It is complex, I'll try to describe it here.
- If the user and his group have no access rights to anything on the SP site, the user will get a proper "Error: Access Denied" SharePoint page upon logon.
- If the user has some access to something through his group membership, then:
  a. If the user is listed in the All People list, then the user can log on and use the site with no problem.
  b. If the user is not listed in the All People list, then the user will get an IIS 403 Error page. Back on the server, there will be an event of "A process serving application pool '[IIS app pool name]' suffered a fatal communication error with the World Wide Web Publishing Service", which indicates a crash in the IIS app pool. If the user is keen and keeps trying, he can crash the app pool frequently and eventually cause the app pool to stop and the application is down!!!
We are using forms authentication and the ASP.NET membership provider and role provider. It appears that when 2b is happening, SP is repeatedly (should be only once) calling the membership provider GetUser method (until the fatal communication error comes up, I guess). I believe it is for the initial user profile import. When 2a is happening, the GetUser method is not called.
We can manually do things like adding the user to the Visitors group and then taking the user out of the Visitors group, which will add the user to the All People list so he will be able to log on. During the manual process, the membership provider GetUser is also called, but just once, and works fine.
This problem only just started occurring recently and only in one environment (the PRODUCTION!). It was all fine, and the other environments, UAT and the training environment, both don't have this issue. We've compared the environments and checked all the obvious things and couldn't find any differences that could cause this. Production has got around 110 users, which is more than the other environments but still not a lot.
Can anyone out there help?
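One way to confirm the "GetUser is called repeatedly" observation from the post, rather than inferring it from the app-pool event, is to wrap the configured membership provider so that every GetUser call is traced with a per-user counter and any exception escaping the provider is recorded next to it. The code below is an added diagnostic example, not the poster's code or a SharePoint component; it assumes the site is configured with SqlMembershipProvider (swap in whichever provider web.config actually names) and that the class name LoggingMembershipProvider is registered in the `<membership>` section in place of the original provider.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Web.Security;

// Hypothetical diagnostic wrapper (assumption: the site's provider is
// SqlMembershipProvider; derive from whatever provider web.config names).
// Register it as the default provider in <membership> so SharePoint calls
// this class instead, then watch the trace output while reproducing case 2b.
public class LoggingMembershipProvider : SqlMembershipProvider
{
    // Per-user call counter; lives for the lifetime of the app domain, so a
    // burst of calls for one username during a single logon stands out.
    private static readonly Dictionary<string, int> Calls = new Dictionary<string, int>();
    private static readonly object CallsLock = new object();

    // Returns the number of GetUser calls seen so far for this username
    // (1 on the first call), so the count can be checked as well as traced.
    public static int RecordCall(string username)
    {
        string key = username ?? string.Empty;
        lock (CallsLock)
        {
            int n;
            Calls.TryGetValue(key, out n);
            n++;
            Calls[key] = n;
            return n;
        }
    }

    public override MembershipUser GetUser(string username, bool userIsOnline)
    {
        int n = RecordCall(username);
        Trace.TraceInformation("GetUser(\"{0}\", userIsOnline={1}) call #{2}",
                               username, userIsOnline, n);
        try
        {
            return base.GetUser(username, userIsOnline);
        }
        catch (Exception ex)
        {
            // Record any failure inside the provider alongside the call count;
            // correlate its timestamp with the IIS "fatal communication error" event.
            Trace.TraceError("GetUser(\"{0}\") threw: {1}", username, ex);
            throw;
        }
    }
}
```

Point System.Diagnostics tracing at a file listener (a `<system.diagnostics>` `<trace>` section in web.config) so the counts survive an app-pool recycle; comparing the trace from the production environment with one from UAT for the same user gives a concrete difference to chase instead of the bare 403.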