Getting accessdenied.aspx for all users can be very frustrating. Usually it’s an issue with the Super User/Super Reader configuration (see https://joshroark.com/sharepoint-the-complete-guide-to-portalsuperuseraccount-and-portalsuperreaderaccount/).
To the Logs
The ULS logs are the key to finding out why we’re getting redirected. We want the Correlation ID of the request that redirects the client to accessdenied.aspx. A Fiddler trace is a helpful tool for finding the correct Correlation ID.
The ULS logs for the request will show that we’re failing on the Federation Module.
02/15/2019 12:39:42.99 w3wp.exe (0x1BAC) 0x4170 SharePoint Foundation Security 8gs1 Verbose Access Denied for /. StackTrace:
at Microsoft.SharePoint.Utilities.SPUtility.HandleAccessDenied(HttpContext context)
at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.OnEndRequest(Object sender, EventArgs eventArgs)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error)
at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb)
at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)
at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
This is usually due to the Everyone group having been removed from “Bypass traverse checking”. Local Security Policy → Local Policies → User Rights Assignment → Bypass traverse checking
Add the Everyone and Users groups if they are missing, run an IISReset, and we’re able to access the site again.
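
The check described above can be scripted. The following is an added example, not part of the original post: it exports the server's user rights with secedit and reports whether Everyone and Users hold “Bypass traverse checking” (SeChangeNotifyPrivilege). It assumes an elevated PowerShell session on the affected SharePoint server; the two SIDs are the well-known SIDs for Everyone and BUILTIN\Users.

```powershell
# Added example: verify who holds "Bypass traverse checking" (SeChangeNotifyPrivilege).
# Assumption: run from an elevated PowerShell prompt on the affected server.
$required = [ordered]@{
    'Everyone' = 'S-1-1-0'        # well-known SID for Everyone
    'Users'    = 'S-1-5-32-545'   # well-known SID for BUILTIN\Users
}

$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
try {
    # Export only the user rights section of the local security policy.
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "secedit export failed with exit code $LASTEXITCODE"
    }

    # The export is an INF file with one "Privilege = *SID,*SID,..." line per right.
    $line = Get-Content -Path $cfg |
        Where-Object { $_ -match '^\s*SeChangeNotifyPrivilege\s*=' } |
        Select-Object -First 1

    if ($line) {
        # Drop the leading '*' that marks an entry as a SID.
        $holders = @(($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') })
    } else {
        $holders = @()   # the right is not assigned to anyone
    }

    foreach ($name in $required.Keys) {
        $sid = $required[$name]
        # Entries are normally SIDs; also accept a plain account name.
        $present = ($holders -contains $sid) -or ($holders -contains $name)
        [pscustomobject]@{
            Principal         = $name
            Sid               = $sid
            HasBypassTraverse = $present
        }
    }
}
finally {
    # Remove the temporary export regardless of outcome.
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}
```

If a group keeps disappearing from the right after being added back, the setting is probably being applied by a domain Group Policy and has to be corrected there, since domain policy overwrites the local assignment at the next refresh.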