Access denied to the Sharepoint websites

Thelmo Henrique Santos Mauleon 6 Reputation points
2024-06-03T08:29:29.6866667+00:00

Hi there!

I need your help to try to solve a mysterious problem that I am having with my SharePoint 2016. We have a SharePoint farm with 2 front-end servers (IIS servers). On my "Server A" all the users can log in to all websites at any time with their accounts without any problem, but on "Server B", for some reason, sometimes they are denied access and other times they can connect without any problem.

Since all the connections work correctly without any problem on one node (Server A), I understand that the problem is not related to any Central Administration settings, because if the problem were there, both nodes would be affected.
I reviewed and compared both servers and they have exactly the same configuration, permissions, policy rules, etc.

Below, I explain how I have configured my servers:

  • All the websites are configured to use NTLM (no Kerberos).
  • All the websites are configured with pass-through authentication.
  • All the websites have their own IIS AppPool, and all the IIS AppPools use the same domain\Account.
  • This Domain\Account is a member of the local Administrators group, IISUSR, WSS-Admin_Group and WSS_Group.
  • The Domain\Account is added to these security policies: Log on as a batch job, Log on as a service and Impersonate a client after authentication.

Things that I have tried to do to fix the problem:

  • Cleaned up all the SharePoint cache configuration on this node
  • Created a new IIS AppPool for the website
  • Tried other Domain\accounts in the IIS AppPool
  • Copied the web.conf file from the good node to the bad node
  • Copied the hosting.conf file from the good node to the bad node
  • Reviewed and compared all the folder permissions in the inetpub folder
  • Checked that both servers have the same features and SharePoint prerequisites installed
  • Both servers have the latest STS update installed
  • Removed and added the server again to the farm
  • Many IISResets after all the tests, and server restarts

In the ULS and Event Viewer logs, when a connection fails I always get this message:
"An exception occurred when trying to establish endpoint for the context: Could not load file or assembly 'Microsoft.identityModel.Extensions, Version=2.0.0.0, Culture=neutral, PublicKey Token=69c3241e6f0468ca' or one of its dependencies. Provider type not defined. (Exception from HRESULT: 0x80090017)"


But I have already installed it on both servers, and I can find the .dll in the GAC folder and in the Program Files\reference Assemblies folder.

Also, in the ULS logs I get this message:

"Claims Windows Sign-In: Sending 401 for request 'https://<oneofmysites.domain.net>' because the user is not authenticated and resource requires authentication"


Any idea to solve this issue is welcome, because I don't know what else I should look for to find the problem.

Thanks in advance.


6 answers

  1. Ling Zhou_MSFT 23,620 Reputation points Microsoft External Staff
    2024-06-04T05:16:58.21+00:00

    Hi @Thelmo Henrique Santos Mauleon,

    Thank you for posting in this community.

    First, according to the error information you provided (Exception from HRESULT: 0x80090017), it can be seen that your problem is due to a problem with authentication:

    1. Please check whether you have installed Windows Identity Foundation; if not, you can install it in your project. Install in your project: Microsoft.Identity.Model.Extensions. Once completed, restart the IIS service and see if the problem persists.
    2. Perhaps the GPO policies in your environment are very strict; you need to add the SharePoint farm account and the IIS_IUSRS account to the "Impersonate a client after authentication" policy located at the following path: Server Manager > Local Security Policy > Local Policies > User Rights Assignment > Impersonate a client after authentication. Add your SharePoint farm account.

    If the problem still cannot be solved, I suggest you reinstall SharePoint 2016 on server B and join it to your server farm if it is convenient.

    Install SharePoint Servers 2016 or 2019 across multiple servers


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Thelmo Henrique Santos Mauleon 6 Reputation points
    2024-06-04T07:14:14.66+00:00

    Hi Ling Zhou! Thanks for your answer.

    I have already installed Microsoft.IdentityModel.Extensions on both servers:


    And, regarding the policy "Impersonate a client after authentication": due to restricted permissions at my company, I don't have permissions to add any group, but in this policy my local Administrators group is added by default, and in this group I have the farm account and AppPool account as members, so I understand that by inheritance all the accounts in the Administrators group will be members of this policy, right?


    As I explained before, on my Server A (the good one) we have exactly the same configuration. I just compared again and it's the same, and on this server I can access all the websites without any problem.

    Any other idea of what could be wrong?

    Thanks and BR


  3. Thelmo Henrique Santos Mauleon 6 Reputation points
    2024-06-04T09:51:22.48+00:00

    UPDATE - 06/04/2024

    I've just discovered a workaround to "solve the issue", but it doesn't make any sense to me.

    When I try to access one of my Server B websites, I receive an Access Denied error, indicating that my user account doesn't have permissions. But if I go to the IIS server, select the website, do a website restart (not an IISReset), open a private session in my browser and log in to the website using the farm account, the website loads correctly. Then, if I try to open the website again using my credentials, the website loads correctly and I can log in to the page. I can close and open other browser sessions with my user account and the website will still continue to work correctly.

    But if I do an IISReset, the whole problem occurs again and I cannot connect to the website using my user account, until I again do a website restart, open a private browser session and log in with the farm account....

    For some reason, when I do an IISReset, apparently I am losing some configuration, and the only way to access the websites again with my user account is by doing this weird workaround.


  4. Ling Zhou_MSFT 23,620 Reputation points Microsoft External Staff
    2024-06-05T08:29:06.0466667+00:00

    Hi @Thelmo Henrique Santos Mauleon,

    I am sorry that my method didn't solve your problem. Given that your problem is more complicated and we can't provide further information on how to solve it, we recommend that you open a ticket and ask for it.

    Please accept my sincere apologies for any inconvenience this may cause.

    Thank you for your kind understanding.


  5. Thelmo Henrique Santos Mauleon 6 Reputation points
    2024-06-06T12:53:07.2633333+00:00

    Hi!

    I finally managed to solve my issue. First of all, I discovered that I was having the problem on both nodes.
    So, after a lot of tests, I discovered that it was necessary to copy the assembly Microsoft.IdentityModel.Extensions.dll to the website bin folder.

    Example of path: C:\inetpub\wwwroot\wss<website>\bin

    Once a copy of the .dll was inserted in this path, the problem was solved.

    Important! I put a copy of the .dll file in the bin folder. The .dll is still in the GAC_MSIL folder too.

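As an added example, not code from the thread, the following PowerShell check gathers on one front-end the facts the thread turns on: whether the process can bind the strong-named assembly named in the ULS error, whether each IIS site has a bin copy of the DLL and whether that copy is byte-identical to the GAC copy, and which SIDs hold the "Impersonate a client after authentication" right. It assumes it is run elevated in Windows PowerShell on the SharePoint server, that IIS's WebAdministration module is present, and that the GAC lives in the standard .NET 2 and .NET 4 locations; the assembly name is the one from the question with the space in "PublicKey Token" removed.

```powershell
# Added example (not from the thread). Read-only: it modifies nothing on the server.
# Assumptions: run as an administrator in Windows PowerShell on a SharePoint 2016 front-end;
# WebAdministration ships with IIS; GAC roots are the standard .NET 2 and .NET 4 locations.
Import-Module WebAdministration

# Full assembly name from the ULS error quoted in the question (space in the token name removed).
$asmName = 'Microsoft.IdentityModel.Extensions, Version=2.0.0.0, Culture=neutral, PublicKeyToken=69c3241e6f0468ca'
$dll     = 'Microsoft.IdentityModel.Extensions.dll'

# 1. Bind the assembly by full name, as the loader does for the app pool.
#    0x80090017 is NTE_PROV_TYPE_NOT_DEF, a CryptoAPI error raised during the strong-name check,
#    so a failure here with that code points at the machine's crypto providers, not at IIS or SharePoint.
try   { "GAC load OK   : " + [System.Reflection.Assembly]::Load($asmName).Location }
catch { "GAC load FAIL : " + $_.Exception.Message }

# 2. Find the GAC copy (GAC_MSIL\<name>\<version>__<token>\<name>.dll) and hash it for comparison.
$gacRoots = "$env:windir\Microsoft.NET\assembly\GAC_MSIL", "$env:windir\assembly\GAC_MSIL"
$gacCopy  = Get-ChildItem $gacRoots -Recurse -Filter $dll -ErrorAction SilentlyContinue | Select-Object -First 1
$gacHash  = if ($gacCopy) { (Get-FileHash $gacCopy.FullName -Algorithm SHA256).Hash }
"GAC file      : " + $(if ($gacCopy) { $gacCopy.FullName } else { 'not found' })

# 3. For every IIS site, report whether a bin copy exists and whether it matches the GAC copy.
#    A bin copy that differs from the GAC copy (older or unsigned build) is a finding in its own right.
foreach ($site in Get-Website) {
    $root = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
    $bin  = Join-Path $root "bin\$dll"
    if (-not (Test-Path $bin)) { "{0,-40} bin copy: none" -f $site.Name; continue }
    $same = $gacHash -and ((Get-FileHash $bin -Algorithm SHA256).Hash -eq $gacHash)
    "{0,-40} bin copy: {1}" -f $site.Name, $(if ($same) { 'matches GAC' } else { 'DIFFERS from GAC' })
}

# 4. SIDs granted "Impersonate a client after authentication" (SeImpersonatePrivilege).
#    Run this block on Server A and Server B and diff the output; Administrators is S-1-5-32-544.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
(Get-Content $inf | Select-String '^SeImpersonatePrivilege').Line
Remove-Item $inf -ErrorAction SilentlyContinue
```

Running it before and after an IISReset, and on both nodes, shows whether the difference is in assembly resolution or in the user rights rather than in SharePoint configuration.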
