Anything for sysadmins!


Access denied in SharePoint 2010

Recently I did an update run on my SharePoint 2010 farm and fixed some errors that were showing in the event log. One of those "fixes" caused an Access Denied on one of the sub-sites. The permissions hadn't changed, and even the Site Collection Administrator account was denied access. Here's what the solution was.

One of the errors that I tried to fix was setting the portal super reader account for proper caching. Unfortunately I didn't take the time to actually read up on it and I just entered an account that "should" work.

This produced a ULS error saying the navigation could not be accessed properly, and that error was directly related to the Access Denied. Setting the account without reading up on it wasn't such a good idea, so I reset the property, which instantly fixed the problem.

To find out how to properly set the "portal super reader account" and also the "portal super user account" visit the link below:


Scheduling the Update-SPProfilePhotoStore command

When you set up your SharePoint 2010 User Profile Service to import users' pictures from Active Directory you will have to run the Update-SPProfilePhotoStore command. Of course you don't want to do this manually every time, so you'll need to schedule it on the SharePoint servers in your farm.

The best place to schedule this is on the Central Administration server.

  1. Open the Task Scheduler and click Create Task…
  2. Enter a name and select an account with enough permissions (in my case the SharePoint Farm account), and check Run whether user is logged on or not
  3. Click the Triggers tab and click New. Select a schedule that makes sense to you. I'm sticking to my User Profiles Service Synchronization task schedule.
  4. Click the Actions tab and click New. In the Add arguments box enter:

    -NonInteractive -NoProfile -Command "& {Add-PSSnapin Microsoft.SharePoint.PowerShell;Update-SPProfilePhotoStore -MySiteHostLocation https://<MysiteHostLocation> -CreateThumbnailsForImportedPhotos 1}"

  5. Click OK and enter the required password

This should start the task every hour and import the Active Directory image right into the User Profile Service which also resizes the images in 3 formats.
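The same hourly task created from a script with schtasks.exe instead of the Task Scheduler GUI, as an added example that is not part of the original post. The task name, the script and log paths and the farm account name are placeholders of mine; the My Site host placeholder is the one from the post.

```powershell
# Added example (not from the post): register the hourly Update-SPProfilePhotoStore task
# with schtasks.exe, which is built into Windows Server 2008 R2 (no extra module needed).
$taskName   = "SharePoint - Update profile photo store"   # placeholder
$runAs      = "DOMAIN\spfarm"                              # farm account, placeholder
$mySiteHost = "https://<MysiteHostLocation>"               # same placeholder as the post
$scriptPath = "C:\SPScripts\Update-PhotoStore.ps1"         # placeholder
$logPath    = "C:\SPScripts\Update-PhotoStore.log"         # placeholder

# The command line from the post, written to a .ps1 that appends its output to a log
# file, so a failed run leaves something to review instead of failing silently.
$body = @"
Add-PSSnapin Microsoft.SharePoint.PowerShell
`$stamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
"`$stamp starting photo store update" | Out-File "$logPath" -Append
Update-SPProfilePhotoStore -MySiteHostLocation $mySiteHost -CreateThumbnailsForImportedPhotos 1 2>&1 |
    Out-File "$logPath" -Append
"@
New-Item -ItemType Directory -Path (Split-Path $scriptPath) -Force | Out-Null
Set-Content -Path $scriptPath -Value $body

# Run the file rather than a long -Command string. /RP * makes schtasks prompt for the
# account's password at creation time, so it never ends up in this script or in history.
$action = "powershell.exe -NonInteractive -NoProfile -ExecutionPolicy RemoteSigned -File $scriptPath"
schtasks.exe /Create /TN $taskName /TR $action /SC HOURLY /RU $runAs /RP "*" /RL HIGHEST /F

# Check the schedule and the last run result (0 means the last run succeeded):
schtasks.exe /Query /TN $taskName /V /FO LIST | Select-String "Last Result", "Next Run Time"
```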


PowerPoint Web App encountered an error

The reason behind this error definitely makes it into my top 10 of mistakes! I'm still not sure whose mistake it was, mine or Microsoft's, but I'm assuming that it's mine to be on the safe side.

The error message "PowerPoint Web App encountered an error. Please try again." doesn't really tell you where to look, but it's quite clear that you should start at the web application and check if it's operating properly. My problem was that the PowerPoint Service Application actually was a Word Viewing Service Application. It's easy enough to fix by deleting it and recreating it, however here are some other approaches that you might find useful.

  1. Open the Central Administration
  2. Go to Application Management and select Manage service applications in the Service Applications section
  3. Locate the PowerPoint Service Application
    1. If you have one that is actually a PowerPoint Service Application, remove it and recreate it
    2. If you can't find one, create it
  4. Go back to the Application Management page and select Configure service application associations
  5. Make sure that the Web application that you're getting the error on has a PowerPoint Service Application Proxy in its Application Proxy Group
  6. Go back to the Application Management page and select Manage services on server
  7. Make sure that there's a PowerPoint Service with the status Started on the server that you're getting the error on

If it's still not fixed, you can comment below and I'll get back to you with the solution as soon as possible!


Setting up SharePoint Claims Based Authentication with Azure

I ran into a couple of good articles on setting up Claims Based Authentication on SharePoint 2010 using Azure. In these pages Mike Hacker runs you through all the settings in the Azure ACS panel and SharePoint 2010.

Part 1:


The only problem I found after following these guides was that the logon token cache expiration window expired way too fast. To solve this you'll have to set the LogonTokenCacheExpirationWindow to 1 minute instead of 10.

  1. Open the SharePoint 2010 Management Shell and run the commands below:

    $StsC = Get-SPSecurityTokenServiceConfig
    $StsC.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 1)
    $StsC.Update()
    iisreset


SharePoint Search Service: Access is denied

When I was working on getting the search working on my SharePoint 2010 Farm I ran into 2 problems. Both problems caused the same error:

Access is denied. Verify that either the Default Content Access Account has access to this repository, or add a crawl rule to crawl this repository. If the repository being crawled is a SharePoint repository, verify that the account you are using has "Full Read" permissions on the SharePoint Web Application being crawled.

This is quite a clear error, but there might be a couple of solutions that are less obvious.

Solution 1

Disable the loopback check.

  1. Click Start, click Run, type regedit, and then click OK
  2. In Registry Editor, locate and then click the following registry key:
  3. Right-click Lsa, point to New, and then click DWORD Value
  4. Type DisableLoopbackCheck, and then press ENTER
  5. Right-click DisableLoopbackCheck, and then click Modify
  6. In the Value data box, type 1, and then click OK
  7. Quit Registry Editor, and then restart your computer
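The same registry change from PowerShell, alongside the narrower option of exempting only specific host names from the loopback check, as an added example that is not part of the original post. It assumes the Lsa key path is the standard one the "Right-click Lsa" step refers to, and the host names are placeholders for your own web application URLs.

```powershell
# Added example (not from the post). Assumption: the standard Lsa key path.
$lsaKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"

# Option A, what the post does: turn the loopback check off for the whole server.
# This also drops the protection for every other local service, so treat it as the
# fallback if Option B does not clear the "Access is denied" crawl error.
function Disable-LoopbackCheck {
    New-ItemProperty -Path $lsaKey -Name DisableLoopbackCheck -PropertyType DWord -Value 1 -Force | Out-Null
    # Takes effect after a reboot, as in step 7 of the post.
}

# Option B: keep the check on and exempt only the SharePoint host names the crawler
# connects to (multi-string value BackConnectionHostNames under Lsa\MSV1_0).
# Existing entries are preserved and duplicates removed.
function Add-BackConnectionHostName {
    param([string[]]$HostName)
    $msvKey  = Join-Path $lsaKey "MSV1_0"
    $current = (Get-ItemProperty -Path $msvKey -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames
    $merged  = @(@($current) + $HostName | Where-Object { $_ } | Select-Object -Unique)
    New-ItemProperty -Path $msvKey -Name BackConnectionHostNames -PropertyType MultiString -Value $merged -Force | Out-Null
    Restart-Service IISAdmin -Force   # Option B only needs the IIS Admin service restarted, not a reboot
}

# Placeholder host names; use the host headers of the web applications being crawled.
Add-BackConnectionHostName -HostName "sharepoint.domain.local", "mysite.domain.local"
Get-ItemProperty -Path (Join-Path $lsaKey "MSV1_0") -Name BackConnectionHostNames
```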

Solution 2

This one applies specifically when you're crawling the people search (sps) content source: make sure that the default content access account (crawl account) has access to the User Profile Service Application.

  1. Open the Central Administration and go to Application Management
  2. Click Manage service applications in the Service Applications section
  3. Select the User Profile Service Application and click on Administrators
  4. Add your content access account and give it the Retrieve People Data for Search Crawlers permission

Hope this helps you!


Event 5555 – No User Profile Application available to service the request

I was troubleshooting some problems with the User Profile Service of SharePoint 2010 and ran into event ID 5555. The error seemed to recur every day around 6:11 AM.

Failure trying to synch web application e888f5cd-9e4b-4396-a693-2e81ba156b0b, ContentDB 33167fc6-5268-4acc-aac2-f4b2aaf789f7 Exception message was Microsoft.Office.Server.UserProfiles.UserProfileApplicationNotAvailableException: No User Profile Application available to service the request. Contact your farm administrator.
at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.get_ApplicationProperties()
at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.get_PerfmonInstanceHandle()
at Microsoft.Office.Server.UserProfiles.ContentDBSynchronizer..ctor(ELogType logType, SPContentDatabase cdb, SPJobState jobState)
at Microsoft.Office.Server.UserProfiles.WSSProfileSyncJob.Execute()

This error occurs because the job collides with another job that is running at the same time. The fix is quite easy: change the other job's schedule so the two no longer collide.

  1. Log into the SharePoint 2010 Central Administration
  2. Click Monitoring
  3. Click Review Job Definitions
  4. Go to the second page and click Timer Service Recycle
  5. Change the start time and the no later than time to 6:30 PM
  6. Click OK

It's smart to check the event viewer the next day to make sure that the problem has been resolved.


Event 6398 – Microsoft.SharePoint.Administration.SPSqmTimerJobDefinition exception

Log Name: Application
Source: Microsoft-SharePoint Products-SharePoint Foundation
Event ID: 6398
Task Category: Timer
Level: Critical
User: domain.local\spfarm
Computer: server.domain.local
The Execute method of job definition Microsoft.SharePoint.Administration.SPSqmTimerJobDefinition (ID d470d42a-3a3e-46c2-8c54-98a33d11bec7) threw an exception. More information is included below.
Data is Null. This method or property cannot be called on Null values.

This error is obviously raised by the SharePoint Timer Service: the job doesn't run properly because its data is Null. To find the cause you'll first have to find the timer job that is throwing it. In my case it was the CEIP Data Collection (Customer Experience Improvement Program) job.

  1. Go to the SharePoint Central Administration
  2. Click Monitoring
  3. Then click Review job definitions in the Timer Jobs section
  4. Find the job that is causing the exception by hovering over the links and comparing the GUID in the URL with the ID from the event
  5. Click the job and click Disable

The error should now be gone!


SharePoint 2010 Trusted Identity Token Issuer Error

I was setting up SharePoint to use Federated Authentication with Azure Access Control Service (ACS) when I ran into an error. After checking the SharePoint logs I found the following lines:

07/15/2011 10:23:36.54     w3wp.exe (0x1670)     0x0C60    SharePoint Foundation     Claims Authentication     eu2n    Monitorable    Trusted login provider 'Public Account' is not sending configured input identity claim type ''    

07/15/2011 10:23:36.54     w3wp.exe (0x1670)     0x0C60    SharePoint Foundation     Monitoring     b4ly    High     Leaving Monitored Scope (SPSecurityTokenService.GetTokenLifetime()). Execution Time=125,240686737495    

07/15/2011 10:23:36.56     w3wp.exe (0x1670)     0x0C60    SharePoint Foundation     Claims Authentication     fo1t    Monitorable    SPSecurityTokenService.Issue() failed: System.ServiceModel.FaultException: The trusted login provider did not supply a token accepted by this farm. at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo.ValidateTrustedLoginRequest() at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo..ctor(IClaimsIdentity identity, RequestSecurityToken request, Boolean initializeForActor) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo..ctor(IClaimsPrincipal principal, RequestSecurityToken request) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetTokenLifetime(Lifetime requestLifetime) at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityT...    

07/15/2011 10:23:36.56*    w3wp.exe (0x1670)     0x0C60    SharePoint Foundation     Claims Authentication     fo1t    Monitorable    ...oken request) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityToken request)

Also the event viewer returned the following error:

Log Name: Application
Source: Microsoft-SharePoint Products-SharePoint Foundation
Date: 15-7-2011 10:23:36
Event ID: 8306
Task Category: Claims Authentication
Level: Error
User: DOMAIN\user
Computer: sharepoint.domain.local
An exception occurred when trying to issue security token: The trusted login provider did not supply a token accepted by this farm..

Quite obviously when I select Windows Live ID it doesn't return the expected type of claim; namely


In Azure ACS you can set which claim type is retrieved from the identity provider and which claim type is returned. The Windows Live ID identity provider doesn't support email address as a claim type, but you can map its only available input claim type to any other type that you use to validate the incoming claim in SharePoint.

My SharePoint environment is set up to validate through emailaddress. I'll have to map the '' claim type to the '' claim type as shown below.

  1. Navigate to your Azure ACS URL (https://<ServiceNamespace>
  2. Click Rule groups
  3. Click the Rule group that is used by your SharePoint environment
  4. Click on the only entry with Windows Live ID as Claim Issuer
  5. Check Select Type in the Then section and select the proper claim type ( that SharePoint is expecting
  6. Click Save and check the results

Now try to log in to your SharePoint environment with the Windows Live ID and it should work flawlessly.

One thing to note is that the login name is an odd string of characters instead of a nicely structured email address. Unfortunately there is no way of getting a nice looking login name using Windows Live ID as there is no other option than returning the nameidentifier. This seems kind of odd since it's a Microsoft product and the most restricted Identity provider is also from Microsoft. I hope that Microsoft will add other options soon.
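A check that lists what each trusted identity token issuer in the farm expects, so the ACS rule's output claim type can be compared against it before clicking Save, as an added example that is not part of the original post. The ULS line "is not sending configured input identity claim type" refers to the InputClaimType this prints. It assumes the SharePoint 2010 Management Shell.

```powershell
# Added example (not from the post): show the claim types SharePoint expects from ACS.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Show-TrustedIssuerClaimTypes {
    foreach ($issuer in Get-SPTrustedIdentityTokenIssuer) {
        $identity = $issuer.IdentityClaimTypeInformation
        Write-Host ""
        Write-Host ("Issuer: {0}" -f $issuer.Name)
        # The identity claim is the one the STS validates the login against; this is the
        # value the ACS rule's "Then" claim type has to match.
        Write-Host ("  identity claim SharePoint expects: {0}" -f $identity.InputClaimType)
        Write-Host ("  stored in SharePoint as:           {0}" -f $identity.MappedClaimType)
        Write-Host "  all configured mappings:"
        $issuer.ClaimTypeInformation |
            Format-Table DisplayName, InputClaimType, MappedClaimType -AutoSize |
            Out-String | Write-Host
    }
}

Show-TrustedIssuerClaimTypes
# The claim type chosen in the ACS rule must equal InputClaimType character for character
# (scheme, host and any trailing slash included); otherwise the STS rejects the token and
# logs event 8306 as shown above.
```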


Token Signing Certificate: The Root Certificate is invalid

When you try to add a trust relationship in SharePoint 2010 using the Central Administration you might get an error.

The root certificate that was just selected is invalid. This may be because the selected certificate requires a password and we do not support certificates that require a password. Please select another certificate.

I was certain that the certificate was correct and should be accepted. I managed to import the certificate through PowerShell.

  1. Import the certificate into the Windows Certificate Store, specifically the Personal store
  2. Start a SharePoint 2010 Management Shell session
  3. Locate the certificate in the Personal folder of the Windows Certificate Store and copy the Thumbprint:

    dir cert:\CurrentUser\My

  4. Run the following commands:

    $Cert = Get-Item("cert:\CurrentUser\My\" + "<thumbprint>".Replace(" ", "").ToUpper())
    New-SPTrustedRootAuthority -Name "Token Signing Certificate" -Certificate $Cert

The certificate should now be imported and the trust should be visible in the Central Administration.


Enable Claims based authentication on an existing web application

When you provision a web application in SharePoint 2010 you get the option to enable Claims based authentication. However, after the provisioning there's no option in the GUI to turn it on. PowerShell saves the day again with the option to change from classic to claims based authentication using the lines below.

$WebApp = Get-SPWebApplication "http://site:80"
$WebApp.UseClaimsAuthentication = $true
$WebApp.Update()

The user running these commands should be a member of the SharePoint_Shell_Access role on the config DB and a member of the WSS_ADMIN_WPG local group.

There are some cases where the web.config wasn't updated automatically with the appropriate entries to enable claims based authentication. This will then have to be done manually. To do so read step 5 from this blog post.
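The same switch carried through with the steps that go with it (a Full Control policy so you are not locked out, the migration of existing user identities to claims form, and a re-provisioning pass for the web.config case), as an added example that is not part of the original post. The URL and account name are placeholders of mine; it assumes the SharePoint 2010 Management Shell.

```powershell
# Added example (not from the post): classic to claims on an existing web application.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$url     = "http://site:80"     # placeholder, as in the post
$account = "DOMAIN\spadmin"     # placeholder: the account that administers the site afterwards

$wa = Get-SPWebApplication $url
if ($wa.UseClaimsAuthentication) {
    Write-Host "$url already uses claims authentication; nothing to do."
}
else {
    # 1. Switch from classic to claims and persist it (the post's lines, plus Update()).
    $wa.UseClaimsAuthentication = $true
    $wa.Update()

    # 2. Grant the account Full Control through a web application policy, using its
    #    claims-encoded form (i:0#.w|domain\user), so it keeps access once identities change.
    $claim  = (New-SPClaimsPrincipal -Identity $account -IdentityType WindowsSamAccountName).ToEncodedString()
    $policy = $wa.Policies.Add($claim, "Claims migration admin")
    $policy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole("FullControl"))
    $wa.Update()

    # 3. Rewrite existing user and group entries in the content databases to claims form.
    $wa.MigrateUsers($true)

    # 4. Re-provision on every server so web.config receives the claims entries; this covers
    #    the case where the automatic web.config update did not happen.
    $wa.ProvisionGlobally()

    Write-Host ("{0}: UseClaimsAuthentication is now {1}" -f $url, $wa.UseClaimsAuthentication)
}
```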