I was recently working within a SharePoint 2010 Intranet environment where there was widespread use of the ‘Content Query Web Part’ across multiple site collections. And to facilitate and enhance the performance of the CQWP, the SharePoint ‘Object Cache’ model was introduced.
The CQWP leverages cross-list query caching to improve its response time and efficiency as no round-trip call to SQL is required and by default, two OOTB system accounts are used to cache queries. As a best practice, the recommended approach is to run these two accounts (Super User & Super Reader) under the context of a domain user account and this policy was adhered. (so far, so good)
However, these two domain accounts were configured to run as SharePoint ‘Managed Accounts’ (not at all necessary), and recently, to comply with a security password policy, their passwords were changed (by SharePoint). No visibility was required to their new passwords, but somehow (and more like someone), in their wisdom decided to remove both accounts from the User Policy of the Web Application which hosts the Intranet platform. The end result, a number of http 403 errors when users tried to edit any SharePoint list items:
The http 403 wasn’t helpful in the slightest, although what we found in the ULS provided us with a good troubleshooting starting point……
/home/department/management: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)), stack trace: at Microsoft.SharePoint.Library.SPRequest.GetAclForCurrentWeb(String bstrWebUrl, Boolean fRequirePermissionCheck, Object& pvarRawAcl, UInt64& lAnonymousMask) at Microsoft.SharePoint.SPReusableAcl..ctor(SPWeb web, Boolean requirePermissionCheck) at Microsoft.SharePoint.SPWeb.GetReusableAcl(Boolean requirePermissionCheck) at Microsoft.SharePoint.Publishing.AclCache.AddAclIfNecessary(Guid scopeId, SPSecurableObject o) at Microsoft.SharePoint.Publishing.CachedArea..ctor(PublishingWeb area, String id, String parentId, CachedUserResource title, String url, CachedUserR… 2866034f-1c05-4f35-bac2-655847b2ebbd
Once we added Object Cache Super Users back to the policy of the Web Application, all of the list items were not responding and the panic was over. Now the witch-hunt could begin….