
Tuesday, March 10, 2009

SharePoint Access Denied on SPWebApplication

I've been working on a SharePoint solution that needed to write properties to the current web application. Everything worked just fine on my development machine. But on some of our test machines, I found the following message in the SharePoint logs:

The SPPersistedObject, SPWebApplication Name=Default Web Site Parent=SPWebService, could not be updated because the current user is not a Farm Administrator.

System.Security.SecurityException: Access denied.

This turns out to be correct behavior, but it took a while to understand what was going on and how to set up my development machine to reproduce the problem.

In my code to set the web application property value, I was using RunWithElevatedPrivileges to ensure I had rights. However, what I didn't realize is that elevating privileges gives you full access to the content database, but not to the configuration database. SPWebApplication's property bag is stored in the configuration database, not the content database. That was one piece to the puzzle.

The other piece to the puzzle was how I had my development machine set up. I was using the same account on both the Central Administration application pool and the application pool used to run the regular web applications. So in essence, I was implicitly granting my code rights to write to the configuration database.

When I modified the application pools to use two different accounts, I was able to reproduce this problem on my development machine.

Here is a summary:

  • RunWithElevatedPrivileges only provides full access to the content database for the current web application. In other words, you can modify read-only lists, write SPWeb properties, etc. But you can't make changes to the SPWebApplication because it is persisted to the configuration database.
  • Always make sure your application pools for normal web applications are using a different account than the Central Administration application pool. This is recommended practice for production machines, but you should also set up your development and test machines this way to catch problems early.
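
The following is an added example, not the author's code, showing the split described in the summary: under RunWithElevatedPrivileges the SPWeb property write goes to the content database, while the SPWebApplication write goes to the configuration database and throws the SecurityException from the log when the application pool account is not a Farm Administrator. The class name, method name and property key handling are hypothetical, and the code assumes it is called from a POST request or a feature receiver.

```csharp
using System;
using System.Diagnostics;
using System.Security;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

// Hypothetical helper for illustration; not part of the original post.
public static class WebAppPropertyWriter
{
    // Returns true only if the web application (configuration database)
    // write succeeded. The SPWeb (content database) write is attempted first.
    public static bool TrySetProperty(Guid siteId, string key, string value)
    {
        bool savedToWebApp = false;

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // Re-open the site inside the delegate so the objects run as the
            // application pool identity rather than the requesting user.
            using (SPSite site = new SPSite(siteId))
            {
                // Content database: elevation is sufficient here.
                SPWeb root = site.RootWeb;
                root.Properties[key] = value;
                root.Properties.Update();

                // Configuration database: elevation is NOT sufficient. This
                // only succeeds if the application pool account is also a
                // Farm Administrator (for example, when it shares an account
                // with the Central Administration application pool).
                SPWebApplication webApp = site.WebApplication;
                try
                {
                    webApp.Properties[key] = value;
                    webApp.Update();
                    savedToWebApp = true;
                }
                catch (SecurityException ex)
                {
                    // Expected on a correctly separated farm. Report it
                    // instead of widening the application pool account.
                    Trace.TraceWarning("SPWebApplication update denied: {0}",
                        ex.Message);
                }
            }
        });

        return savedToWebApp;
    }
}
```

On a machine where both application pools share one account this method returns true, which is the implicit grant described above; with separate accounts it returns false and logs the denial.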

10 Comments:

At 6/16/09, 11:29 AM, Anonymous Mahesh said...

I am also facing a similar issue.
I have a site collection level feature; when I try to activate this feature I get an access denied message. But the same feature gets activated in another web application. Both the web apps use the same application pool account.

 
At 7/15/09, 12:52 PM, Anonymous Mahesh said...

The reason for this was very strange. I had turned off site permission for creating sub sites and that was the reason I was not able to turn on a few features. Once I enabled sub site creation permission through CA, I was able to activate the features.

 
At 7/29/09, 5:09 AM, Anonymous Ebralph said...

Here is a link to a blog which goes into a bit more detail: http://hristopavlov.wordpress.com/2009/01/

 
At 12/1/09, 9:33 PM, Anonymous Anonymous said...

Would have been good to say what you actually did to solve it though, all you've done is describe the problem.

 
At 2/17/10, 1:26 PM, Anonymous Tomas said...

Thanks, this was helpful information.

 
At 8/10/11, 1:40 PM, Anonymous Anonymous said...

Hi
I have an issue when I am creating a web application; the issue is "access denied" and it is not storing in the content database. Please tell me what the problem is.

 
At 1/10/13, 12:37 AM, Anonymous Anonymous said...

Thank you very much for the information.

It would be very good if you put some of your code here. How did you solve it?

Thank you in advance,
Ali

 
At 9/27/13, 10:04 AM, Anonymous Share documents said...

I think many more people nowadays are able to utilize content databases to help them be more efficient in whatever they do. The way that organizations do business is changing, adapting to meet the needs of their customers, who are ever more technologically savvy.

Content databases make it easy to retrieve clients' information and this makes it possible to serve clients in the way that they expect. Just as with the ability to send faxes online, share documents online in other ways or send a package across thousands of miles safely, it makes it easier to maintain customer relationships.

 
At 4/9/14, 6:37 AM, Anonymous Anonymous said...

John, you don't provide any resolution, so your post is not useful.

 

 
