Wednesday, March 26, 2008

Access Denied with Citrix WISP

I was attempting to install and activate the Citrix Web Interface for SharePoint on MOSS 2007 but was getting nowhere. The solutions appeared to add, deploy, and activate without error, but when I hit any of the Citrix administration links on the site collection root’s Site Settings page in the portal, all I received was 'Unknown Error.'

I had to first apply a registry hack to get the Citrix code to log anything that was going wrong. From its admin guide:

You can also find useful troubleshooting information in the log files stored in sharepoint\LOGS\LogFolder, where LogFolder is a location you can specify by setting a string value for LogFolder in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\WISP.

Without creating this key, nothing is logged. After creating it, I could see a curious sequence of events when trying to activate the Citrix Access Core feature:

...
Adding List Item Event Receiver: Added
Adding List Item Event Receiver: Deleting
Adding List Item Event Receiver: Deleted
Elevating privilege, now running as DOMAIN\moss-pool-dev
Adding new configuration update job (ConfigUpdateJob-default-WIConfiguration(DMOSS01))
AddConfigurationUpdateJob() Error: Access denied.
at Microsoft.SharePoint.Administration.SPPersistedObject.Update()
at Microsoft.SharePoint.Administration.SPJobDefinition.Update()
at Citrix.WISP.Configuration.Jobs.UpdateJob..ctor(String jobName, SPSite site, SPServer server, String configurationName, String configurationType, String filename, List`1 featureIds, SPJobLockType targetType)
at Citrix.WISP.Configuration.Jobs.Installer.<>c__DisplayClass2.b__0()
End of Elevating privilege, now running as DOMAIN\apenn
Adding new job CitrixAccessCoreDeployment(DMOSS01)(Citrix Access Core Service Provider Deployment) to DMOSS01(Application)
AddDeploymentJob() Error: Access denied.
at Microsoft.SharePoint.Administration.SPPersistedObject.Update()
at Microsoft.SharePoint.Administration.SPJobDefinition.Update()
at Citrix.WISP.AccessCore.Jobs.DeploymentJob..ctor(String jobName, SPSite site, SPServer server, SPJobLockType targetType, String title)
at Citrix.WISP.AccessCore.Jobs.Installer.<>c__DisplayClass2.b__0()
Updating Property Citrix.WISP.Site.Active in site https://devextranet.DOMAIN.local with value True
CitrixContentRedirectionModule: Add the web.config mod
- SPWebApp Name: Customer Extranet
- add/remove here: configuration/system.web/compilation/expressionBuilders
- the following:
CitrixAccessCore::Activate Error: Access to the path 'C:\Inetpub\wwwroot\wss\VirtualDirectories\devextranet.DOMAIN.local80\web.config' is denied.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share)
at System.Xml.XmlDocument.Save(String filename)
at Microsoft.SharePoint.Administration.SPWebApplication.ApplyWebConfigModifications()
at Microsoft.SharePoint.Administration.SPWebService.ApplyWebConfigModifications()
at Citrix.WISP.AccessCore.FeatureReceiver.<>c__DisplayClass2.b__0()
at Microsoft.SharePoint.SPSecurity.CodeToRunElevatedWrapper(Object state)
at Microsoft.SharePoint.SPSecurity.<>c__DisplayClass4.b__2()
at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)
at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback secureCode, Object param)
at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated secureCode)
at Citrix.WISP.AccessCore.FeatureReceiver.changeExpressionBuilderInWebConfig(SPWebApplication app, Boolean remove)
at Citrix.WISP.AccessCore.FeatureReceiver.FeatureActivated(SPFeatureReceiverProperties properties)
CitrixAccessCore: Ended at Monday, March 24, 2008 9:51:03 AM

It was apparent it was trying to take some actions under the application pool identity for the web application which failed with 'access denied,' and then was trying to use MY account (a domain administrator, MOSS farm administrator, and local MOSS server administrator) for other actions and STILL getting 'access denied!'

The administrator's guide for WISP does state:

To complete the installation you must have server farm administrator permissions, meaning you must be a member of the
administrators group on each of your Web and Application servers, and SQL security administrator with database creator rights on each of your SQL servers.

Those rights my account had; however, to correct the 'access denied' problem, I had to make my APPLICATION POOL IDENTITY:
  • A member of the Farm Administrators group in MOSS; and
  • A local machine administrator on the MOSS server.

C'mon Citrix, the application pool identity is supposed to be a low-privileged account.