My Site creation failure for user after moving My Sites to dedicated web application

Question

I have created a new web application at port 8080 with the intention of having all personal site creation (i.e. My Sites) stored in a dedicated WSS_Content database (i.e. a best practice recommendation).

I've gone through all the steps needed, I think:

• created MySitesCollection using Enterprise Template "My Site Host" at root of http://SPstaff:8080 and this top-level site was successfully created
• Enabled self-service site creation for the web application (changed radio button to ON). I got a Warning: Self-Service Site Creation will create sites under a shared host name which I didn't understand (maybe relevant?)
• Added a managed path /mysites to this web app
• Configured My Site settings for the User Profile service application by clicking Setup My Sites such that My Site Host set to http://spstaff:8080/ and Personal Site Location set to mysites.

When I first tried browsing to SPstaff:8080/mysites/ I got a reasonable error in Windows Event Log:

Cannot open database "WSS_Content_SPSTAFFMySites" requested by the login. The login failed. Login failed for user 'CBMIWEB\spAppPool'

So I added this user to this newly created database and I no longer get that error.

Instead, I am getting errors like this sequence:

First error is Event ID: 6141 Task Category: Topology

The site /mysites/joanc could not be created.  The following exception occurred: Attempted to perform an unauthorized operation

Next entry in Application Log is Event ID: 5187 Task Category: Administration

My Site creation failure for user 'CBMIWEB\joanc' for site url `'http://spstaff:8080/mysites/joanc'`. 
The exception was: Microsoft.Office.Server.UserProfiles.PersonalSiteCreateException: A failure was encountered while attempting to create the site. ---> System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
at Microsoft.SharePoint.SPSecurableObject.CheckPermissions(SPBasePermissions permissionMask)
at Microsoft.SharePoint.SPSecurity.ValidateSecurityOnOperation(SPOperationCode code, SPSecurableObject obj)
at Microsoft.SharePoint.SPFeature.AddRowToFeaturesTable(SPFeaturePropertyCollection props, SPSite site, SPWeb web, Boolean fForce)
at Microsoft.SharePoint.SPFeature.Activate(SPSite siteParent, SPWeb webParent, SPFeaturePropertyCollection props, Boolean fForce)
at Microsoft.SharePoint.SPFeatureCollection.AddInternal(SPFeatureDefinition featdef, Version version, SPFeaturePropertyCollection properties, Boolean force, Boolean fMarkOnly)
at Microsoft.SharePoint.SPFeatureCollection.AddInternalWithName(Guid featureId, String featureName, Version version, SPFeaturePropertyCollection properties, Boolean force, Boolean fMarkOnly, SPFeatureDefinitionScope featdefScope)
at Microsoft.SharePoint.SPFeatureManager.EnsureFeaturesActivatedCore(SPSite site, SPWeb web, String sFeatures, Boolean fMarkOnly)
at Microsoft.SharePoint.SPFeatureManager.<>c__DisplayClassa.<EnsureFeaturesActivatedAtSite>b__9()
at Microsoft.SharePoint.SPSecurity.RunAsUser(SPUserToken userToken, Boolean bResetContext, WaitCallback code, Object param)
at Microsoft.SharePoint.SPFeatureManager.EnsureFeaturesActivatedAtSite(Byte[]& userToken, Guid& tranLockerId, Int32 nZone, Guid databaseid, Guid siteid, String sFeatures)
at Microsoft.SharePoint.Library.SPRequest.SscCreateSite(Guid gApplicationId, String bstrUrl, String bstrServerRelativeUrl, Int32 lZone, Guid gSiteId, Guid gDatabaseId, String bstrDatabaseServer, String bstrDatabaseName, String bstrDatabaseUsername, String bstrDatabasePassword, String bstrTitle, String bstrDescription, UInt32 nLCID, String bstrOwnerLogin, String bstrOwnerUserKey, String bstrOwnerName, String bstrOwnerEmail, String bstrSecondaryContactLogin, String bstrSecondaryContactUserKey, String bstrSecondaryContactName, String bstrSecondaryContactEmail, Boolean bADAccountMode, Boolean bHostHeaderIsSiteName, Int32 iDatabaseVersionMajor, Int32 iDatabaseVersionMinor, Int32 iDatabaseVersionBuild, Int32 iDatabaseVersionRevision)
at Microsoft.SharePoint.Administration.SPSiteCollection.Add(SPContentDatabase database, SPSiteSubscription siteSubscription, String siteUrl, String title, String description, UInt32 nLCID, String webTemplate, String ownerLogin, String ownerName, String ownerEmail, String secondaryContactLogin, String secondaryContactName, String secondaryContactEmail, String quotaTemplate, String sscRootWebUrl, Boolean useHostHeaderAsSiteName)
at Microsoft.SharePoint.SPSite.SelfServiceCreateSite(String siteUrl, String title, String description, UInt32 nLCID, String webTemplate, String ownerLogin, String ownerName, String ownerEmail, String contactLogin, String contactName, String contactEmail, String quotaTemplate, SPSiteSubscription siteSubscription)
at Microsoft.Office.Server.UserProfiles.UserProfile.<>c__DisplayClass2.<CreateSite>b__0()
--- End of inner exception stack trace ---
at Microsoft.Office.Server.UserProfiles.UserProfile.<>c__DisplayClass2.<CreateSite>b__0()
at Microsoft.SharePoint.SPSecurity.<>c__DisplayClass4.<RunWithElevatedPrivileges>b__2()
at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)
at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback secureCode, Object param)
at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated secureCode)
at Microsoft.Office.Server.UserProfiles.UserProfile.CreateSite(String strRequestUrl, Boolean bCollision, Int32 lcid)

Other symptoms using my personal logon browsing to http://spstaff:8080/mysites/johna are the un-helpful "Internet Explorer cannot display the webpage".

I am not sure what is wrong.

Answer 1

• My setup for this was generally OK but my choices for the new web application introduced a need for "host headers" and an arbitrary port of 8080
• The name requiring "host headers" required unneccessary complication so the entire web application was deleted
• This new web application still failed (even after all the proper steps taken)
• Captured HTTP traffic with Fiddler2 and errors led me to suspect Firewall(s) rules
• Ultimately, the Windows Firewall on our Sharepoint server needed a new rule added for Inbound traffic (to allow port 81).

So the objective has been achieved but I wonder if I could have avoided using a different port number? Could I have added a 2nd web application (to achieve the separation of content to a diffent database) that also used port 80? Could a wildcard managed path for mysites at the root of this 2nd web app have been sufficient?