Access denied when deploying a timer Job or activating a feature from SharePoint 2010 content web application

Article translations Article translations
Close Close
Article ID: 2564009 - View products that this article applies to.
Expand all | Collapse all

SYMPTOMS

You get Access Denied when you try to activate a feature in code from SharePoint 2010 web application. This error occurs whenever you try to make changes from the content applications (web front ends) to the config application (central admin application). For example web.config changes. The access denied error happens even when you wrap the code in RunWithElevatedPrivileges.

CAUSE

This is due to a new security feature implemented in SharePoint 2010. This feature explicitly blocks any modifications to the objects inheriting from SPPersistedObject in the Microsoft.SharePoint.Administration namespace and does not allow the content web applications to update the configuration database. This new security feature which controls the behavior is the SPWebService.RemoteAdministratorAccessDenied property in the SharePoint API. Though it can be turned off if needed but as with any security feature, you need to be really careful and perform thorough testing before you turn it off.

RESOLUTION

RemoteAdministratorAccessDenied is a persisted property which can be set to false to disable the feature. You can do this either in a Console app or use Powershell and then perform an IISReset.

//Console app code

SPWebService myService = SPWebService.ContentService; 
myService.RemoteAdministratorAccessDenied = false; 
myService.Update(); 


//PowerShell code

function Set-RemoteAdministratorAccessDenied-False()
{
    [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint") > $null
    [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Administration") > $null

    # get content web service
    $contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
    # turn off remote administration security
    $contentService.RemoteAdministratorAccessDenied = $false
   $contentService.Update()         
}

Set-RemoteAdministratorAccessDenied-False
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2564009 - Last Review: June 24, 2011 - Revision: 5.0
APPLIES TO
  • Microsoft SharePoint Foundation 2010
  • Microsoft SharePoint Server 2010
Keywords: 
KB2564009

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com