403 Forbidden and Forms Authentication with MOSS

We have a public MOSS site setup to use Forms Authentication for protected content. When the user hits files in certain document libraries, the user is automatically redirected to the login page and then returned to the document after a successful login. However, for some users, when they click a link to view a protected file they are not redirected to the login page and a “403 Forbidden” error message is displayed in Internet Explorer. This behavior does not occur in non-IE browsers (Firefox, Safari).

After some research I found this article. It looks like the culprit is a Microsoft add-in for Office Live.

Fix: Uninstall the application called “Microsoft Office Live Add-in 1.3”. That solved the problem right away. No system reboot or browser restart necessary…

MOSS Search Indexer “Access is Denied”

Have a MOSS farm the a web front-end and a separate search indexer. After installing some patches the indexer started failing with an Access is Denied message. MOSS configures a dedicated index machine by adding an entry to the HOSTS file that points the MOSS sites to the indexer’s IP address. If you try to connect to your MOSS site on the Indexer’s desktop you will unable to connect.

The patches are KB960803 and KB963027. You can read the notes here.

Following the instructions for Method 1 in the article fixed the problem and indexer was able to access and index the content again. The fix is a small registry entry that allows local connections to other host names.

Access Denied When Creating a New Page

We had some users that had “Designer” or “Full Control” rights on a MOSS publishing site but when they selected “Create a New Page” from the Site Actions menu they received an “Access Denied” message.

Found out that any users creating a new page need “Restricted Read” access to the Style Library and Master Page Gallery.

You can add the users to the Style Library by going through View All Site Content.
You can access the Master Page Gallery by selecting Manage Content and Structure, Edit Properties on the Master Page Gallery, Permissions.

Login Required on Anonymous Site

If you have a public web site you might have the ViewFormPagesLockDown feature turned on. This restricts access for anonymous users so they can’t access the pages in your libraries “Forms” folders. There’s a good description of the feature here http://technet.microsoft.com/en-us/library/cc263468.aspx.

If you’re accessing a libraries “Forms” pages, for example by using InfoPath Forms Services, you might need anonymous users to have access to the library.

With the following configuration the user could be prompted for credentials on an anonymous site when trying to access an InfoPath Forms Services form.

  • Browser-based InfoPath Form published to a Forms Library
  • Site has anonymous access set to “Entire Web Site”
  • ViewFormPagesLockDown feature is activated

 

You can fix this by deactivating the ViewFormPagesLockDown feature
stsadm -o deactivatefeature -url “<site URL>” -filename ViewFormPagesLockDown\feature.xml

 

Now toggle the anonymous access setting on the site from “Entire Web Site” to “None” and back to “Entire Web Site”.

 

Then activate the ViewFormPagesLockDown feature again

stsadm -o activatefeature -url “<site URL>” -filename ViewFormPagesLockDown\feature.xml

 

SSL Redirect on Cancel

So here’s the scenario… You’ve got a MOSS 2007 site using basic authentication with SSL and anonymous access enabled. The user hits the site and is prompted for login credentials. The user doesn’t have a login and hits cancel. SharePoint 2007 displays an ugly error message saying that access is denied. So you decide to create a custom error page with a redirect in IIS but it doesn’t work…

After many hours on the phone with Microsoft Support, the only conclusion was that this was an issue with the .Net Framework (not MOSS or IIS.)

The fix is to turn off anonymous access on the site. This will allow IIS to see the error and use the custom redirect. Not the easiest workaround if you have anonymous turned on for a reason but a workaround nonetheless…

Authentication Links

Authentication samples
http://technet2.microsoft.com/Office/en-us/library/23b837d1-15d9-4621-aa0b-9ce3f1c7153e1033.mspx?mfr=true

Configuring Multiple Authentication Providers for SharePoint 2007
http://blogs.msdn.com/sharepoint/archive/2006/08/16/702010.aspx

Using the Active Directory Membership Provider with Forms Authentication in MOSS 2007
http://blogs.msdn.com/echarran/archive/2006/09/11/749707.aspx

Enable Anonymous Access
http://markharrison.co.uk/blog/2006/06/moss-2007-enable-anonymous_12.htm

Enabling Forms Based Authentication With SharePoint 2007
http://channel9.msdn.com/ShowPost.aspx?PostID=299338

Customizing the CreateUserWizard Control
http://aspnet.4guysfromrolla.com/articles/070506-1.aspx

Reporting Services Anonymous Access
http://www.ssw.com.au/ssw/Standards/Rules/RulesToBetterSQLReportingServices.aspx#AdminAccess