SharePoint: Quick Troubleshooting tip: Add user with Classic auth permission

As lame as this sounds, there have been a few (rare) situations where trying to do something with a Windows-Claims web application within Central Administration fails with an Access Denied (sorry, this site has not been shared with you) error due to lack of permissions for your Windows Classic authentication account.

If you find a situation where you’re trying to complete some administrative action and getting an Access Denied error for an account that should have plenty of permission, and you’ve already exhausted every other possibility, including verifying that it’s not a Super User / Super Reader problem, you can try to give the Classic auth version of your account Full Control permission on the web application. If the web application in question is claims-based auth, the only way to do that is with PowerShell:

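$user = "Contoso\admin1"                      # classic (non-claims) form of the account name
$displayName = "Admin1 - Classic Auth"        # label shown in the web application's user policy list
$wa = Get-SPWebApplication "https://mysitehost.contoso.com"
$policy = $wa.Policies.Add($user, $displayName)   # create the user policy entry
$policyRole = $wa.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
$policy.PolicyRoleBindings.Add($policyRole)   # bind Full Control to the new entry
$wa.Update()                                  # persist the change to the web application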

Example web app user policy after adding the classic version of my account:

Notice the claims version of my account also has full control. I added both so you can see the difference in the account name.
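
To see the same difference in account names from PowerShell, and to take the Full Control entry back out once the troubleshooting is done, here is an added example (not part of the original post). It assumes the SharePoint Management Shell and the same URL and account as above; the `$removeWhenDone` switch and the claims-prefix pattern are my own choices for illustration.

```powershell
# Added example: audit the web application's user policy, then optionally
# remove the classic-auth entry that was added for troubleshooting.
$wa      = Get-SPWebApplication "https://mysitehost.contoso.com"
$classic = "Contoso\admin1"      # the classic account added above
$removeWhenDone = $false         # set to $true to remove the entry

# List every policy entry with its roles. Claims-encoded names start with
# "i:0" or "c:0" (for example "i:0#.w|contoso\admin1"); a classic entry is
# the bare DOMAIN\user form.
$wa.Policies |
    Select-Object UserName, DisplayName,
        @{ Name = 'Encoding'; Expression = {
            if ($_.UserName -match '^[ic]:0') { 'Claims' } else { 'Classic' }
        } },
        @{ Name = 'Roles'; Expression = {
            ($_.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ', '
        } } |
    Format-Table -AutoSize

# Full Control at the web application level applies to every site
# collection in it, so remove the classic entry when it is no longer needed.
if ($removeWhenDone) {
    $entry = $wa.Policies | Where-Object { $_.UserName -eq $classic }
    if ($entry) {
        $wa.Policies.Remove($classic)
        $wa.Update()
        Write-Host "Removed user policy for $classic"
    } else {
        Write-Host "No user policy found for $classic"
    }
}
```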
