Access Denied only to Project Web Access

[Rick L. Martin]

We are running the demo ProjectServer2007 all on one server. I have set it
up literally 10 times now, all with the same issues. I set it up using
Kerberos, making sure to set the SPN's and account delegate permissions as
all the instructions say out there (another question, should I use Kerberos
or just NTLM?). So, this single Windows 2003 server is also a domain
controller in our Windows 2003/2008 domain environment (one DC is 2008 and
this one is 2003).

So this server is running SQL 2005, Windows 2003 as a domain controller, and
then the install for Project Server 2007 which includes SharePoint Server. I
get it all setup using just a SQL Services account that all SQL services
start under, a ServerFarm account for install and setup and Shared Services,
an Application Pool account, and a Search/Crawler account.

All the website works great based on permissions of each application
websites, the main team website works, the SharePoint Admin website works,
the main Central Admin website works. I can access all these sites as my
personal domain account, which is a domain admin and set as an additional
admin under each one of those sites, all which looks to be using Kerberos
when looking at the security logs on that server.

So now I setup the PWA site, which only asks for one account during setup
which is the administrator of the Project Web Access server. First off,
which should that account be???? Because it seems that the only account that
can ever access the PWA, is the account that I put here during setup. If I
set the domain administrator, then that account can access it and my personal
account gets access denied at the PWA, even when I go to the PWA site
settings and add my personal domain account as an admin with full rights.

If I recreate the PWA (or create another one) and put my account as the
administrator during setup, then I can access it just fine and the domain
admin cannot. What's the deal???

I also noticed that the main server farm account in SQL has dbowner access
in the SQL databases for those Project databases, but there is also a role
called ProjectServerRole but with no account having access to that role. If
I try and give the server farm account access to that role, I get a SQL
server account error that I cannot change the dbo. Please help!

 

[Rick L. Martin]

Also, when I do try and access the Project website from my personal account,
I get the following error in the event logs on the server.

Failed to get language information for Project Server (http://team/pwa)

 

[Ben]

Hi Rick,
The only account that will let you log in after the intial installation is
the administrator account that you type in when you create the Project Web
Access site - so that account should be whoever is going to be the PMO
adminstrator; in your case I would set it to your personal AD account. Then,
you can add other users to the system, and you can choose to give them
Administrator access, or PM access, or Team Member access according to their
role in your organisation.

 

[Marc Soester [MVP]]

Hi Rick,

Ben has already given you the right answer, I just wanted to add that
somethimes organisations use the service account by mistake when thery
install Project Server. If you cant find out what your admin account is, you
may want to try the service account.
Hope this helps

 

[Rick L. Martin]

Yes, as I mentioned, I already logged into the PWA, went to its Site
Settings, and added the permissions there. I added my account as a Full
Control and a Project Owner Administrator, even added it as one of the
Website Admins, and it doesn't work. I added Domain Users and even
Authenticated Users with access, and still no go.

 

[Ben]

Hi Rick,

You are attempting to do this via Site Settings, and this is not correct.
Project Server permissions and users are set via the following method..

Login into Project Web Access
Click on Server Settings (in the links menu).
Click on Manage Users, and add a New User there. Don't set individual
permissions, but add the users to the relevant groups. You can create new
groups and categories as appropriate.

In the 1st instance I would just add your AD account to the administrators
group.

 

[Rick L. Martin]

HAHAHA!! Oh my goodness!!!!! I have been uninstalling, reinstalling,
reading forums and hints and documents for literally a week, and this is how
easy it was! THANK YOU VERY MUCH!!!! I feel like a total idiot now. Thanks
again!

One more question, I have read some about the Active Directory sync and now
see that option in here. Should I set that up? I currently don't have any
"MS Project" related groups setup in Active Directory. Do I need to setup
groups first like a Read Only group, Project Manager group and so on in AD,
before even coming in here into the Project Management and setting those
groups? Cause, my Domain Users group only consists of all active users in
the company, all of which would need at least Read Only access. Can I set
the Domain Users group as Read Only, and then create additional Project
groups for more high-level access?

 

[Ben]

Hi Rick,
Glad that fixed it.

Synchronisation works on two levels, the 1st for enterprise resources, and
the 2nd for groups and permissions. Can I suggest you read this
http://technet.microsoft.com/en-gb/library/cc197530 in the 1st instance, and
then you may want to create a group which you synch your AD to. Note that
you'll need to the relevant licences for each user, and depending on the size
of your AD, this may or may not be a good idea.