SYMPTOMS
You get Access Denied when you try to activate a feature in code from SharePoint 2010 web application. This error occurs whenever you try to make changes from the content applications (web front ends) to the config application (central admin application). For example web.config changes. The access denied error happens even when you wrap the code in RunWithElevatedPrivileges.
Back to the top
CAUSE
This is due to a new security feature implemented in SharePoint 2010. This feature explicitly blocks any modifications to the objects inheriting from SPPersistedObject in the Microsoft.SharePoint.Administration namespace and does not allow the content web applications to update the configuration database. This new security feature which controls the behavior is the SPWebService.RemoteAdministratorAccessDenied property in the SharePoint API. Though it can be turned off if needed but as with any security feature, you need to be really careful and perform thorough testing before you turn it off.
RESOLUTION
RemoteAdministratorAccessDenied is a persisted property which can be set to false to disable the feature. You can do this either in a Console app or use Powershell and then perform an IISReset.
//Console app code
SPWebService myService = SPWebService.ContentService;
myService.RemoteAdministratorAccessDenied = false;
myService.Update();
//PowerShell code
function Set-RemoteAdministratorAccessDenied-False()
{
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint") > $null
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Administration") > $null
# get content web service
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
# turn off remote administration security
$contentService.RemoteAdministratorAccessDenied = $false
$contentService.Update()
}
Set-RemoteAdministratorAccessDenied-False
//Console app code
SPWebService myService = SPWebService.ContentService;
myService.RemoteAdministratorAccessDenied = false;
myService.Update();
//PowerShell code
function Set-RemoteAdministratorAccessDenied-False()
{
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint") > $null
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Administration") > $null
# get content web service
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
# turn off remote administration security
$contentService.RemoteAdministratorAccessDenied = $false
$contentService.Update()
}
Set-RemoteAdministratorAccessDenied-False
No comments:
Post a Comment