theme-sticky-logo-alt

SharePoint 2013 Apps do not load CSS properly 403 – defaultcss.ashx

10 Comments

Last week I was confronted with a pretty big SharePoint 2013 Apps Error. After setting up the Environment using my own guide that worked almost a dozen times before, whenever I entered an application, the CSS didn’t load properly and the app looked something like this:

SharePoint 2013 Apps do not load CSS

I did check the network monitor when loading and at first, I have found this:

So I thought it was getting a 404 somewhere… however on a second app there were absolutely no 404’s. I then turned on verbose logging and watched ULS in real time and found the following Logs. I know it’s quite a pack of ULS logs, however they will help future victims of this bug find this post!

defaultcss.ashx: using elevated codepath to get css file or other resource because the non-elevated code path failed to get it. System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
at Microsoft.SharePoint.SPGlobal.HandleUnauthorizedAccessException(UnauthorizedAccessException ex)
at Microsoft.SharePoint.Library.SPRequest.SetWebMetainfo(String bstrUrl, Object varMetainfo)
at Microsoft.SharePoint.SPWeb.UpdateProperties(StringDictionary data)
at Microsoft.SharePoint.SPWeb.set_MasterDefaultCss(String value)
at Microsoft.SharePoint.SPWeb.get_MasterDefaultCss()
at Microsoft.SharePoint.ApplicationPages.DefaultCss.GetResourceUrl(SPWeb web, Boolean getResource)
at Microsoft.SharePoint.ApplicationPages.DefaultCss.ProcessRequest(HttpContext context)
System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)), StackTrace:
at Microsoft.SharePoint.SPWeb.UpdateProperties(StringDictionary data)
at Microsoft.SharePoint.SPWeb.set_MasterDefaultCss(String value)
at Microsoft.SharePoint.SPWeb.get_MasterDefaultCss()
at Microsoft.SharePoint.ApplicationPages.DefaultCss.GetResourceUrl(SPWeb web, Boolean getResource)
at Microsoft.SharePoint.ApplicationPages.DefaultCss.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error)
at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb)
at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)
at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
SPRequest.OpenWeb: UserPrincipalName=, AppPrincipalName= ,bstrUrl=http://vladtest.domain.ca/My FAQ List
System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)), StackTrace:
at Microsoft.SharePoint.SPWeb.InitWeb()
at Microsoft.SharePoint.SPWeb.get_Title()
at Microsoft.SharePoint.SPSite.OpenWeb(Guid gWebId, Int32 mondoHint)
at Microsoft.SharePoint.ApplicationPages.DefaultCss.<>c__DisplayClass3.<ProcessRequest>b__0()
at Microsoft.SharePoint.SPSecurity.<>c__DisplayClass5.<RunWithElevatedPrivileges>b__3()
at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)
at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback secureCode, Object param)
at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated secureCode)
at Microsoft.SharePoint.ApplicationPages.DefaultCss.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error)
at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb)
