Setting the super user account on SharePoint 2010 and getting Access Denied errors afterwards
Ever had one of these:
(Many thanks to Andras Gaal for compiling this)
Object Cache: The super user account utilized by the cache is not configured. This can increase the number of cache misses, which causes the page requests to consume unneccesary system resources.
To configure the account use the following command ‘stsadm -o setproperty -propertyname portalsuperuseraccount -propertyvalue account -url webappurl’. The account should be any account that has Full Control access to the SharePoint databases but is not an application pool account.
Current default super user account: SHAREPOINT\system
Object Cache: The super reader account utilized by the cache does not have sufficient permissions to SharePoint databases.
To configure the account use the following command ‘stsadm -o setproperty -propertyname portalsuperreaderaccount -propertyvalue account -url webappurl’. It should be configured to be an account that has Read access to the SharePoint databases.
Current default super reader account: NT AUTHORITY\LOCAL SERVICE
By default, the Portal Super User account is the site’s System Account, and the Portal Super Reader account is NT Authority\Local Service. There are two main issues with using the out-of-box accounts.
1. The first issue is that some items get checked out to System Account, so when a query that includes these items is made, the checked out version of the item is returned instead of the latest published version. This is a problem because it is not what a user would expect to have returned, so the cache has to make a second query to fetch the correct version of the file. This negatively affects server performance for every request that includes these items. The same problem would occur for any user who has items checked out, if that user’s account was set to be the Portal Super User account. This is why the accounts configured to be the Portal Super User and the Portal Super Reader should not be user accounts that are used to log into the site. This ensures that the user does not inadvertently check items out and cause problems with performance.
2. The default Portal Super Reader account is NT Authority\Local Service, which is not correctly resolved in a claims authentication application. As a result, if the Portal Super Reader account is not explicitly configured for a claims authentication application, browsing to site collections under this application will result in an “Access Denied” error, even for the site administrator. This error will occur on any site that uses any feature that explicitly uses the object cache, such as the SharePoint Server Publishing Infrastructure, metadata navigation, the Content Query Web Part, or navigation.
So keeping these values on their default value on an intranet/extranet portal is not such a good idea. Let’s go ahead and set these two, according to the suggestions in the error message!
stsadm -o setproperty -pn portalsuperuseraccount -pv DOMAIN\superuser -url http://webappurl
stsadm -o setproperty -pn portalsuperreaderaccount -pv DOMAIN\superreader -url http://webappurl
iisreset
After doing so you are either done (classic mode), or, if the web application is in claims mode, you will see Access Denied on every page of the web application whose accounts you just set, including for the site administrator.
Moral of the story: in claims mode the two property values must be the claims-encoded user names (i:0#.w|domain\user for a Windows account), not the plain DOMAIN\user names. A plain name is not resolved as a claims identity, so the object cache cannot read under that account and every page that touches it fails with Access Denied. The names must match exactly what the web application’s User Policy page shows for those accounts.
Relevant sections of the Technet article:
14. Make note of how the names for the Object Cache Super Reader and Object Cache Super User accounts are displayed in the User Name column. The displayed strings will be different depending on whether you are using claims authentication for the Web application.
1. Copy the following code and paste it into a text editor, such as Notepad:
$wa = Get-SPWebApplication -Identity "<WebApplication>"
$wa.Properties["portalsuperuseraccount"] = "<SuperUser>"
$wa.Properties["portalsuperreaderaccount"] = "<SuperReader>"
$wa.Update()
2. Replace the following placeholders with values:
* <WebApplication> is the name (or URL) of the Web application to which the accounts will be added.
* <SuperUser> is the account to use for the Portal Super User account, exactly as it is displayed in the User Name column mentioned in Step 14 of the previous procedure.
* <SuperReader> is the account to use for the Portal Super Reader account, exactly as it is displayed in the User Name column mentioned in Step 14 of the previous procedure.
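The script below is an added example, not part of the original post or the TechNet article. It puts the two pieces together: it grants the web application user policies the object cache accounts need (Full Control for the super user, Full Read for the super reader), and it lets SharePoint produce the claims-encoded name (i:0#.w|domain\user) when the web application is in claims mode, so the Access Denied described above cannot happen because of a hand-typed name. The URL and the two account names are placeholders; the accounts are assumed to be dedicated, non-interactive service accounts that are not application pool identities. Run it from the SharePoint 2010 Management Shell as a farm administrator.

```powershell
# Added example; not from the original post or from TechNet.
# Assumptions: run in the SharePoint 2010 Management Shell as a farm admin;
# DOMAIN\sp_superuser and DOMAIN\sp_superreader are dedicated service accounts
# that nobody logs in with and that are NOT application pool identities.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl   = "http://webappurl"          # placeholder
$superUser   = "DOMAIN\sp_superuser"       # placeholder, needs Full Control
$superReader = "DOMAIN\sp_superreader"     # placeholder, needs Full Read

$wa = Get-SPWebApplication -Identity $webAppUrl

# In claims mode the object cache looks the account up by its encoded claim,
# so a plain DOMAIN\user value is never resolved and every page returns
# Access Denied. Ask SharePoint for the encoding instead of typing "i:0#.w|".
function Get-ObjectCacheAccountName {
    param(
        [Microsoft.SharePoint.Administration.SPWebApplication]$WebApplication,
        [string]$Account
    )
    if ($WebApplication.UseClaimsAuthentication) {
        $claim = New-SPClaimsPrincipal -Identity $Account -IdentityType WindowsSamAccountName
        return $claim.ToEncodedString()      # e.g. i:0#.w|domain\sp_superuser
    }
    return $Account                          # classic mode: DOMAIN\user as-is
}

# Add a web application user policy for the account if it does not exist yet.
# The object cache accounts must have these policies or the cache reads fail.
function Grant-WebAppPolicy {
    param(
        [Microsoft.SharePoint.Administration.SPWebApplication]$WebApplication,
        [string]$UserName,
        [string]$DisplayName,
        [Microsoft.SharePoint.Administration.SPPolicyRoleType]$RoleType
    )
    $existing = $WebApplication.Policies | Where-Object { $_.UserName -eq $UserName }
    if ($existing) { return }
    $policy = $WebApplication.Policies.Add($UserName, $DisplayName)
    $role   = $WebApplication.PolicyRoles.GetSpecialRole($RoleType)
    $policy.PolicyRoleBindings.Add($role)
}

$userName   = Get-ObjectCacheAccountName $wa $superUser
$readerName = Get-ObjectCacheAccountName $wa $superReader

Grant-WebAppPolicy $wa $userName   "Portal Super User"   ([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
Grant-WebAppPolicy $wa $readerName "Portal Super Reader" ([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)

# Store exactly the names the User Policy page now shows for these accounts.
$wa.Properties["portalsuperuseraccount"]   = $userName
$wa.Properties["portalsuperreaderaccount"] = $readerName
$wa.Update()

# Show what was stored, then recycle IIS so the object cache picks it up.
Write-Host "Super user  : $($wa.Properties['portalsuperuseraccount'])"
Write-Host "Super reader: $($wa.Properties['portalsuperreaderaccount'])"
iisreset
```

Two checks worth doing afterwards: open the web application’s User Policy page in Central Administration and confirm the two entries appear with the same strings the script printed, and browse a publishing site as a normal user to confirm the Access Denied is gone. If you later rename or disable either service account, the property values go stale and the same Access Denied comes back, so treat these two accounts as part of the web application’s configuration, not as ordinary users.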