Re: Error code = 4060

From: SS (stephen_at_acsalaska.com)
Date: 06/29/04


Date: Tue, 29 Jun 2004 10:30:57 -0800

Thanks,
Actually, one of the biggest helps for configuring the app pool permissions
was this article:
http://www.microsoft.com/technet/prodtechnol/office/sps2003/maintain/apppool.mspx
which details the local groups the app pool identity must be a member of:
IIS_WPG, SPS_WPG, STS_WPG

But please note that the first article you mention speaks to rights on the
configuration database, not the content database. My installation does not
seem to perform as expected unless this new app pool identity for a
divisional portal has dbo rights to the parent portal's _content_ database,
not just the configuration database. In Chapter 5 of the SharePoint Resource
Kit (page 123) it states, "Although child portal sites must have access to
the parent configuration and content databases, for added security, that
access can be limited to read-only". This contradicts my experience, and so
I wonder if this can be verified or not? The way I view it, though things
are working now, either my setup is wrong or the book is wrong. I naturally
worry that my setup is wrong, and this worries me because I fear it may
manifest itself sometime later with unfavorable results.

Anyway, I mostly write this reply just to follow up with concise info of my
experience for later help when someone googles up the 4060 error, but my
problem has been fixed, though I'll continue to wonder about the level of
access I'm giving my divisional portal's app pool identity.

Thanks again,
S

"Wei-Dong XU [MSFT]" <v-wdxu@online.microsoft.com> wrote in message
news:qas%23$FbXEHA.3776@cpmsftngxa10.phx.gbl...
> Hi S,
>
> I'd suggest the two articles of SPS administrator's guide will provide
> some information.
> a) The section "Portal Site Application Pool Identity" of "Changing Access
> Accounts and Passwords" introduces the account of Application pool should
> be a member of the db_owner database role in SQL Server on the
> configuration database.
>
> b) This article "Changing Access Accounts and Passwords" also introduces:
> "The account must be a member of the Power Users group on the server on
> which you installed SharePoint Portal Server. The account must have the
> Database Creators and Security Administrators server roles on the SQL
> Server instance. In addition, the account must be a domain account if you
> have more than one server in your configuration."
>
> Furthermore, from my view, you can feel free to use one high-permission
> account in the application pool. The SPS/WSS uses the OM (object model) to
> provide the service for the customer. When one user logs on, any request he
> sends will be checked by OM; if passed security checking, then the OM will
> perform the corresponding operations. The account set in Application pool
> is used directly by SPS/WSS OM, not the client, so in this scenario, the
> operation performed in this account is controlled by OM: the managed
> operation. Generally speaking, this is a very secure mechanism for you.
>
> Please feel free to let me know if you have any further question.
>
> Best Regards,
> Wei-Dong Xu
> Microsoft Product Support Services
> Get Secure! - www.microsoft.com/security
> This posting is provided "AS IS" with no warranties, and confers no
> rights.