at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)
at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
UnauthorizedAccessException for the request. 403 Forbidden will be returned. Error=Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
at Microsoft.SharePoint.SPGlobal.HandleUnauthorizedAccessException(UnauthorizedAccessException ex)
at Microsoft.SharePoint.Library.SPRequest.OpenWeb(String bstrUrl, String& pbstrServerRelativeUrl, String& pbstrTitle, String& pbstrDescription, String& pbstrTitleResourceId, String& pbstrDescriptionResourceId, Guid& pguidID, DateTime& pdtTimeCreated, String& pbstrRequestAccessEmail, UInt32& pwebVersion, Guid& pguidScopeId, UInt32& pnAuthorID, UInt32& pnLanguage, UInt32& pnLocale, UInt16& pnTimeZone, Boolean& bTime24, Int16& pnCollation, UInt32& pnCollationLCID, Int16& pnCalendarType, Int16& pnAdjustHijriDays, Int16& pnAltCalendarType, Boolean& pbShowWeeks, Int16& pnFirstWeekOfYear, UInt32& pnFirstDayOfWeek, Int16& pnWorkDays, Int16& pnWorkDayStartHour, Int16& pnWorkDayEndHour, Int16& pnMeetingCount, Int32& plFlags, Boolean& bConnectedToPortal, String& pbstrPortalUrl, String& pbstrPortalName, Int32& plWebTemplateId, Int16& pnProvisionConfig, String& pbstrDefaultTheme, String& pbstrDefaultThemeCSSUrl, String& pbstrThemedCssFolderUrl, String& pbstrAlternateCSSUrl, String& pbstrCustomizedCssFileList, String& pbstrCustomJSUrl, String& pbstrAlternateHeaderUrl, String& pbstrMasterUrl, String& pbstrCustomMasterUrl, String& pbstrSiteLogoUrl, String& pbstrSiteLogoDescription, Object& pvarUser, Boolean& pvarIsAuditor, UInt64& ppermMask, Boolean& bUserIsSiteAdmin, Boolean& bHasUniquePerm, Guid& pguidUserInfoListID, Guid& pguidUniqueNavParent, Int32& plSiteFlags, DateTime& pdtLastContentChange, DateTime& pdtLastSecurityChange, String& pbstrWelcomePage, Boolean& pbOverwriteMUICultures, Boolean& pbMUIEnabled, String& pbstrAlternateMUICultures, Int32& plSiteSchemaMajorVersion, Int32& plSiteSchemaMinorVersion, Int32& plSiteSchemaBuildVersion, Int32& plSiteSchemaRevisionVersion, Int32& puiVersion, Int16& pnClientTag, Boolean& pfIsEvalSite, Guid& pgSourceSiteId, DateTime& pdtExpirationDate, Guid& pgEvalSiteId, Guid& pguidAppProductId, String& pbstrRemoteAppUrl, String& pbstrOAuthAppId, String& pbstrAppDatabaseName, Guid& pgAppDatabaseServerReferenceId, String& pbstrAppDatabaseTargetApplicationId, String& pbstrAppWebDomainId, Int32& plUpgradeFlags, DateTime& pdtReminderDate, UInt64& pmaskDeny)
at Microsoft.SharePoint.SPWeb.InitWeb()
at Microsoft.SharePoint.SPWeb.get_Title()
at Microsoft.SharePoint.SPSite.OpenWeb(Guid gWebId, Int32 mondoHint)
at Microsoft.SharePoint.ApplicationPages.DefaultCss.<>c__DisplayClass3.<ProcessRequest>b__0()
at Microsoft.SharePoint.SPSecurity.<>c__DisplayClass5.<RunWithElevatedPrivileges>b__3()
at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)
at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback secureCode, Object param)
at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated secureCode)
at Microsoft.SharePoint.ApplicationPages.DefaultCss.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Application error when access /_layouts/15/defaultcss.ashx, Error=Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
at Microsoft.SharePoint.SPGlobal.HandleUnauthorizedAccessException(UnauthorizedAccessException ex)
at Microsoft.SharePoint.Library.SPRequest.OpenWeb(String bstrUrl, String& pbstrServerRelativeUrl, String& pbstrTitle, String& pbstrDescription, String& pbstrTitleResourceId, String& pbstrDescriptionResourceId, Guid& pguidID, DateTime& pdtTimeCreated, String& pbstrRequestAccessEmail, UInt32& pwebVersion, Guid& pguidScopeId, UInt32& pnAuthorID, UInt32& pnLanguage, UInt32& pnLocale, UInt16& pnTimeZone, Boolean& bTime24, Int16& pnCollation, UInt32& pnCollationLCID, Int16& pnCalendarType, Int16& pnAdjustHijriDays, Int16& pnAltCalendarType, Boolean& pbShowWeeks, Int16& pnFirstWeekOfYear, UInt32& pnFirstDayOfWeek, Int16& pnWorkDays, Int16& pnWorkDayStartHour, Int16& pnWorkDayEndHour, Int16& pnMeetingCount, Int32& plFlags, Boolean& bConnectedToPortal, String& pbstrPortalUrl, String& pbstrPortalName, Int32& plWebTemplateId, Int16& pnProvisionConfig, String& pbstrDefaultTheme, String& pbstrDefaultThemeCSSUrl, String& pbstrThemedCssFolderUrl, String& pbstrAlternateCSSUrl, String& pbstrCustomizedCssFileList, String& pbstrCustomJSUrl, String& pbstrAlternateHeaderUrl, String& pbstrMasterUrl, String& pbstrCustomMasterUrl, String& pbstrSiteLogoUrl, String& pbstrSiteLogoDescription, Object& pvarUser, Boolean& pvarIsAuditor, UInt64& ppermMask, Boolean& bUserIsSiteAdmin, Boolean& bHasUniquePerm, Guid& pguidUserInfoListID, Guid& pguidUniqueNavParent, Int32& plSiteFlags, DateTime& pdtLastContentChange, DateTime& pdtLastSecurityChange, String& pbstrWelcomePage, Boolean& pbOverwriteMUICultures, Boolean& pbMUIEnabled, String& pbstrAlternateMUICultures, Int32& plSiteSchemaMajorVersion, Int32& plSiteSchemaMinorVersion, Int32& plSiteSchemaBuildVersion, Int32& plSiteSchemaRevisionVersion, Int32& puiVersion, Int16& pnClientTag, Boolean& pfIsEvalSite, Guid& pgSourceSiteId, DateTime& pdtExpirationDate, Guid& pgEvalSiteId, Guid& pguidAppProductId, String& pbstrRemoteAppUrl, String& pbstrOAuthAppId, String& pbstrAppDatabaseName, Guid& pgAppDatabaseServerReferenceId, String& pbstrAppDatabaseTargetApplicationId, String& pbstrAppWebDomainId, Int32& plUpgradeFlags, DateTime& pdtReminderDate, UInt64& pmaskDeny)
at Microsoft.SharePoint.SPWeb.InitWeb()
at Microsoft.SharePoint.SPWeb.get_Title()
at Microsoft.SharePoint.SPSite.OpenWeb(Guid gWebId, Int32 mondoHint)
at Microsoft.SharePoint.ApplicationPages.DefaultCss.<>c__DisplayClass3.<ProcessRequest>b__0()
at Microsoft.SharePoint.SPSecurity.<>c__DisplayClass5.<RunWithElevatedPrivileges>b__3()
at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)
at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback secureCode, Object param)
at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated secureCode)
at Microsoft.SharePoint.ApplicationPages.DefaultCss.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)


