Thursday, November 6, 2008

Still getting Access Denied when elevating rights?

In a previous post (elevated privileges) I explained how to access a SharePoint list when the permissions of the current user are not enough.

You already did that and still get the same "Access Denied" message...?

When we elevate rights with SPSecurity.RunWithElevatedPrivileges, the code runs as the identity of the web application's IIS Application Pool. That account is the most privileged identity the Web Application has, so elevated code can never do more than that account is allowed to do. Before blaming the account, check one thing: the SPSite and SPWeb objects you use inside the elevated block must be created inside it. Objects opened outside the delegate keep the original user's security context and will keep returning "Access Denied" no matter how you elevate.

Look in your IIS logs for the request that failed. A 401 followed by a 200 for the same URL is just the normal Windows authentication (NTLM/Kerberos) challenge; a request that ends in a 401 with no 200 after it is the real failure. Yes?
That means that the account registered as the identity of the SharePoint Web Site Application Pool doesn't have enough rights to access the list. In simple deployments that account is usually Network Service.

Now we need to change that and use a custom domain account as the Application Pool identity. That account also needs the "Log on as a service" right on the server; without it the Application Pool cannot start and the browser shows "Service Unavailable" after the change. In a SharePoint farm, make the change through Central Administration (Operations > Service Accounts) rather than only in IIS Manager, so the new account is also granted the permissions it needs on the configuration and content databases.

To create a service account do as follows:

1- Create an account for the service in the domain, i.e. DOMAIN\Svc_SharePoint.
2- On the server run secpol.msc and go to Local Policies > User Rights Assignment > Log on as a service.
3- Add the DOMAIN\Svc_SharePoint service account.
4- Add the DOMAIN\Svc_SharePoint service account to the IIS_WPG local group.
5- Change the App Pool identity to DOMAIN\Svc_SharePoint.
6- Recycle the App Pool (no need to reboot the server).
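The same steps 2 to 6 as a script, as an added example that is not part of the original post. It assumes an IIS 6 web front end (Windows Server 2003, the platform WSS 3.0 / MOSS 2007 ran on), and the account name, password and Application Pool name are placeholders you replace with your own; run it in a PowerShell session as a local administrator. The "Log on as a service" right is granted with secedit, which edits the same setting secpol.msc shows, and the pool identity is changed through the IIS 6 metabase (ADSI), then read back to confirm which account the pool really runs as.

```powershell
# Added example, not code from the original post: carries out steps 2 to 6 on an
# IIS 6 web front end (Windows Server 2003, as used by WSS 3.0 / MOSS 2007).
# Account, password and pool name are assumed placeholders; run as a local administrator.
param(
    [string]$Account  = 'DOMAIN\Svc_SharePoint',
    [string]$Password = 'ChangeMe-P@ssw0rd',   # placeholder; prefer Read-Host -AsSecureString in practice
    [string]$PoolName = 'SharePoint - 80'      # pool name exactly as shown in IIS Manager
)

# Steps 2-3: grant "Log on as a service" (SeServiceLogonRight) with secedit, the same
# setting secpol.msc edits under Local Policies > User Rights Assignment.
function Grant-LogonAsService([string]$Account) {
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    $db  = Join-Path $env:TEMP 'user-rights.sdb'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $found = $false
    $lines = foreach ($line in Get-Content $cfg) {
        if ($line -match '^SeServiceLogonRight\s*=') {
            $found = $true
            # Keep every account that already has the right; append ours once.
            if ($line -notmatch [regex]::Escape($Account)) { "$line,$Account" } else { $line }
        } else { $line }
    }
    if (-not $found) {
        # No account had the right yet: add the key under the [Privilege Rights] section.
        $lines = $lines -replace '^\[Privilege Rights\]$', "[Privilege Rights]`r`nSeServiceLogonRight = $Account"
    }
    Set-Content -Path $cfg -Value $lines -Encoding Unicode
    secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
}

# Step 4: an IIS 6 worker process identity must be a member of the IIS_WPG local group.
function Add-ToIisWpg([string]$Account) {
    net localgroup IIS_WPG $Account /add 2>$null | Out-Null   # harmless if already a member
}

# Steps 5-6: point the Application Pool at the account and recycle it through the
# IIS 6 metabase. AppPoolIdentityType 3 = specific user
# (0 = LocalSystem, 1 = LocalService, 2 = NetworkService).
function Set-AppPoolIdentity([string]$PoolName, [string]$Account, [string]$Password) {
    $pool = [ADSI]"IIS://localhost/W3SVC/AppPools/$PoolName"
    $pool.AppPoolIdentityType = 3
    $pool.WAMUserName         = $Account
    $pool.WAMUserPass         = $Password
    $pool.psbase.CommitChanges()
    $pool.psbase.Invoke('Recycle')
}

# Verification: read the pool back and confirm which identity it now runs as,
# so the elevated code's effective account is known, not assumed.
function Test-AppPoolIdentity([string]$PoolName, [string]$Account) {
    $pool = [ADSI]"IIS://localhost/W3SVC/AppPools/$PoolName"
    $pool.psbase.RefreshCache()
    $actual = [string]$pool.WAMUserName
    if ($actual -ne $Account) { throw "Pool '$PoolName' runs as '$actual', expected '$Account'" }
    "Pool '$PoolName' runs as $actual (identity type $($pool.AppPoolIdentityType))"
}

Grant-LogonAsService -Account $Account
Add-ToIisWpg         -Account $Account
Set-AppPoolIdentity  -PoolName $PoolName -Account $Account -Password $Password
Test-AppPoolIdentity -PoolName $PoolName -Account $Account
```

If the pool stops and the browser shows "Service Unavailable" after running this, the System event log on the server tells you why (typically the right from steps 2-3 is missing or the password is wrong). On IIS 7 the same change is made with the WebAdministration module (Set-ItemProperty on IIS:\AppPools\<name> -Name processModel, then Restart-WebAppPool), and in a SharePoint farm the Central Administration Service Accounts page is the preferred way, because it also grants the account its database roles.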

Make sure DOMAIN\Svc_SharePoint has the permissions it needs on the list in the site collection, and no more than that: everything that runs elevated runs as this account, so every right you give it is a right any elevated code in the Web Application can use.

That should do the trick
