Little Central Administration Security Bug with SharePoint 2010


 

I ran into a little frustrating issue earlier with my Stand Alone installation on Windows 7 – my account had access to the Central Administration but some options weren’t there (like manage services on server) and others were giving me Access Denied.  The ‘New Web Application’ was grayed out with a text saying I didn’t have access when I did a mouse over.

I was correctly set up as a farm administrator and site collection administrator for the Central Admin.  I tried rebooting and using other local accounts instead of the domain account – no luck.

So I started up the wizard with the intention of scrapping my newly built farm and simply re-creating it, but the wizard simply just ran over without asking me to remove it!  The nice thing is that the automatic repair actually repaired my issue as well 🙂

Quick fix!

October 29th Update: Actually, it looks like I was wrong.  The issue came back the next day and the Wizard didn’t fix it – nor did I want to run the Wizard every day ;).  As it turns out, you need to ‘Run as Administrator’ Internet Explorer … what baffles me is that it sometimes works, sometimes not (and I had never run IE as administrator… nor did I remove UAC on my Windows 7 build).

 

Maxime
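
Added example (not part of the original post): a PowerShell check for the condition the update describes, an account that is in the local Administrators group but whose current token has been filtered by UAC. The function name `Get-UacTokenState` is hypothetical, and the script assumes an English-language `whoami` and the standard `EnableLUA` policy value.

```powershell
# Added example: report whether this session's token is elevated or UAC-filtered.
function Get-UacTokenState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    # True only when BUILTIN\Administrators is an enabled group in the token,
    # i.e. the process was started elevated or UAC is turned off.
    $elevated = $principal.IsInRole($adminRole)

    # whoami still lists the group in a filtered token, flagged as deny-only.
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    $adminGroup = whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $denyOnly = [bool]($adminGroup -and ($adminGroup.Attributes -match 'deny only'))

    # EnableLUA = 0 means UAC is disabled; a missing value is treated as enabled.
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = (Get-ItemProperty -Path $policy -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA

    if ($elevated)     { $state = 'Elevated' }
    elseif ($denyOnly) { $state = 'FilteredAdmin' }  # admin account, non-elevated token
    else               { $state = 'NotAdmin' }

    New-Object PSObject -Property @{
        User       = $identity.Name
        State      = $state
        UacEnabled = ($lua -ne 0)
    }
}

Get-UacTokenState | Format-List
```

Run it from a normal prompt and again from one started with ‘Run as Administrator’: `FilteredAdmin` in the first and `Elevated` in the second is the difference that the workaround in the update relies on.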

Comments (14)
  1. allenwilson@mindspring.com says:

    Aside from running IE as an ‘Administrator’, was there anything else that you had to do?

    I’ve tried the same but remain unable to create a new web application (button is grayed out).

  2. Hi, I didn’t see anything else.  The other variable is that I am not running IE enhanced security mode for Administrator — you can change that parameter as well.

  3. RaviSharma says:

    Hi MaximeB – The same issue was there in MOSS as well. I am not sure whether I should call this an issue or something else because:

    As per MSFT recommendations the Service Account should not be local Admin on the machine, but if you don’t grant the service account the local admin rights then the "create or extend web application" link used to disappear in Central Admin, and the moment you add the service account to the local admins’ group the link used to reappear. So it’s a double whammy: if you grant local admin rights to the service account then you are compromising on security and not adhering to best practices, else the link is missing. Considering the issue you specified above, I assume it’s the same in SP2010 as well.

    You can add the service account (I am not recommending, just to test) to the local admin group so as to make sure that it’s the same issue or something else.

    Thanks…

  4. Good point, I don’t recall checking this with MOSS 2007.

    In a Windows 7 situation, the UAC behaviors aren’t the same and thus, even if you are an administrator, IE won’t run in IE mode by default.

  5. robert.j.greig@gmail.com says:

    Did you ever get to the bottom of this? I am experiencing exactly the same problem with SP 2010 RTM.

    My user account and the sharepoint service account are both local admins but I still have permission issues in central admin.

  6. Hi,

    No, I didn’t look further as running as an administrator was the solution in my case (or changing the UAC parameters).

    Are you running on Win7 or server?

  7. robert.j.greig@gmail.com says:

    I am running on W2K8.

    I have tried running central admin as an administrator, but it did not make any difference. Also, when I launch central admin, it prompts for a login and I enter the credentials of a local admin user (which is also the user I am logged in as). That user is also listed as a farm administrator.

    Are there any debug settings I can use to get a dump of the roles/credentials that central admin thinks I have? Any log files that might give an insight?

    Thanks!

  8. Just to be sure, your permission troubles, is it that you keep getting authentication prompt?

    The situation described in this post wasn’t about an auth prompt but simply about UAC.  

    If you keep having auth prompts when logging locally, it would be the DisableLoopbackCheck registry setting to verify.

  9. robert.j.greig@gmail.com says:

    No, the problem is not repeated authentication prompts. It prompts only once and does correctly display my username. In any case, I had also come across the post about the NULL SID problem and disabled the loopback check anyway (it made no difference).

    I turned my W2k8 instance into a domain controller, and then things worked as expected. Does Sharepoint 2010 only work on machines that are members of a domain?

    I enabled full debug and trace logging, and also ran a SQL trace on the database, but was not really able to get any further clues about what was going wrong.

  10. Hi,

    My instance of the NULL SID issue was when I copied a Hyper-V machine (i.e.: a base Win2k8 R2) but forgot to do the SYSPREP /generalize — that gives odd issues with authentication.  The only thing for that one is to use SYSPREP, check the Generalize checkbox and reboot.

    For a non-domain machine, I’ve tried it with a single server install, but you can look at this post for having a separate SQL : http://blogs.objectsharp.com/CS/blogs/max/archive/2009/12/02/using-local-accounts-in-sharepoint-2010-complete-install.aspx.

    Have you looked at your IE settings, at the end of the list, on how to use WinAuth?  You can try the option of ‘using current username/password’.

  11. robert.j.greig@gmail.com says:

    Hi – I tried both a single server install and a separate SQL, with the same result in both cases.

    I haven’t looked at the IE settings because I don’t think this is related to authentication – it authenticates me successfully and it displays the correct name in the top right of the page. The issue I think is authorisation.

    I’m going to try to raise this via a support channel – to help anyone googling for this I’ll post a comment if I get to the bottom of it.

  12. QH says:

    I had the same issue on my newly built (sysprepped) non-domain SP2010 (complete install versus stand alone) environment running on Windows 7 with SQL 2008 R2. When launching Central Admin, I would get prompted for authentication. I log in using the system account and am presented with CA. However, I am not able to create a new web application and don't see some links like "manage services on server".

    Tried running IE using "Run As Administrator" and it didn't work. Ended up disabling UAC, rebooting and now it's working properly.

  13. DeChrist says:

    I confirm the "feature" in RTM on Windows 7.

    Your workaround worked for me: Run IE as Administrator.

  14. Adinahc says:

    Awesome, Running IE as administrator works