The important part to see is that in the following logs, we have acces denied on an important app file which is defaultcss.ashx

defaultcss.ashx: using elevated codepath to get css file or other resource because the non-elevated code path failed to get it. System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
Application error when access /_layouts/15/defaultcss.ashx, Error=Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
UnauthorizedAccessException for the request. 403 Forbidden will be returned. Error=Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

Also by watching it with Fiddler I had realized there were 403 errors on that file

Screenshot Property of Tobias Wolter because I forgot to take one myself!

Now at least, I had some ULS logs to research on, however the only person I found had this bug had written about it in German and Google translate did a really poor job . That person is Tobias Wolter, and if you understand German, you can also read about this topic on his blog here: http://www.standard-cloud.com/2013/04/sharepoint2013-apps-konfiguration-bug/ .

I tried excluding the permission problem, so I gave ALL SharePoint Service Accounts Full admin on SP Server, SysAdmin on SQL, and full control on Web Application. Did IISReset and reboots but nothing!

To continue debugging, I also tried using ProcMon to find what account was trying to get that file, however it had SUCCES on accessing it… So that didn’t help!

Then, when I was about to give up I finally found the solution. To put you in context, before this moment, when I was installing a SharePoint 2013 farm, I had two Application Pools as per *old* SharePoint Best Practices. One for the MySites and one for the rest of the Web Applications. I wasn’t a firm believer in the Host named Site Collections Model yet. However, I was well aware that Microsoft is advising us to only have 1 Web Application (= 1 App Pool = 1 App Pool Account) in SharePoint 2013.

Solution

Now, as you know if you set up apps in SharePoint 2013, you need an “Empty Host Header” Web application. Well I found out that apps will work only in Web Applications that will use the same Application Pool Account as the Empty Host Header Web Application. To make it safe, I suggest you put it in the same pool (that’s what I did) and it worked. In other words… if you have this error and you’re reading this blog post it’s because you use two application pool accounts! You need to go back to using only one! In other words

I am really glad I finally found the problem and wanted to thank the following people for providing great ideas on twitter and SharePoint Community!

Thank you!

Leave a comment and don’t forget to like us on Facebook here and to follow me on Google+ here and on Twitter here  for the latest news and technical articles on SharePoint.  Also, don’t forget to check out SharePoint Community.Net for more great SharePoint Content

Previous Post
Create a scripted SharePoint 2013 Development Environment Tutorial – Part 3
Next Post
Create a scripted SharePoint 2013 Development Environment Tutorial – Part 4

10 Comments

  • September 4, 2014 at 3:07 pm
    • September 12, 2014 at 1:00 pm

      Glad I could help and thanks for posting it in the MSDN forums as well to help more people!

      Reply
  • September 17, 2014 at 11:59 pm
    Pell

    Great post! I thought I’d share something that we discovered today. We had the exact same issue as you have above with Access Apps, however, there is a reason why we have 2 app pools running under separate service accounts and do not have the luxury of changing them. After much digging, we found that if you go the Apps Permissions page (site contents, find the app, click ellipsis (…), select permissions) and then click the ‘If there’s something wrong with the app’s permissions, click here to trust it again’ link, this resolved the issue.

    Unfortunately, this must be done for each instance of the app, and therefor is just a workaround, but I thought this was interesting and might be helpful to some.

    Reply
    • September 25, 2014 at 12:57 am

      That’s a great way of fixing it and thank you very much for sharing the fix! I am sure it will be helpful!

      Reply
      • February 23, 2015 at 12:04 pm
        Sajjad

        I am new to sharepoint and have installed on my laptop so, I tried your solution of again clicking on Trust It but unfortunately it did not work for me. My central Admin and the web app i have deployed app is pointing to different web application pools. First time i faced an issue in deploying the app through visual studio “Error occurred in deployment step ‘Install app for SharePoint’: The System Account cannot perform this action.” then i solved it by running visual studio as an administrator after login as a different windows user and that windows user was the site primary administrator where i was trying to deploy the app. Finally it is done but without CSS. Now if i try to deploy app from visual studio i face the same above error. And even by trusting it again is not solving the issue. Any help please. I really appreciate.
        Thank You

    • August 12, 2015 at 6:49 pm
      Jordan

      That totally saved me!
      Does anyone know how or why an app becomes untrusted?

      Reply
  • September 16, 2015 at 10:41 am
    IU

    This sounds like the same problem that I am facing right now with date time picker. The only difference is my organization is using SharePoint Online and the issue persists on only a few sites.

    Reply
    • September 16, 2015 at 10:42 am
      IU

      Clicked the return key too fast. Anyone can help me with this issue with SharePoint Online?

      Reply
      • December 13, 2017 at 10:18 pm
        Richard

        Hello, is the problem solved now? I am very much looking forward to knowing the solution

  • March 5, 2018 at 2:20 am
    Christian

    Quick fix for me was to simply “Trust the app”.

    Reply

Leave a Reply

15 49.0138 8.38624 1 0 4000 1 https://vladtalkstech.com 300 1