SharePoint – Access Denied Federation Module

Getting accessdenied.aspx for all users can be very frustrating. Usually it's a Super User/Super Reader configuration issue (see https://joshroark.com/sharepoint-the-complete-guide-to-portalsuperuseraccount-and-portalsuperreaderaccount/).

To the Logs

The ULS logs are the key to finding out why we're getting redirected. We want the Correlation ID of the request that redirects the client to accessdenied.aspx. A Fiddler trace is a helpful way to find the correct Correlation ID.

The ULS logs for the request will show that we’re failing on the Federation Module.

02/15/2019 12:39:42.99    w3wp.exe (0x1BAC)    0x4170    SharePoint Foundation    Security    8gs1    Verbose    Access Denied for /. StackTrace:   
 at Microsoft.SharePoint.Utilities.SPUtility.HandleAccessDenied(HttpContext context)    
 at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.OnEndRequest(Object sender, EventArgs eventArgs)    
 at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()    
 at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)    
 at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error)    
 at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb)    
 at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)    
 at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)    
 at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)    
 at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)    
 at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)    
 at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)    
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)

This is usually due to the Everyone group being removed from “Bypass traverse checking”: Local Security Policy → Local Policies → User Rights Assignment → Bypass traverse checking

Add the Everyone and Users groups if they are missing, run IISReset, and we're able to access the site again.
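
The check described above can be scripted so it is repeatable across servers. This is an added example, not part of the original post: it exports the user rights with secedit and reports whether Everyone and BUILTIN\Users hold the right. The temp file name is an arbitrary choice; the two SIDs are the well-known SIDs for those groups.

```powershell
# Added example (not from the original post). Run elevated on each SharePoint server.
# Well-known SIDs for the two groups the post says must hold the right.
$required = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-32-545' = 'BUILTIN\Users' }

# Arbitrary temp file name chosen for this example.
$cfg = Join-Path $env:TEMP ("user_rights_{0}.inf" -f [guid]::NewGuid())
try {
    # Export only the User Rights Assignment area of the security policy.
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cfg)) {
        throw "secedit export failed (exit code $LASTEXITCODE); is the prompt elevated?"
    }

    # SeChangeNotifyPrivilege is the internal name of "Bypass traverse checking".
    $line = Get-Content $cfg |
        Where-Object { $_ -match '^\s*SeChangeNotifyPrivilege\s*=' } |
        Select-Object -First 1

    $holders = @()
    if ($line) {
        $holders = @(($line -split '=', 2)[1].Split(',') | ForEach-Object {
            $entry = $_.Trim()
            if ($entry.StartsWith('*')) {
                $entry.TrimStart('*')            # entry is already a SID
            } elseif ($entry) {
                try {                            # entry is an account name
                    ([System.Security.Principal.NTAccount]$entry).Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value
                } catch { $entry }               # keep unresolved names as-is
            }
        })
    }

    foreach ($sid in $required.Keys) {
        [pscustomobject]@{
            Principal                 = $required[$sid]
            Sid                       = $sid
            HasBypassTraverseChecking = $holders -contains $sid
        }
    }
} finally {
    Remove-Item $cfg -ErrorAction SilentlyContinue
}
```

If a domain Group Policy defines this user right, a local change is overwritten at the next policy refresh, so the fix has to be made in that GPO instead.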
