tags:

views:

849

answers:

2
+1  Q: 

Executing SPWebApplication.Update with System account throws SecurityException.

Hello.

I`m doing some web.config modifications with SPWebConfigModification class. When adding them to WebApplication and calling Update to it, it throws me SecurityException, although

  • I run code with elevated privilages (and open new instance of SPSite)
  • my assembly is in GAC
  • application pool account is from *wss_admin_wpg* group and web.config file has *wss_admin_wpg* write permissins.

Code

SPSecurity.RunWithElevatedPrivileges(delegate()
{
    addProviderProxy(properties);
});

where addProviderProxy(SPItemEventProperties properties)

using (SPSite site = new SPSite(properties.SiteId))
using (SPWeb web = site.OpenWeb())
{
  ensureSectionGroup(web);
  ...
}

where ensureSectionGroup(SPWeb web)

  SPWebApplication webApp = web.Site.WebApplication; 
  ...
  webApp.Update(); <--Throws exception here

Exception Details

System.Security.SecurityException was caught
  Message="Piekļuve liegta." //(Translates to something like "Access Denied")
  Source="Microsoft.SharePoint"
  StackTrace:
       at Microsoft.SharePoint.Administration.SPPersistedObject.Update()
       at Microsoft.SharePoint.Administration.SPWebApplication.Update()
       at Balticovo.SharePoint.AdjustWebConfigForOutlook.ensureSectionGroup(SPWeb web)
  InnerException:
+1  A: 

As the "Access Denied" error is occurring at SPPersistedObject.Update(), this obviously indicates that there is a problem persisting the object. This is very likely to be a permissions error writing to the SharePoint configuration database (or maybe another SP database).

If possible check the SQL logs or run a SQL Profiler trace to get more information on what account is causing the problem. Check that the account your code is running under has access to the configuration database.

Update:

You can give permission to the configuration database by adding the user to the Farm Administrator's group. This gives them db_owner permission on that database which isn't ideal as that means the account can do anything. However there is no other way (that I know of) that can give access to this database.

If this is a major concern, you could change the permissions yourself via SQL Server Management Studio. Ideally use SQL Profiler and devise a new role that gives just the permissions required. Alternatively try adding the account to the WSS_Content_Application_Pools role and/or the data_reader and data_writer roles.

Alex Angas  2009-09-07 11:49:50
Yes, turns out that SPPersistedObject writes to configuration database and solved this by adding Application Pool account to Farm Administrators (Central Administration > Operations > Update farm administrator's group)Not sure how good it is from security standpoint. Maybe someone can comment on this?
Janis Veinbergs  2009-09-07 11:51:58
@Janis Veinbergs: Added some info on this. Hopefully someone else can give more.
Alex Angas  2009-09-07 12:29:08
A: 

Try running this in a PowerShell script, then retry your update:

$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$contentService.RemoteAdministratorAccessDenied = $false
$contentService.Update()

I'm still getting the hang of 2010 permissions, so take it for what it's worth. According to Paul Kotlyar, that'll help.

Scott M  2010-10-29 01:29:35

related questions

Upgrading Sharepoint 3.0 to SQL 2005 Backend?
Webpart registration error in event log
Sharepoint COMException 0x81020037
Transactional Design Pattern
Deploying InfoPath forms to different SharePoint servers
Profiling/Optimizing (Sharepoint 2007) Web Parts
Retreiving the PC Name of a Client? (Windows Auth)
What's the best way to report errors from a SharePoint workflow?
How to get out parameters working in SharePoint workflows
Editing User Profile w/ Forms Authentication
WSS/MOSS Book
Creating a development environment for SharePoint.
Sharepoint Wikis
Have you used a wiki in your project or group?
Can I copy files to a Network Place from a script or the command line?
How do you deploy your SharePoint solutions?
SharePoint WSS 3.0 Integration with Mac OSX (either Safari or Firefox)
SharePoint - Connection String dialog box during FeatureActivated event
How can I improve the edit-compile-test loop when developing a SharePoint workflow?
Best ajax library for Sharepoint
Alternative Hostname for an IIS web site for internal access only
How to reference to multiple version assembly
MOSS SSP problem - Failed database logons from deleted SSP
Sharepoint: executing stsadm from a timer job + SHAREPOINT\System rights
Can ASP.NET AJAX partial rendering work inside a SharePoint 2007 application page?