Question

Note: The steps listed below should resolve this issue in most cases. My situation involved my browser cache...

Whenever I access my SharePoint 2010 foundation page I am automatically logged in as "System Account". Attempting to sign in as a different user fails and attempting to use the farm account also fails. No authentication is required either from the browser on the server or from another computer on the same network.

I recently split out my service accounts in the following fashion:

  • SP_Admin: Local admin, farm administrator, timer service, app pool identity for central admin.
  • SP_WebAPPS: runs all web app pools
  • SP_ServiceAPPS: runs all service app pools
  • SQL_User: SQL Server Admin & SQL Services account

I am continuing to create users for my services.

Here are the steps I have tried so far to rectify this problem: (I've performed an IISRESET after each)

  • Check the IIS Application Pool Authentication method:

    • Start> Internet Information Services > Expand "Sites" > click on problem site > Right click on Authentication > choose "Basic Settings" > Find "Connect As" and see if an account is specified. Change to "Pass Through Authentication" if an account is specified.
  • Check the IIS Application Pool Identity:

    • Start> Internet Information Services > click "Application Pools"> Right click on target application pool> choose "Advanced Settings" > Find the "Process Model" grouping > Find "Identity" > Check that this is not a system account.
    • This setting should be changed via Central Administration>Security>Configure Service Accounts and not directly in IIS.
    • Choose the target web application from Central Admin and change the service account within "Configure Service Accounts". SharePoint will make all the appropriate permission changes etc.
  • Check the farm account:

    • Start>Central Administration>Security>Configure Service Accounts>Farm Account Check to see that the Farm Account is actually the account you intend to use for the farm and not a system account.
    • Be sure that the Farm Account has the appropriate level of access to your SQL Database before making a change to this setting. You will be locked out of Central Admin if the farm account does not have appropriate access and you will need to change the web application identity in IIS to regain access.
  • Check the user policy in the site:

    • Start>Central Administration>Web Applications>Manage Web Applications Click on target web application > click on "user policy" in the ribbon. Check a box next to a user account - click on "Edit Permissions of Selected Users"
    • Look to see if "Account operates as system" is checked.
  • Update farm admin using stsadm:

    • stsadm -o updatefarmcredentials -userlogin domain\sharepointAdminUser -password myPassword
    • Default location of stsadm for SharePoint 2010 Foundation: c:\Program Files\common files\microsoft shared\web server extensions\14\bin
  • Change the Web Application Service Account back to "Network Service"

    • This should prompt for credentials from the user...

No avail! What is left to do?


Solution

Ok! Looks like this is a self answer... But I want to leave the question up as a reference.

Apparently Internet Explorer was caching my credentials (DOH!) and logging me in as the system account (Farm Admin).

  • I had to log in as a different user and enter the correct domain information (DOH!) and then it forgot who I was.
    • I apparently failed to enter a domain name the first time I tried to switch users. SharePoint resides on a separate domain.
  • Oddly, even a clear cache and browser restart didn't prevent it from re-authenticating as the farm admin...
    • Not sure why it would cling to the Farm Admin identity so tightly, but either way, the problem appears to be resolved.

OTHER TIPS

If you log on to Windows (regardless of whether it is the Windows Server or your Win7 PC) with the "System Account" (e.g. yourdomain.com\farmadmin), you get the authentication token. When you open your browser and access the SharePoint site, your token will log you in without you retyping the login/password.

You can use a PC or server outside your SharePoint's domain (i.e. any AD account not under yourdomain.com) to log on to the SharePoint site. Then you will get the password prompt again.

Another method is to start Internet Explorer using the Run as different user option, and then go to the SharePoint site. (Note: The Run as different user option is visible if you hold the Shift key when you right-click a program icon.) ref: https://support.microsoft.com/kb/2752600/en-us

I would say that it may be caused if your account is configured as Farm account. At least I had the same issue in SP 2013 - I was using DOMAIN\Administrator but SharePoint showed my user as "System Account". As soon as I changed farm account to be something different than DOMAIN\Administrator I got my user displayed as Administrator.

You can check/change this in CA > Security > Configure service accounts

There is another (although more remote) possibility that can cause this. Go to CA > Manage Web Applications, select the web app, and click the user policy ribbon button. Click on your name if it is in there and make sure the "Account operates as system" box is not checked. This mostly applies to admins.
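
The configuration checks from the question and the answers above (farm account, application pool identity, and the "Account operates as system" user policy), gathered into one read-only script. This is an added example, not code from any of the posts; it assumes it runs in the SharePoint Management Shell on a farm server, and the function name Get-SystemAccountCause is hypothetical.

```powershell
# Added example: read-only audit, changes no settings.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SystemAccountCause {
    param(
        # Account to test; defaults to the Windows identity running the shell.
        [string]$UserLogin = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    )

    # 1. Farm account (CA > Security > Configure service accounts).
    $farmAccount = (Get-SPFarm).DefaultServiceAccount.Name
    New-Object PSObject -Property @{
        Check   = 'Farm account'
        Scope   = 'Farm'
        Account = $farmAccount
        Match   = ($farmAccount -ieq $UserLogin)
    }

    foreach ($wa in Get-SPWebApplication) {
        # 2. Application pool identity of each web application.
        $poolUser = $wa.ApplicationPool.Username
        New-Object PSObject -Property @{
            Check   = 'App pool identity'
            Scope   = $wa.Url
            Account = $poolUser
            Match   = ($poolUser -ieq $UserLogin)
        }

        # 3. User policy entries with "Account operates as system" checked.
        foreach ($policy in $wa.Policies) {
            if ($policy.IsSystemUser) {
                # Claims-encoded names carry a prefix, so compare the tail.
                $tail = $policy.UserName.EndsWith(
                    $UserLogin, [StringComparison]::OrdinalIgnoreCase)
                New-Object PSObject -Property @{
                    Check   = 'Policy: operates as system'
                    Scope   = $wa.Url
                    Account = $policy.UserName
                    Match   = $tail
                }
            }
        }
    }
}

# Rows with Match = True name a setting that ties this login to "System Account".
Get-SystemAccountCause | Format-Table Check, Scope, Account, Match -AutoSize
```

If no row matches, the configuration is not the cause and the remaining explanation on this page is the browser reusing the credentials of the logged-on Windows session.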

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange