Forum Discussion
SharePoint Server 2019 - Authentication issue with popup login window
Solution to Issue 1:
Michael Han helped to find a resolution for issue 1: (https://urldefense.proofpoint.com/v2/url?u=https-3A__social.technet.microsoft.com_Forums_sqlserver_en-2DUS_820b57d9-2Da2be-2D4f22-2D9c06-2D8ea67bdf6651_sharepoint-2Dserver-2D2019-2Danonymous-2Dusers-2Daccess-3Fforum-3DSP2019&d=DwMF-g&c=hmKldkTQNOmajg2omeC5PQ&r=OKarLaIVtuWSZ_iJ8l0vPw&m=UnvFT-nBi6BK0nS9GZXicw-Kqbt1YoTVOYU2Oka_lcA&s=5tQ_4ckPLpzLVs65XncTlK19VDa1u6KlY0IJ8wYATfM&e=)
It seems like the Theme Gallery has separate permissions from the site collection permissions. If the subsite user doesn't have read permission to the Themes folder then I see the authentication issue. This means that we will have to grant permission to a user for the subsite and the themes folder at the site collection level. This isn’t ideal to have to give permissions in two places for this case and should be looked at being improved on the SharePoint side.
To avoid granting permission in two places for each user, we decided to grant read permission to all AD Domain Users so everyone in the organization will have read permission to the themes folder.
Issue 2 Unresolved:
However, the above resolution does not help our anonymous user access issue (issue 2) and this remains a top priority issue for us.
Thank you,
Nutullah
Hello, Nutullah.
I had this problem (the 2nd scenario) in my farm as well,
I suggest you to enable the flags
useAppPoolCredentials & useKernelMode
at the system.webServer/security/authentication/windowsAuthentication in the web.config for this web application.
these allows my users to connect with user and password when they needed and also give access to anonymous.
Hope it will help you.
Hello, I was brought here because I was looking for the reason why the SharePoint Modern List View experience was receiving a 401 access denied and then repeatedly prompting the user to login as it was trying to access /_api/Site?$select=StatusBarLink,StatusBarText. This issue will occur when a user has been granted permission at a sub-site level but does not have permission at the site collection level (or only has Limited Access at the site collection level). The limited access is typically there as part of the Style Resource Readers group.
You will see in the developer window a pending authorisation for
https://www.website.ca/sitecollection/subsite/_api/Site?$select=StatusBarLink,StatusBarText
Followed by access denied messages in your ULS logs similar to:
PermissionMask check failed for {Guid}. Asking for 0x2000010000, have 0x1008010000
Specifically it will also fail with UnauthorizedAccessException on GetWebMetainfo
The way you can fix this is by ADDING the UseRemoteAPIs base permission to the Limited Access role definition at the site collection root web level. Please note, this should not be done for Anonymous access or public (internet) sites as it may expose API to attackers for Denial of Service. Internally it should be OK to do as it simply allows end users to make calls to the API (the contents of the results of the API are still security trimmed).
Powershell you can use to resolve this is:
$siteUrl = "https://www.website.ca/sitecollection/" $site = get-spsite $siteUrl $web = $site.RootWeb $limitedAccess = $web.RoleDefinitions["Limited Access"] $limitedAccess.BasePermissions = "$($limitedAccess.BasePermissions), UseRemoteAPIs" $limitedAccess.Update()You're welcome!
Kevin Cole - SharePoint Microsoft Certified Master
KevinColeMCM , thanks for solution. This helped.
