharePoint logs at the '15 Hive' location: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS

Analyzing the log file shows that there is a problem opening the content database hosting the users' My Sites. Now it starts to get interesting: reading further down the logs shows the name of the user account that failed to log in (search for the term 'Cannot open database').


The cause of this problem is that the Application Pool Account has no access to the database. This is most probably caused by the service accounts that are used for the SharePoint default web application and the My Sites web application.

This can easily be checked with a PowerShell script :

# The root/MicrosoftIISv2 WMI namespace only exists once the IIS 6 WMI compatibility feature is installed
Add-WindowsFeature Web-WMI | Format-List
# List each application pool with the identity it runs as (WAMUserName is the account name, WAMUserPass its stored password)
Get-CimInstance -Namespace root/MicrosoftIISv2 -ClassName IIsApplicationPoolSetting -Property Name, WAMUserName, WAMUserPass | Select-Object Name, WAMUserName, WAMUserPass


Solution:

This is what you've all been waiting for: how do I solve this annoying issue?
Well, the resolution is pretty easy. You have to go to the database server and give the Application Pool account access to the needed database.

Open your SQL Server on the correct instance and select the user that you found in the SharePoint log. In my case this was the user 'TEST\SP_WebApps'.

Go to the Security – Logins node, right-click the user that you found earlier in the SP logs and select Properties.


Now select the 'User Mapping' node and select the My Sites content database.
Also select 'SPDataAccess' and hit the OK button.


Close the SQL Server and go back to your SharePoint site.

You're set to go and ready to follow documents, libraries, sites, etc.


File name you have received is either invalid or too long (Excel, SharePoint 2013)

I have just created a new web application and site collection in SharePoint 2013. With a large number of documents to place into a document library, I thought it would be easier to copy and paste them using Windows Explorer, so I opened the document library and clicked Open with Explorer.

The filename you've specified is either invalid or too long. Specify a different filename.


As a test I tried to upload a single file using the browser but this generated the following error:

Sorry, something went wrong. The URL 'Shared documents/Project budget.xlsx' is invalid.


The filename isn't very long at all, even including the full path, so I found this quite strange. I immediately started looking through the ULS logs, and the following entry caught my eye; it was logged at the same time I tried to upload the files:

Exception thrown storing stream in new SqlRemoteBlob: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. —> Microsoft.Data.SqlRemoteBlobs.BlobStoreException: There was a generic database error. For more information, see the included exception. —> System.Data.SqlClient.SqlException: RBS Error. Original Error: Number 297, Severity 16, State 1, Procedure rbs_fs_sp_check_pool_size, Line 31, Message: The user does not have permission to perform this action.  Transaction count after EXECUTE indicates a mismatching number of BEGIN and COMMIT statements. Previous count = 1, current count = 0.     at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)

I do have RBS (Remote Blob Storage) enabled for this content database, so it appears that this has got messed up somehow. After reading various other blog posts and TechNet articles, I began some trial and error with the database permissions. The only way I found to solve this was to grant the service account used by the application pool db_owner rights on the content database, in addition to the db_rbs_* permissions.


The original error about the filename being too long or invalid is very misleading; there is no hint of a permissions issue until digging into the ULS logs.

Something went wrong error after enabling RBS (SharePoint 2013)

I have just configured and enabled RBS for my SharePoint 2013 environment and now when I try to access the site I get the following error message:

Sorry, something went wrong

Cannot complete this action.

Please try again.

Yet another fine example of unhelpful error messages from Microsoft! Well, a quick check of the Event Log revealed nothing, so I moved on to the ULS log. Just before the error was generated, the following lines were recorded in the log:

System.Data.SqlClient.SqlException (0x80131904): The EXECUTE permission was denied on the object ‘rbs_fn_get_blob_reference’, database ‘WEBBWORLD_Content_Portal’, schema ‘mssqlrbs’.

SQL error code from last error 229 – The EXECUTE permission was denied on the object ‘rbs_fn_get_blob_reference’, database ‘WEBBWORLD_Content_Portal’, schema ‘mssqlrbs’.

Clearly the problem was down to permissions. After a bit of trial and error, I discovered that the fix was to grant the following permissions to the Application Pool account on the content database:

  • db_rbs_admin
  • db_rbs_filestream_maintaner_1
  • db_rbs_filestream_reader_1
  • db_rbs_filestream_writer_1
  • db_rbs_maintainer
  • db_rbs_reader
  • db_rbs_writer
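The database-side fix that the last three posts all come down to (map the application pool login into the content database, then add it to roles: SPDataAccess for the My Sites content database, the db_rbs_* roles and, where the earlier RBS post needed it, db_owner for an RBS-enabled content database), as an added example that is none of the posts' own code. It uses Invoke-Sqlcmd from the SqlServer module and then reads the resulting role membership back so the change can be verified. Server name, the My Sites database name and the login names are placeholders; WEBBWORLD_Content_Portal and the role names are taken from the posts above.

```powershell
# Added example, not from the original posts. Server, database and login names are placeholders.
function Grant-ContentDbRoles {
    param(
        [Parameter(Mandatory)] [string]   $ServerInstance,
        [Parameter(Mandatory)] [string]   $Database,
        [Parameter(Mandatory)] [string]   $Login,      # e.g. 'CONTOSO\SP_WebApps'
        [Parameter(Mandatory)] [string[]] $Roles
    )
    # Map the login into the database only if it is not already a database user
    $sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Login')
    CREATE USER [$Login] FOR LOGIN [$Login];
"@
    # ALTER ROLE ... ADD MEMBER needs SQL Server 2012 or later; on 2008 R2 use sp_addrolemember
    foreach ($role in $Roles) {
        $sql += "`nALTER ROLE [$role] ADD MEMBER [$Login];"
    }
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $sql

    # Return the roles the login now holds in this database, for verification
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query @"
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'$Login'
ORDER BY r.name;
"@
}

# "Sorry we couldn't follow": SPDataAccess on the My Sites content database
Grant-ContentDbRoles -ServerInstance 'SQL01' -Database 'WSS_Content_MySites' `
    -Login 'CONTOSO\SP_WebApps' -Roles 'SPDataAccess'

# RBS posts: the db_rbs_* roles as listed above (check sys.database_principals on your server
# for the exact spelling), plus db_owner where the filename/RBS post needed it
$rbsRoles = 'db_rbs_admin', 'db_rbs_filestream_maintaner_1', 'db_rbs_filestream_reader_1',
            'db_rbs_filestream_writer_1', 'db_rbs_maintainer', 'db_rbs_reader', 'db_rbs_writer'
Grant-ContentDbRoles -ServerInstance 'SQL01' -Database 'WEBBWORLD_Content_Portal' `
    -Login 'CONTOSO\SP_PortalAppPool' -Roles ($rbsRoles + 'db_owner')
```

The membership query at the end is also a quick way to confirm, before changing anything, which of the roles the application pool login is missing.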