Question

Right now, I cannot access my Central Admin. (Access Denied) When I run the configuration wizard to rebuild Central Administration, it errors out on Step 5 "Registering SharePoint Services" with an "Access Denied" message. The log file generates the following error:

DATE TIME 12 ERR Task services has failed with an unknown exception
DATE TIME 12 ERR Exception: System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
   at Microsoft.SharePoint.SPGlobal.HandleUnauthorizedAccessException(UnauthorizedAccessException ex)
   at Microsoft.SharePoint.Library.SPRequest.GetListsWithCallback(String bstrUrl, Guid foreignWebId, String bstrListInternalName, Int32 dwBaseType, Int32 dwBaseTypeAlt, Int32 dwServerTemplate, UInt32 dwGetListFlags, UInt32 dwListFilterFlags, Boolean bPrefetchMetaData, Boolean bSecurityTrimmed, Boolean bGetSecurityData, Boolean bPrefetchRelatedFields, ISP2DSafeArrayWriter p2DWriter, Int32& plRecycleBinCount)
   at Microsoft.SharePoint.SPListCollection.EnsureListsData(Guid webId, String strListName)
   at Microsoft.SharePoint.SPListCollection.get_Count()
   at Microsoft.SharePoint.Administration.SPAdministrationWebApplication.get_HealthRules()
   at Microsoft.SharePoint.Administration.Health.SPHealthAnalyzer.RegisterRules(Assembly assembly)
   at Microsoft.Office.InfoPath.Server.Util.HealthAnalyzerRegistration.RegisterHealthRules()
   at Microsoft.Office.InfoPath.Server.Administration.FormsService.Update()
   at Microsoft.SharePoint.PostSetupConfiguration.ServicesTask.InstallServiceInConfigDB(Boolean provisionTheServiceToo, String serviceRegistryKeyName)
   at Microsoft.SharePoint.PostSetupConfiguration.ServicesTask.InstallServices(Boolean provisionTheServicesToo)
   at Microsoft.SharePoint.PostSetupConfiguration.ServicesTask.Run()
   at Microsoft.SharePoint.PostSetupConfiguration.TaskThread.ExecuteTask()

So, let me start by saying that this is NOT a fresh install. This farm has been up for 3+ months.

So, what's recently changed? I was troubleshooting a PowerPivot issue in Central Admin in regards to Claims and Permissions. The last change I remember doing right before I lost my Central Admin was I ran the following command:

$wa = Get-SPWebApplication https://centraladminurl
$wa.MigrateUsers($true)

It was referenced in an article for fixing Claims issues on normal web apps, but for whatever reason I thought it'd be okay to run on my Central Admin, which, I'm almost certain, was using the Windows Authentication Provider last time I checked.

I don't know where to start on troubleshooting this issue. There's not a lot of info that I could find on the above command, but as I understand it, it changes the user values in permission policy from domain/user to claims prefix:domain/user. But, how would this affect my ability to use the Config Wizard?

I don't want to make so many changes to fix one thing just to be fighting all the changes I made later on.


Solution

So, I was able to finally get into Central Admin by using the Central Admin application pool identity. Being that the Authentication Provider for Central Admin was still 'Windows', I had to add the install account and myself back into the permission policy as domain\user, since all users had the i:0#.w| prefix. The install account was then able to run the config wizard past step 5. The only issue I'm having now is trying to revert all my user accounts back to Windows format in the permission policies, because I'm running into issues with clicking certain links in Central Admin (i.e. Configure Service Accounts) returning 'Sorry this page hasn't been shared with you.' I'm fairly certain this is because I now have entries in the permission policy in both Windows and Claims format.

I'm going to try the steps listed in this link tomorrow and let you all know the results: http://sharepointegg.blogspot.in/2011/01/reverting-claim-based-authentication-to.html?m=1

This should revert all the current claims formatted users back to Windows, but will break all the Windows formatted users that I recreated today, so I'll remove these after.
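
The state described in this answer (policy entries carrying the i:0#.w| prefix on a web application whose provider is still Windows, plus accounts re-added in domain\user form) can be listed before anything is reverted. The following read-only audit is an added example, not part of the original post; it assumes the SharePoint Management Shell on a farm server, and the variable names and output layout are illustrative.

```powershell
# Added example: read-only audit of the Central Administration permission policy.
# It changes nothing in the farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Locate the Central Administration web application.
$wa = Get-SPWebApplication -IncludeCentralAdministration |
    Where-Object { $_.IsAdministrationWebApplication }

# The format that policy entries should have for this web application.
$expected = if ($wa.UseClaimsAuthentication) { 'Claims' } else { 'Windows' }
"Central Admin URL      : $($wa.Url)"
"Expected login format  : $expected"

# Classify every policy entry by the format of its login name.
$entries = foreach ($p in $wa.Policies) {
    # Claims-encoded names start with i: or c:, e.g. i:0#.w|domain\user
    $format = if ($p.UserName -match '^[ic]:0.\..\|') { 'Claims' } else { 'Windows' }
    New-Object PSObject -Property @{
        UserName = $p.UserName
        Format   = $format
        # Strip the Windows-claims prefix so both forms compare as domain\user.
        Account  = ($p.UserName -replace '^i:0#\.w\|', '').ToLowerInvariant()
        Roles    = ($p.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ', '
    }
}
$entries | Sort-Object Account, Format |
    Format-Table UserName, Format, Roles -AutoSize

# Entries whose format does not match the web application's provider.
"`nEntries not in $expected format:"
$entries | Where-Object { $_.Format -ne $expected } |
    Format-Table UserName, Roles -AutoSize

# Accounts that exist in both Windows and Claims format at the same time.
"`nAccounts present in both formats:"
$entries | Group-Object Account | Where-Object {
    @($_.Group | ForEach-Object { $_.Format } | Select-Object -Unique).Count -gt 1
} | ForEach-Object { $_.Name }
```

Saving the output before and after the revert gives a record of which policy entries changed format and which duplicates still need to be removed.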

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange