HTTP 403 Forbidden error when trying to browse to a SharePoint web app

We received the following error when browsing to a SharePoint web app:

The website declined to show this webpage
HTTP 403
Most likely causes:
This website requires you to log in.


If we create a copy of the web.config file, rename the web.config file and refresh the home page, we receive an "HTTP 404 – Page Not Found" error.

Rename the web.config file back and refresh the page. The site is browsable for a while before failing again after some time. We see the following error in Failed Request Tracing:


A procmon trace captured while accessing the web app from the server showed the following:

w3wp.exe 4180 CreateFile

C:\inetpub\wwwroot\wss\VirtualDirectories\Web80.Contoso.com80\bin ACCESS DENIED Desired Access: Read Data/List Directory, Synchronize
Disposition: Open
Options: Directory, Synchronous IO Non-Alert
Attributes: n/a
ShareMode: Read, Write, Delete
AllocationSize: n/a
Impersonating: NT AUTHORITY\IUSR


This issue usually occurs when a request from an authenticated user without local admin rights results in a failed read of the /BIN directory by the impersonating w3wp.exe (IIS worker process for ASP.NET) process.

This behavior is typically associated with lack of permissions to the temporary folder /BIN where ASP.Net assemblies are Just In Time (JIT) compiled.
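The triage step described above can be repeated on an exported trace. The following is an added example, not part of the original post: it filters a Procmon CSV export for ACCESS DENIED results from w3wp.exe and reports the impersonated account. It assumes Procmon's default CSV columns; the sample rows are constructed (the first mirrors the trace above) and `Get-W3wpAccessDenied` is a hypothetical helper name.

```powershell
# Constructed sample in Procmon's CSV export layout (default columns assumed);
# the first row mirrors the trace in the post, the other two are filler.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","w3wp.exe","4180","CreateFile","C:\inetpub\wwwroot\wss\VirtualDirectories\Web80.Contoso.com80\bin","ACCESS DENIED","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"10:01:02.3","w3wp.exe","4180","CreateFile","C:\inetpub\wwwroot\wss\VirtualDirectories\Web80.Contoso.com80\web.config","SUCCESS","Desired Access: Generic Read, Disposition: Open"
"10:01:03.0","svchost.exe","912","RegOpenKey","HKLM\SOFTWARE\Example","ACCESS DENIED","Desired Access: Read"
'@

# Hypothetical helper: keep only ACCESS DENIED results from the IIS worker process and
# pull the impersonated account and the requested access out of the Detail column.
function Get-W3wpAccessDenied {
    param([Parameter(Mandatory = $true)] [object[]] $Events)

    foreach ($e in $Events) {
        if ($e.'Process Name' -ne 'w3wp.exe' -or $e.Result -ne 'ACCESS DENIED') { continue }

        # No "Impersonating:" field means the call used the worker process's own token.
        $identity = '(process identity)'
        if ($e.Detail -match 'Impersonating:\s*([^,]+)') { $identity = $Matches[1].Trim() }

        $access = ''
        if ($e.Detail -match 'Desired Access:\s*(.+?),\s*Disposition:') { $access = $Matches[1] }

        [pscustomobject]@{
            Path = $e.Path; Operation = $e.Operation; PID = $e.PID
            Identity = $identity; DesiredAccess = $access
        }
    }
}

$denied = Get-W3wpAccessDenied -Events ($sampleCsv | ConvertFrom-Csv)

# One line per (path, identity) pair shows which ACL to inspect and for which account.
$denied | Group-Object Path, Identity |
    Select-Object Count, Name |
    Format-Table -AutoSize -Wrap
```

To use it on a real capture, replace `$sampleCsv | ConvertFrom-Csv` with `Import-Csv` on the file saved from Procmon.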

Resolution

The solution is to ensure that the Authenticated Users or \Users group (which usually contains DOMAIN\Users group) has Read & Execute, List Folder Contents and Read permissions on the /BIN folder below:

C:\inetpub\wwwroot\wss\VirtualDirectories\{Sitename80}

Follow the steps below to grant the required permissions:

a. Open Windows Explorer and navigate to the /bin directory of your web application
b. Right-click on the folder and click on Properties
c. Go to Security tab and click on Edit
d. Click on Add and add the local server group Authenticated Users or \Users (this usually contains DOMAIN\Users group).
e. Select the Read & Execute, List Folder Contents and Read permissions (if you are planning to add Everyone to the /bin folder, grant Read permissions only)
f. Click OK to apply the new settings
g. Refresh the page and we should be able to browse to the site.
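The same check and grant can be scripted. This is an added example, not part of the original post: it reads the ACL of the /bin folder and, only when run with `-Fix`, adds Read & Execute for Authenticated Users. The `$BinPath` default reuses the placeholder path from this post, and the `-Fix` switch is a name chosen for this example.

```powershell
# Added example: check the bin folder ACL and, with -Fix, grant Authenticated Users
# the same rights the Explorer steps above select.
param(
    # Placeholder path from the post; substitute your web application's folder name.
    [string] $BinPath = 'C:\inetpub\wwwroot\wss\VirtualDirectories\{Sitename80}\bin',
    [switch] $Fix
)

# S-1-5-11 is the well-known SID of Authenticated Users; a SID is locale independent.
$sid    = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
$needed = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

$acl = Get-Acl -LiteralPath $BinPath

# Allow entries for the SID that apply to the folder itself (InheritOnly entries do not).
$effective = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        -not ($_.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -and
        ($_.FileSystemRights -band $needed) -eq $needed
    }

if ($effective) {
    Write-Host "OK: Authenticated Users already has Read & Execute on $BinPath"
}
elseif ($Fix) {
    # ContainerInherit + ObjectInherit = "This folder, subfolders and files", the scope
    # the Explorer dialog applies by default. No write or modify rights are granted.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, $needed, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $BinPath -AclObject $acl
    Write-Host "Granted Read & Execute to Authenticated Users on $BinPath"
}
else {
    Write-Host "MISSING: Authenticated Users lacks Read & Execute on $BinPath (re-run with -Fix)"
    # Show the current entries so an explicit Deny or a broken inheritance chain is visible.
    $acl.Access | Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited
}
```

Run it from an elevated prompt on each web front end; without `-Fix` it only reports.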

More Information

If an administrator accesses the site/feature that caused the error, the subsequent requests from non-administrators would succeed. This behavior is typically associated with lack of permissions to the temporary folder where ASP.Net assemblies are Just In Time compiled.

The freb trace shows a 403.0 for ManagedPipelineHandler

It seems to go through quite a few ASPNet events, but the failure happens during ASPNetPageRender: it goes to ASPNetPageRender Enter, then ASPNetHTTPHandler Leave. Only then does it get a 403.0, which is not an official RFC error. The first sub-status for 403 is 403.0.

Application pool in Classic or Integrated mode

Application Pool in Classic Mode – In this case, we can configure a Wildcard mapping for ASPNET_ISAPI.dll at the website level. That would propagate to child virtual directories. That should not need any further modifications at the virtual directory level.

Application Pool in Integrated Mode – In this case, all relevant virtual directories would need individual modifications. They need to be set for specific handler.

 


Content databases contain orphaned Apps SharePoint 2013

SharePoint Health Analyzer rule “Content databases contain orphaned Apps.”

In some situations a content database may become corrupted. The corrupted database may contain orphaned apps. Orphaned apps are not accessible, which causes unnecessary resource and license consumption and may result in failures in SharePoint upgrade.

Solution:

Remove app for SharePoint instances from a SharePoint 2013 site.

A user must have the Manage Web site permission to remove an app for SharePoint. By default, this permission is only available to users with the Full Control permission level or who are in the site Owners group.

To remove an app from a SharePoint site

  1. Verify that the user account that is performing this procedure is a member of the Site owners group.
  2. On the site, on the Settings menu, click View Site Contents.
  3. In the Apps section, point to the app that you want to remove, click …, and then click Remove.
  4. Click OK to confirm that you want to remove the app.

To remove an app by using Windows PowerShell

Verify that you have the following memberships:

a. securityadmin fixed server role on the SQL Server instance.
b. db_owner fixed database role on all databases that are to be updated.
c. Administrators group on the server on which you are running the Windows PowerShell cmdlets.
d. Site Owners group on the site collection to which you want to install the app.

An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 15 Products cmdlets.

On the Start screen, click SharePoint 2013 Management Shell.

Type the following commands, and press ENTER after each one:

$instances = Get-SPAppInstance -Web <URL>
# Gets all apps installed to the subsite you specify.

$instance = $instances | where {$_.Title -eq '<app_title>'}
# Sets the $instance variable to the app with the title you supply.

Uninstall-SPAppInstance -Identity $instance
# Uninstalls the app from the subsite.

Where:
<URL> is the path to the site collection or subsite that contains the app.
<app_title> is the title of the app you want to remove.

At the question “Are you sure you want to perform this action?”,
type Y to uninstall the app.

Locate and remove app instances in all locations

An app for SharePoint in the App Catalog is available for users to install. Users can install apps for SharePoint on many sites.

The two Windows PowerShell scripts below can be used to find all locations for a specific app and then uninstall all instances from every location.

Use the first script to locate all instances of a specific app in a SharePoint environment. Then use the second script to uninstall all instances of the app from the SharePoint environment.

To locate specific apps by using Windows PowerShell (save as script and run script)

Verify that you have the following memberships:

a. securityadmin fixed server role on the SQL Server instance.
b. db_owner fixed database role on all databases that are to be updated.
c. Administrators group on the server on which you are running Windows PowerShell cmdlets.

An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

1. Save the script below as “Get-AppInstances.ps1”.

This Windows PowerShell script gets all app instances from your SharePoint 2013 farm for a specified App ID on a specified web application. You specify the App ID and the web application URL and the script will list all of the instances of the App for all webs in that web application.

param(
    [Parameter(Mandatory=$true)] [Guid] $productId,
    [Parameter(Mandatory=$true)] [String] $webAppUrl
)

# Walks every site collection and web in the web application and collects
# the webs that have an instance of the app with the given product ID.
function GetAllInstances($productId = $null, $webAppUrl = $null)
{
    $outAppName = "";
    $sites = Get-SPSite -WebApplication $webAppUrl
    $outWebs = @()
    foreach($site in $sites){
        # Skip administration sites.
        if($site.AdministrationSiteType -ne "None"){
            continue;
        }
        $webs = Get-SPWeb -site $site
        foreach($web in $webs) {
            $appinstances = Get-SPAppInstance -Web $web
            foreach($instance in $appinstances) {
                if($productId -eq $instance.App.ProductId) {
                    if ($outAppName -eq "") {
                        $outAppName = $instance.Title;
                    }
                    $outWebs += $web;
                }
            }
        }
    }
    return ($outAppName,$outWebs)
}

Write-Host "This script will search all the sites in the webAppUrl for installed instances of the App."
$confirm = Read-Host "This can take a while. Proceed? (y/n)"
if($confirm -ne "y"){
    Exit
}

$global:appName = $null;
$global:webs = $null;

# Run the search with elevated privileges so that every site can be read.
[Microsoft.SharePoint.SPSecurity]::RunWithElevatedPrivileges(
{
    $returnvalue = GetAllInstances -productId $productId -webAppUrl $webAppUrl;
    $global:appName = $returnvalue[0];
    $global:webs = $returnvalue[1];
}
);

$count = $global:webs.Count;
if($count -gt 0){
    Write-Host "App Name:" $global:appName;
    Write-Host "Product Id: $productId";
    Write-Host "Number of instances: $count";
    Write-Host "";
    Write-Host "Urls:";

    foreach($web in $global:webs) {
        Write-Host $web.Url;
    }
}
else {
    Write-Host "No instances of the App with Product Id $productId found.";
}
return;

  2. Open “SharePoint 2013 Management Shell”.
  3. Change to the directory where you saved the file.
  4. At the Windows PowerShell command prompt, type the following command:

./Get-AppInstances.ps1 -productId <GUID> -webAppUrl <URL>

<GUID> is the GUID ID of the App
and <URL> is the full URL of the web application.

To uninstall specific apps from all locations by using Windows PowerShell (save as script and run script)

1. Verify that you have the following memberships:

a. securityadmin fixed server role on the SQL Server instance.
b. db_owner fixed database role on all databases that are to be updated.
c. Administrators group on the server on which you are running Windows PowerShell cmdlets.

An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

2. Save the script below as “Remove-App.ps1”.

This Windows PowerShell script removes all app instances from your SharePoint 2013 farm for a specified App ID on a specified web application. You specify the App ID and the web application URL and the script will remove all of the instances of the App for all webs in that web application.

param(
    [Parameter(Mandatory=$true)] [Guid] $productId,
    [Parameter(Mandatory=$true)] [String] $webAppUrl
)

# Walks every site collection and web in the web application and uninstalls
# each instance of the app with the given product ID, without prompting per instance.
function RemoveInstances($productId = $null, $webAppUrl = $null)
{
    $outAppName = "";
    $sites = Get-SPSite -WebApplication $webAppUrl
    $outWebs = @()
    foreach($site in $sites){
        # Skip administration sites.
        if($site.AdministrationSiteType -ne "None"){
            continue;
        }
        $webs = Get-SPWeb -site $site
        foreach($web in $webs) {
            $appinstances = Get-SPAppInstance -Web $web
            foreach($instance in $appinstances) {
                if($productId -eq $instance.App.ProductId) {
                    if ($outAppName -eq "") {
                        $outAppName = $instance.Title;
                    }
                    $outWebs += $web;
                    Write-Host "Uninstalling from" $web.Url;
                    Uninstall-SPAppInstance -Identity $instance -confirm:$false
                }
            }
        }
    }
    return ($outAppName,$outWebs)
}

$confirm = Read-Host "This will uninstall all instances of the App and is irreversible. Proceed? (y/n)"
if($confirm -ne "y"){
    Exit
}

$global:appName = $null;
$global:webs = $null;

# Run the removal with elevated privileges so that every site can be reached.
[Microsoft.SharePoint.SPSecurity]::RunWithElevatedPrivileges(
{
    $returnvalue = RemoveInstances -productId $productId -webAppUrl $webAppUrl;
    $global:appName = $returnvalue[0];
    $global:webs = $returnvalue[1];
}
);

$count = $global:webs.Count;
if($count -gt 0){
    Write-Host "All the instances of the following App have been uninstalled:";
    Write-Host "App Name:" $global:appName;
    Write-Host "Product Id: $productId";
    Write-Host "Number of instances: $count";
    Write-Host "";
    Write-Host "Urls:";

    foreach($web in $global:webs) {
        Write-Host $web.Url;
    }
}
else {
    Write-Host "No instances of the App with Product Id $productId found.";
}
return;

  3. Open SharePoint 2013 Management Shell.
  4. Change to the directory where you saved the file.
  5. At the Windows PowerShell command prompt, type the following command:

./Remove-App.ps1 -productId <GUID> -webAppUrl <URL>

<GUID> is the GUID ID of the App
and <URL> is the full URL of the web application.

If the issue still persists, as described below:

“If you have an orphaned app in the initialized state on a site and you delete the site, Health Analyzer reports that there’s an error and the auto-fix doesn’t work.”

Apply the November 2016 CU, which will 100% resolve the issue:

SharePoint Server 2013 (KB3127933)
SharePoint Foundation 2013 (KB3127930)