SharePoint adventures

A blog about random SharePoint stuff

Setting the super user account on SharePoint 2010 and getting Access Denied errors afterwards

By default, after installing SharePoint 2010 you will probably soon encounter the following two messages in the Application log:

Object Cache: The super user account utilized by the cache is not configured. This can increase the number of cache misses, which causes the page requests to consume unneccesary system resources.
To configure the account use the following command ‘stsadm -o setproperty -propertyname portalsuperuseraccount -propertyvalue account -url webappurl’. The account should be any account that has Full Control access to the SharePoint databases but is not an application pool account.
Additional Data:
Current default super user account: SHAREPOINT\system

Object Cache: The super reader account utilized by the cache does not have sufficient permissions to SharePoint databases.
To configure the account use the following command 'stsadm -o setproperty -propertyname portalsuperreaderaccount -propertyvalue account -url webappurl'. It should be configured to be an account that has Read access to the SharePoint databases.
Additional Data:
Current default super reader account: NT AUTHORITY\LOCAL SERVICE

The Technet documentation explains the cause of these messages:

By default, the Portal Super User account is the site’s System Account, and the Portal Super Reader account is NT Authority\Local Service. There are two main issues with using the out-of-box accounts.

  1. The first issue is that some items get checked out to System Account, so when a query that includes these items is made, the checked out version of the item is returned instead of the latest published version. This is a problem because it is not what a user would expect to have returned, so the cache has to make a second query to fetch the correct version of the file. This negatively affects server performance for every request that includes these items. The same problem would occur for any user who has items checked out, if that user’s account was set to be the Portal Super User account. This is why the accounts configured to be the Portal Super User and the Portal Super Reader should not be user accounts that are used to log into the site. This ensures that the user does not inadvertently check items out and cause problems with performance.
  2. The default Portal Super Reader account is NT Authority\Local Service, which is not correctly resolved in a claims authentication application. As a result, if the Portal Super Reader account is not explicitly configured for a claims authentication application, browsing to site collections under this application will result in an “Access Denied” error, even for the site administrator. This error will occur on any site that uses any feature that explicitly uses the object cache, such as the SharePoint Server Publishing Infrastructure, metadata navigation, the Content Query Web Part, or navigation.

So keeping these values on their default value on an intranet/extranet portal is not such a good idea. Let’s go ahead and set these two, according to the suggestions in the error message!

stsadm -o setproperty -pn portalsuperuseraccount -pv DOMAIN\user -url http://webappurl
stsadm -o setproperty -pn portalsuperreaderaccount -pv DOMAIN\user -url http://webappurl
iisreset

After doing so you are either done or, if the web application is in claims mode, you will see Access Denied on every page of the web application on which you set the accounts.

Moral of the story: if you are in claims mode, you will need to use the claims-encoded user name (i:0#.w|domain\user) instead of the plain DOMAIN\user form.

Relevant sections of the Technet article:

14. Make note of how the names for the Object Cache Super Reader and Object Cache Super User accounts are displayed in the User Name column. The displayed strings will be different depending on whether you are using claims authentication for the Web application.

  1. Copy the following code and paste it into a text editor, such as Notepad:

    $wa = Get-SPWebApplication -Identity "<WebApplication>" 
    $wa.Properties["portalsuperuseraccount"] = "<SuperUser>" 
    $wa.Properties["portalsuperreaderaccount"] = "<SuperReader>" 
    $wa.Update()
  2. Replace the following placeholders with values:

    • <WebApplication> is the name of the Web application to which the accounts will be added.
    • <SuperUser> is the account to use for the Portal Super User account as you saw it displayed in the User Column field mentioned in Step 14 of the previous procedure.
    • <SuperReader> is the account to use for the Portal Super Reader account as you saw it displayed in the User Column field mentioned in Step 14 of the previous procedure.
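
The script below is an added example, not code from the post or from the Technet article. It puts the post's PowerShell snippet together with the web application user policy step that the comments point out, and it picks the identity string automatically: the plain DOMAIN\user form for a classic-mode web application, the claims-encoded i:0#.w|domain\user form for a claims-mode one. It assumes the SharePoint 2010 Management Shell, a farm administrator session, and two placeholder accounts (DOMAIN\sp_superuser and DOMAIN\sp_superreader) that you have already created in Active Directory and that nobody uses to log on to the site. The URL http://webappurl is the post's own placeholder.

```powershell
# Added example (not from the original post or Technet): configure the object-cache
# accounts of one web application with the identity string that matches its
# authentication mode, grant them the web application policy rights the cache
# needs, and read everything back so a mismatch is visible.
# Assumptions: SharePoint 2010 Management Shell, farm administrator, and the two
# placeholder accounts below already exist in AD as dedicated, non-interactive accounts.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl   = "http://webappurl"        # placeholder URL taken from the post
$superUser   = "DOMAIN\sp_superuser"     # placeholder account (assumption)
$superReader = "DOMAIN\sp_superreader"   # placeholder account (assumption)

# Turn a Windows account name into the string this web application expects:
# classic mode keeps DOMAIN\user, claims mode needs the encoded i:0#.w|domain\user.
function Get-ObjectCacheAccountName {
    param(
        [Microsoft.SharePoint.Administration.SPWebApplication]$WebApplication,
        [string]$WindowsAccount
    )
    if ($WebApplication.UseClaimsAuthentication) {
        $principal = New-SPClaimsPrincipal -Identity $WindowsAccount -IdentityType WindowsSamAccountName
        return $principal.ToEncodedString()
    }
    return $WindowsAccount
}

# Grant a web application user policy role (Full Control / Full Read) to an
# account, creating the policy entry if it does not exist yet.
function Grant-WebAppPolicy {
    param(
        [Microsoft.SharePoint.Administration.SPWebApplication]$WebApplication,
        [string]$UserName,
        [Microsoft.SharePoint.Administration.SPPolicyRoleType]$RoleType
    )
    $role   = $WebApplication.PolicyRoles.GetSpecialRole($RoleType)
    $policy = $WebApplication.Policies | Where-Object { $_.UserName -eq $UserName }
    if ($null -eq $policy) {
        $policy = $WebApplication.Policies.Add($UserName, $UserName)
    }
    if (-not ($policy.PolicyRoleBindings | Where-Object { $_.Name -eq $role.Name })) {
        $policy.PolicyRoleBindings.Add($role)
    }
}

$wa = Get-SPWebApplication -Identity $webAppUrl

$superUserName   = Get-ObjectCacheAccountName -WebApplication $wa -WindowsAccount $superUser
$superReaderName = Get-ObjectCacheAccountName -WebApplication $wa -WindowsAccount $superReader

# Step 1 (the part the comments add): policy rights on the web application.
Grant-WebAppPolicy -WebApplication $wa -UserName $superUserName   -RoleType FullControl
Grant-WebAppPolicy -WebApplication $wa -UserName $superReaderName -RoleType FullRead

# Step 2 (the post's script): store the matching strings in the web application.
$wa.Properties["portalsuperuseraccount"]   = $superUserName
$wa.Properties["portalsuperreaderaccount"] = $superReaderName
$wa.Update()
# Afterwards run iisreset on each web front end, as the post does.

# Read back what was stored and which policy roles the two accounts hold.
$check = Get-SPWebApplication -Identity $webAppUrl
"Claims mode : {0}" -f $check.UseClaimsAuthentication
"Super user  : {0}" -f $check.Properties["portalsuperuseraccount"]
"Super reader: {0}" -f $check.Properties["portalsuperreaderaccount"]
$check.Policies |
    Where-Object { @($superUserName, $superReaderName) -contains $_.UserName } |
    Select-Object UserName, @{Name = "Roles"; Expression = { ($_.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", " }}
```

The final read-back is the check most people ask for: the two property values must appear, character for character, as user names in the policy list of the same web application. If a property holds DOMAIN\user while the policy shows i:0#.w|domain\user (or the other way round), the cache account will not resolve and claims-mode sites return Access Denied exactly as described in the post.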
  • Thanks a lot. I was having this problem for many weeks. I was suspecting this to be a SharePoint bug.

    It worked fine!!

  • Thank you so much! You saved my job!

  • Thanks for the writeup. However, I would like to clarify something for future readers that I got confused about. The recommended change is a two-step process. After creating new accounts for super reader and super user in Active Directory, two things will have to be done (and not just running the PowerShell command).

    1) Add these users in the user policy section under web application management in Central Admin. (This is what I got confused about, as I think the article doesn't state that clearly and step 14 is a little confusing.)

    2) After adding the accounts through the Central Admin UI in step 1, run the PowerShell script as described by the author.

    Nonetheless, thanks a lot for this information.

  • Thanks Punit for the clarification. My post was primarily about the results of not entering the correct string for the superuser/reader accounts, that's why I omitted the web application user policy part.

  • I am NOT in claims mode, yet whenever I set the super user/reader, I am getting access denied on all sites.

    Please help, thanks.

  • You should add privileges to these accounts through the Central Administration page for all web applications.

  • Hi, I am in a similar boat: my web app is claims based, and I turned on publishing infrastructure in all sub sites.

    Some people are getting access denied on some sub sites, others are fine. How do I fix this issue? I did not configure any super user account at all. Can you direct me in the correct path?

  • Object Cache: The super reader account utilized by the cache does not have sufficient permissions to SharePoint databases.

    To configure the account use the following command 'stsadm -o setproperty -propertyname portalsuperreaderaccount -propertyvalue account -url webappurl'. It should be configured to be an account that has Read access to the SharePoint databases.

    Additional Data:

    event 7363 web content management

    Current default super reader account: NT AUTHORITY\LOCAL SERVICE

    Is this the reason some users are getting access denied on some sub sites?

    Through your pointer and comment.

  • None of the articles I have seen say anything about what kind of user account, i.e. what privileges or groups it needs to be in.

    I assume all it needs to be is a standard domain account. Yes?

    Q. Does it need to be able to log on to the system as a service?

  • I have four web applications. How do I find out which application is missing the permissions?

  • Carsten, I would verify the settings on all four web apps and make sure that

    1) the web app has its portalsuperuseraccount and portalsuperreaderaccount set to a string that's valid for the web app

    2) the specified accounts have full control and read rights respectively in the web app policy

  • Thanks a lot. I have faced SharePoint 2010 authentication issues. It worked.

  • Thanks for this article.

    To the point "The first issue is that some items get checked out to System Account": how can we know which items get checked out by the system account?

  • Thanks! This saved a lot of work, had exactly the same issue.

  • How do you verify it worked after doing both steps?
