Monday, August 6, 2012

System account getting access denied error

Last week, in one of the developer VMs, I was not able to access any site collection. The system account was getting an access denied error, although I checked all permissions for the system account. I confirmed myself that I gave full control on the web application from Policy. Remember, I changed the authentication type from classic authentication to claims-based authentication. So I started looking into the issue and encountered new things in SharePoint –> Object Cache user accounts.

It is quite interesting to know how a user request actually flows in SharePoint 2010. The goal of the object cache is to reduce load on the machine hosting SQL Server. In SharePoint 2010, requests for items are based on the user account. The Publishing feature makes queries whose results are cached in the object cache. When a user's query fetches data through a publishing control, the query is made by the cache, not by the user. This is not a single query. It consists of two queries: one as the super user account (includes draft items) and a second as the super reader account (published items). The results from both queries are stored in the object cache. The object cache then checks what permissions the user has (the access control list) and returns the appropriate results. This increases the number of results that are returned for the query and decreases the amount of memory needed to store the cache.

For more information, visit TechNet.

So, as per my experience, I found that although the super user and super reader have all the required permissions in the web application, the system account was still getting the access denied error.

Steps to check the super user and super reader:

Required: you must have farm administrator rights.

1. Open Central Administration and click on Manage web applications.

2. Select the web application and, from the ribbon, select the Policy tab.

3. Click Add Users; from Zones, select All zones and click Next.

4. Here you can see the super user and super admin. Because this is claims-based authentication, the accounts look like the ones below.

[Image: object user cache]

5. If the users are not added, then you need to add them, with Full Control for the super user and Full Read for the super reader (as per the image above).

To add a user, enter the name in the Users box, select the permission by ticking the right check box and click the OK button.

6. After working with the above accounts, we need to run a PowerShell script. You must have shell admin permission.

Get-SPShellAdmin (checks the SP shell admin accounts)

Add-SPShellAdmin (adds an SP shell admin)

$wa = Get-SPWebApplication -Identity "<WebApplication>"

$wa.Properties["portalsuperuseraccount"] = "<SuperUser>"

$wa.Properties["portalsuperreaderaccount"] = "<SuperReader>"

$wa.Update()

Replace <WebApplication> with your web application name, and <SuperUser> and <SuperReader> with your account names.

After a successful run:

7. Reset IIS

Type iisreset in Run and hit Enter.

Check your site collections on that web application; the access denied issue is resolved :).
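A read-only check of what the steps above configure, written as an added example and not part of the original post: it compares the two object cache properties with the web application's user policy and reports a mismatch such as a non-claims account name on a claims-based web application. The function name Test-ObjectCacheAccount and the URL http://intranet.example.local are assumptions made for illustration.

```powershell
# Added example: audits the object cache accounts on one web application.
# It only reads configuration; nothing is changed and no IIS reset is needed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-ObjectCacheAccount {
    param($WebApp, [string]$PropertyName, [string]$ExpectedRole)

    $account = [string]$WebApp.Properties[$PropertyName]
    $result = New-Object PSObject -Property @{
        Property = $PropertyName; Account = $account
        Expected = $ExpectedRole; Finding = 'OK'
    }
    if ([string]::IsNullOrEmpty($account)) {
        $result.Finding = 'Property is not set on the web application'
        return $result
    }
    # On a claims web application the stored name has to be the claims-encoded
    # login (for a Windows account: i:0#.w|DOMAIN\user). A plain DOMAIN\user
    # left over from classic mode will not match the policy entry.
    if ($WebApp.UseClaimsAuthentication -and $account -notmatch '^i:0') {
        $result.Finding = 'Claims web application, but account name is not claims-encoded'
        return $result
    }
    # The account also needs a user policy entry carrying the expected role.
    $policy = @($WebApp.Policy | Where-Object { $_.UserName -eq $account })
    if ($policy.Count -eq 0) {
        $result.Finding = 'No user policy entry for this account'
        return $result
    }
    $roles = $policy | ForEach-Object { $_.PolicyRoleBindings } |
        Where-Object { $_.Type -eq $ExpectedRole }
    if (-not $roles) {
        $result.Finding = 'Policy entry exists but lacks the expected role'
    }
    return $result
}

# Placeholder URL (assumption); use your own web application.
$wa = Get-SPWebApplication -Identity "http://intranet.example.local"
@(
    Test-ObjectCacheAccount $wa 'portalsuperuseraccount'   'FullControl'
    Test-ObjectCacheAccount $wa 'portalsuperreaderaccount' 'FullRead'
) | Format-Table Property, Account, Expected, Finding -AutoSize
```

Because the super user holds Full Control across the whole web application, it is worth confirming that both entries are dedicated service accounts rather than accounts anyone signs in with.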