“Access Denied” When Trying to Save a Web as Template in SP 2019 On-Premises

My customer tries to save a sub web “as template” using “/_layouts/15/savetmpl.aspx“.

He gets an “Access Denied” (“This site has not been shared with you”) page.

It took me a while to understand the ULS (SharePoint log). Finally I found the related lines.

Requiring ACPRight

The permission is being checked for a write operation

Requiring ManageListsRight and ACPRight as this is a write operation on catalog

Permission check failed. Asking for 0x00040802, have 0x7FFFFFFFFFFBFFFF

SPRequest.PutFile: UserPrincipalName=i:0).w|s-1-5-21-45689356773-24675323-1484686, AppPrincipalName= ,bstrUrl=https://sharepoint.farm ,bstrWebRelativeUrl=_catalogs/solutions/ikarstein.wsp ,cbFile=11111 ,punkSPFileMgr=<null> ,punkFFM=<null>

System.UnauthorizedAccessException: Access denied., StackTrace:   
 at Microsoft.SharePoint.SPFileCollection.AddStreamOrBytesInternal(String urlOfFile, Stream file, Int64 fileSizeToSave, SPFileStreamManager spmgr, Int64 fileOpt, String createdBy, String modifiedBy, Int32 createdByID, Int32 modifiedByID, DateTime timeCreated, DateTime timeLastModified, Object varProperties, String checkInComment, Stream formatMetadata, String lockIdMatch, String etagToMatch, SPLockType lockType, String lockId, TimeSpan lockTimeout, Boolean validateRequiredFields, Guid bitsSessionId, Guid originatorId, SPVirusCheckStatus& virusCheckStatus, String& virusCheckMessage, String& etagNew, Boolean& ignoredRequiredProps, SPFileInfo& fileProps)    
 at Microsoft.SharePoint.SPFileCollection.Add(String urlOfFile, Stream file, Hashtable properties, Boolean overwrite, Boolean requireWebFilePermissions)    
 at Microsoft.SharePoint.SPSolutionExporter.ExportWebToGallery(SPWeb web, String solutionFileName, String title, String description, ExportMode exportMode, Boolean includeContent, String workflowTemplateName, String destinationListUrl, Action`1 solutionPostProcessor, Boolean activateSolution)    
 at Microsoft.SharePoint.ApplicationPages.SaveAsTemplatePage.BtnSaveAsTemplate_Click(Object sender, EventArgs e)    
 at System.Web.UI.WebControls.Button.OnClick(EventArgs e)    
 at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)    
 at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)    
 at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)    
 at System.Web.UI.Page.ProcessRequest()    
 at System.Web.UI.Page.ProcessRequest(HttpContext context)    
 at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()    
 at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)    
 at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)    
 at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error)    
 at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb)    
 at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)    
 at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)    
 at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)    
 at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)    
 at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)    
 at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)    
 at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)

Access Denied. Exception: Access denied., StackTrace:  
 at Microsoft.SharePoint.Library.SPRequestInternalClass.PutFile(String bstrUrl, String bstrWebRelativeUrl, Object punkFile, Int64 cbFile, Object punkSPFileMgr, Object punkFFM, SPFileSaveParams sfsp, SPFileInfo& pFileProps, UInt32& pdwVirusCheckStatus, String& pVirusCheckMessage, String& pEtagReturn, Byte& piLevel, Int32& pbIgnoredReqProps)    
 at Microsoft.SharePoint.Library.SPRequest.PutFile(String bstrUrl, String bstrWebRelativeUrl, Object punkFile, Int64 cbFile, Object punkSPFileMgr, Object punkFFM, SPFileSaveParams sfsp, SPFileInfo& pFileProps, UInt32& pdwVirusCheckStatus, String& pVirusCheckMessage, String& pEtagReturn, Byte& piLevel, Int32& pbIgnoredReqProps).

It took me a lot of time to figure that out…

$w = Get-SPWeb "https://sharepoint.farm"

$w.site.DenyPermissionsMask

([long]$w.site.DenyPermissionsMask).ToString("x")

0x7FFFFFFFFFFBFFFFL

0x7FFFFFFFFFFFFFFFL

0x7FFFFFFFFFFFFFFFL -bxor 0x40000

The line ” $w.site.DenyPermissionsMask ” returned the result: “AddAndCustomizePages” => A (A) C P => ACP ? => ACPRight … ?? There it was !!!

Hex: 0x40000 (line ([long]$w.site.DenyPermissionsMask).ToString("x") )

The long hex values showed me that exactly that right was for some reasons “denied” on the site collection.

I solved it using this command:

$w.site.DenyPermissionsMask = [microsoft.sharepoint.spbasepermissions]::EmptyMask

The previous setting can be restored with:

$w.site.DenyPermissionsMask =[microsoft.sharepoint.spbasepermissions]::AddAndCustomizePages

After the fix, I checked all site collections for this particular setting:

get-spsite -limit all | % {
    if( ($_.DenyPermissionsMask) -ne "EmptyMask") {
        write-host $_.url  -ForegroundColor red
        write-host "`t" ($_.DenyPermissionsMask) -ForegroundColor red
    } else {
        #write-host $_.url  -ForegroundColor green
    }
}

… No other site collection has had a setting other than “EmptyMask”.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.