SharePoint throwing out HTTP 403 errors

I was recently working within a SharePoint 2010 Intranet environment where there was widespread use of the ‘Content Query Web Part’ (CQWP) across multiple site collections. To facilitate and enhance the performance of the CQWP, the SharePoint ‘Object Cache’ model was introduced.

The CQWP leverages cross-list query caching to improve its response time and efficiency, as no round-trip call to SQL is required, and by default two OOTB system accounts are used to cache queries. As a best practice, the recommended approach is to run these two accounts (Super User & Super Reader) under the context of a domain user account, and this policy was adhered to (so far, so good).

However, these two domain accounts were configured to run as SharePoint ‘Managed Accounts’ (not at all necessary), and recently, to comply with a security password policy, their passwords were changed (by SharePoint). No visibility of their new passwords was required, but somehow (or more likely, someone in their wisdom) both accounts were removed from the User Policy of the Web Application which hosts the Intranet platform. The end result: a number of HTTP 403 errors when users tried to edit any SharePoint list items.

The HTTP 403 wasn’t helpful in the slightest, although what we found in the ULS provided us with a good troubleshooting starting point:

/home/department/management: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)), stack trace:
   at Microsoft.SharePoint.Library.SPRequest.GetAclForCurrentWeb(String bstrWebUrl, Boolean fRequirePermissionCheck, Object& pvarRawAcl, UInt64& lAnonymousMask)
   at Microsoft.SharePoint.SPReusableAcl..ctor(SPWeb web, Boolean requirePermissionCheck)
   at Microsoft.SharePoint.SPWeb.GetReusableAcl(Boolean requirePermissionCheck)
   at Microsoft.SharePoint.Publishing.AclCache.AddAclIfNecessary(Guid scopeId, SPSecurableObject o)
   at Microsoft.SharePoint.Publishing.CachedArea..ctor(PublishingWeb area, String id, String parentId, CachedUserResource title, String url, CachedUserR…
2866034f-1c05-4f35-bac2-655847b2ebbd

Once we added the Object Cache Super Users back to the policy of the Web Application, all of the list items were now responding and the panic was over. Now the witch-hunt could begin….
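
A check for the condition described above, as an added example that is not part of the original post: it reads the two object cache accounts from the web application property bag and reports whether each one is still present in the User Policy with the expected role. The URL is a placeholder; the property names (`portalsuperuseraccount`, `portalsuperreaderaccount`) and the Full Control / Full Read roles are assumed from Microsoft's documented object cache configuration rather than taken from this post.

```powershell
# Added example: audit the Object Cache accounts against the web application
# User Policy. Run from the SharePoint 2010 Management Shell as a farm admin.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-ObjectCachePolicy {
    param([Parameter(Mandatory = $true)][string]$WebApplicationUrl)

    $wa = Get-SPWebApplication -Identity $WebApplicationUrl

    # Property bag key -> policy role the account is expected to hold
    $expected = @{
        'portalsuperuseraccount'   = [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl
        'portalsuperreaderaccount' = [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead
    }

    foreach ($key in $expected.Keys) {
        $account = [string]$wa.Properties[$key]
        $status  = 'OK'

        if ([string]::IsNullOrEmpty($account)) {
            $status = 'Property not set (default system accounts in use)'
        }
        else {
            # UserName must match the property value exactly, including any
            # claims prefix on claims-based web applications.
            $policy = $wa.Policies | Where-Object { $_.UserName -eq $account }
            if (-not $policy) {
                $status = 'MISSING from User Policy'
            }
            else {
                $bound = $policy.PolicyRoleBindings |
                    Where-Object { $_.Type -eq $expected[$key] }
                if (-not $bound) { $status = "In policy, but without $($expected[$key])" }
            }
        }

        New-Object PSObject -Property @{
            WebApplication = $wa.Url
            Property       = $key
            Account        = $account
            Status         = $status
        }
    }
}

# Placeholder URL (assumption); replace with the Intranet web application.
Test-ObjectCachePolicy -WebApplicationUrl 'http://intranet.example.local' |
    Format-Table WebApplication, Property, Account, Status -AutoSize
```

Scheduling this after managed account password changes or policy edits surfaces a removed cache account before users hit the 403.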
