Access denied problem

Jan 26, 2010 at 10:49 AM

I've set this up as per the pdf instructions (I believe) and the authentication aspects work great. The only problem I'm now having is when a user is signed in and they select the My Windows Live ID settings option from the dropdown menu associated with their name, they are taken to the access denied page which states who they are logged in as (but show the guid and not their name).

The page it appears to be trying to access is: /_layouts/liveauth-editprofile.aspx

Jan 31, 2010 at 5:50 PM

I'm having the same issue mpartner.  I'm hoping someone who's stumbled onto this can shed some light.  Here's my steps:


MOSS 2007, Win2003, all latest SP's.

Following pdf steps line by line, including:

  1. creating a new web application called "extranetinside"
  2. extended that web app to a new web app called "extranetoutside", and changed it's defaults to forms auth, enabled anon, and set membership/role fields to pdf instructions.
  3. went to extranetinside and enabled anon
  4. created admin sub site (spweb)
  5. installed and deployed solution, activated admin feature, and got my Live ID service numbers
  6. Updated Windows Live ID config in central admin.  Did NOT check "approve all new users" and did NOT check delegated auth
  7. checked site collection for extranetinside and Live ID auth feature was already enabled

After realizing the Live ID groups are not SharePoint side groups, but rather "hidden" security principles, I added "Authenticated Live User", "Live Users", and "Unapproved Live Users" to the default site collection members group (just to make sure a Live ID user could get in.)

When going to extranetoutside i get redirected to Live ID site at MSFT, I login, and get redirected to an access denied page.  It sounds just like mpartner's issue above (redirected from /_layouts/liveauth-editprofile.aspx).

I've tried "approving" the Live ID user in the admin sub site LiveProfiles list, I've tried adding the UUID of the Live ID user to members and owners groups of the site collection... but nothing gets me past this point of initial login "access denied".  I'm assuming it's me and not the code.

Wictor and others, maybe you could review my steps and see if we're missing something.  The PDF document is great for initial config but stops short of a sample "how to use" scenario for us new to custom auth configs in sharepoint.  I'd be glad to help add to or create a new step by step doc for the rest of us if I could just get past this access denied part.  

Even if it looks like we're doing everything right, please reply a short "that's how you do it" which I'll take as "start over with a clean config and try again".



Jan 31, 2010 at 10:26 PM

Mine's is slighlty different in that the authentication works fine. It's only when a user uses the dropdown menu on their name and selects the My Windows Live ID option, they then get an access denied page. It may be because I' not done anything with those hidden security principles.

Feb 1, 2010 at 10:56 PM

Yea I've played around with enabling anonymous throughout the site, and then removing rights at a document library level to see how a logged in Live ID user is affected by this.  If I anonymous-enable the whole web site, obviously the Live ID user can see everything reguardless of being logged in.  If they log in, they can edit their Live ID profile fine.  But, if I remove inheritance from a list or library (which prevents anonymous access) the logged in Live ID user can't get to that list/library.  I've tried adding all the liveroles, I've added their LiveID UUID, but I can't get them to access the data reguardless of permissions.

To me it's like everything is working fine, but Live ID auth provider permissions don't seem to do anything for the user. 

Anyone seen this before or have ideas?

mpartner, how are the Live ID users allowed to see your site if you haven't given them any permissions?  Did you enable anonymous at the site collection permissions level? (http://hostname/_layouts/setanon.aspx)

Feb 2, 2010 at 6:20 PM

Yeah, I've enabled anonymous access at the site collection. I followed Andrew Connell's example replacing the forms authentication component with the Windows LiveId bit. The only bit I can't get working is the bit I mentioned above, I'm guessing this maybe to do with the security principles mentioned in the PDF. What did you do with them exactly? 

Feb 3, 2010 at 3:26 PM

actually I added those security principles to the sharepoint member/owner groups and it did nothing.  I added specific liveID users (by UUID) and they didn't get access.  Only when I allowed anonymous could they get access.  So they *can* login, and edit their profile (once I enabled anon on the root site) but they get same permissions as as anonymous users regardless of what I do with their LiveID's and security principles.