PowerShell SharePoint 2016 CSOM 403 forbidden error

So new to CSOM and wanting to know if I am coding something wrong or where I need to look to resolve this issue. Or even if there is a SharePoint 2016 security setting that needs to be enabled for CSOM to work.

Also note, authentication is via Claims Authentication on the site it doesn’t work on.



    Add-Type -Path 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\ISAPI\Microsoft.SharePoint.Client.Runtime.dll'
    Add-Type -Path 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\ISAPI\Microsoft.SharePoint.Client.dll'

    $SharePointSite = 'https://Sharepointsite/sites/sitename'
    $SharePointGroup = 'Test Group'
    $Creds = Get-Credential

    $SPContext = New-Object Microsoft.SharePoint.Client.ClientContext("$SharePointSite")
    $SPContext.Credentials = $Creds

    $SPGroups = $SPContext.Web.SiteGroups
    $SPContext.Load($spGroups)
    $SPGroups = $SPGroups.GetByName("$SharePointGroup")
    $SPContext.Load($SPGroups)
    $SPContext.ExecuteQuery()
    $SPGroups.Title

On my test site, which is http://sharepointsite/site/testsite, it works fine and finds the group.

On the root of the test site, https://sharepointsite/ it works and returns no group found.

On another site under the same root http://sharepointsite/sites/othersite it fails with “Access denied” but I don’t have access to that site.

When I test to an https://sharepointsite2 or https://sharepointsite2/site/testsite I get “403 Forbidden”, but I have full access to sharepointsite2 root, sites, and central admin.

403 FORBIDDEN code posting to list

I am trying to post to a list with a custom form. Each time I try to submit my form, the console prints out a “403 FORBIDDEN” error. I have Site Collection Admin rights for the entire site. Here is my code:


Onboard Date:

No Yes

    $(function () {
        bindButtonClick();
    });

    function bindButtonClick() {
        $("#btnSubmit").on("click", function () {
            addListItem();
        });
    }

    function addListItem() {
        var title = $("#txtTitle").val();
        var position = $("#position").val();
        var date = $("#datePicker").val();
        var oCheck = $("#choiceO").val();

        var fullUrl = "site/_api/web/lists/GetByTitle('FormDemo')/items";

        $.ajax({
            url: fullUrl,
            type: "POST",
            data: JSON.stringify({
                '__metadata': { 'type': 'SP.Data.FormDemoListItem' },
                'Title': title,
                'Position': position,
                'OnboardDate': date,
                'O': oCheck
            }),
            headers: {
                "accept": "application/json;odata=verbose",
                "content-type": "application/json;odata=verbose",
                "X-RequestDigest": $("#__REQUESTDIGEST").val()
            },
            success: onQuerySucceeded,
            error: onQueryFailed
        });
    }

    function onQuerySucceeded(sender, args) {
        $("#divResult").html("Item successfully added!");
    }

    function onQueryFailed() {
        alert('Error!');
    }

Pen test results for web application include a file from a forbidden directory that is not even used or referenced

In a recent pen test of a web application one of the issues found was a ‘backup file’. This was a javascript file that was renamed to filename.js1 when an updated version of filename.js was uploaded.

The ‘backup file’ lives in a directory with forbidden listing and is not referenced or used anywhere in the application.

How did they find this file?
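A forbidden directory listing only hides the index; a file such as filename.js1 is still served when it is requested by name. The script below is an added example, not part of the original post, that audits a web root for copies left beside the file they were renamed from. The function name `find_leftover_copies` and the suffix list are assumptions.

```shell
#!/bin/sh
# Added example: list files in a web root that look like renamed copies of a
# sibling file, e.g. filename.js1 next to filename.js.
# Heuristic only: legitimate pairs such as app.js / app.jsx are also reported,
# and file names containing newlines are not handled.

find_leftover_copies() {
    root=$1
    find "$root" -type f | sort | while IFS= read -r f; do
        dir=${f%/*}
        name=${f##*/}
        # Candidate originals: the name minus its last character
        # (filename.js1 -> filename.js, page.php~ -> page.php) and the name
        # minus a trailing .bak / .old / .orig extension.
        for cand in "${name%?}" "${name%.bak}" "${name%.old}" "${name%.orig}"; do
            [ -n "$cand" ] && [ "$cand" != "$name" ] || continue
            # Require the candidate to keep an extension, to limit noise.
            case $cand in *.*) ;; *) continue ;; esac
            if [ -f "$dir/$cand" ]; then
                printf '%s (copy of %s)\n' "$f" "$cand"
                break
            fi
        done
    done
}

# Stand-alone use: sh script.sh /var/www/html
if [ "$#" -gt 0 ]; then
    find_leftover_copies "$1"
fi
```

Anything it reports should be moved out of the served tree rather than renamed in place.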

403 Forbidden Error Apache2 Ubuntu (Tried everything and all solutions I’ve read.)

I know that this has been posted about A TON, but I have spent the last day scouring through answers, trying everything and nothing is working. I’ve changed permissions, I’ve looked into the Apache2 logs, I’ve altered configuration files, and I’m still getting the 403 forbidden error. Here are the apache2. My html files are in /var/www/html

I’m not completely sure, but I do recall troubles starting after trying to create user directories using: sudo a2enmod userdir

Inside the Apache error logs, the only thing on there that could be leading to something is this:

    (13)Permission denied: [client myip] AH00035: access to /folder/data/index.html denied (filesystem path '/var/www/html/folder/data/index.html') because search permissions are missing on a component of the path

In my /etc/apache2/sites-available/000-default.conf, I added the following at the very end:

    <Directory /var/www/html>
        AllowOverride All
    </Directory>

In my apache2.conf I have the following:

    <Directory />
        Options FollowSymLinks
        AllowOverride None
        Require all denied
    </Directory>

    <Directory /usr/share>
        AllowOverride None
        Require all granted
    </Directory>

    <Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride ALL
        Require all granted
    </Directory>

    <Directory /var/www/html>
        Options Indexes FollowSymLinks
        AllowOverride ALL
        Require all granted
    </Directory>

Again, I'm VERY sorry that I needed to make this thread, but I don't want to continue to copy and paste solutions that could do more harm than good.
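The AH00035 line above refers to the execute ("search") bit on each directory along the filesystem path, not to the `Require` directives. The following check is an added example, not part of the original post: it walks a path component by component and reports every directory without that bit for "other". It assumes GNU `stat` and that the Apache user (www-data on Ubuntu) is neither owner nor group member of the directories; the function name `missing_search_bits` is hypothetical.

```shell
#!/bin/sh
# Added example: report each directory on a path that lacks the execute
# ("search") bit for "other", which is what AH00035 complains about.
# Assumption: the web server user is neither owner nor in the group of these
# directories, so only the "other" permission bits apply to it.
# Requires GNU stat (coreutils), as shipped on Ubuntu.

missing_search_bits() {
    target=$1
    current=""
    found=0
    # Split the absolute path on "/" into positional parameters.
    old_ifs=$IFS
    IFS=/
    set -f
    set -- $target
    IFS=$old_ifs
    set +f
    for part in "$@"; do
        [ -n "$part" ] || continue
        current="$current/$part"
        [ -d "$current" ] || continue          # skip the final file itself
        mode=$(stat -c '%a' "$current") || continue
        other=${mode#"${mode%?}"}              # last octal digit = "other" bits
        if [ $((other & 1)) -eq 0 ]; then
            printf '%s mode=%s: no search (x) bit for other\n' "$current" "$mode"
            found=1
        fi
    done
    return "$found"
}

# Stand-alone use: sh script.sh /var/www/html/folder/data/index.html
if [ "$#" -gt 0 ]; then
    missing_search_bits "$1"
fi
```

The function returns 1 when at least one directory is reported, so it can gate a deployment check.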

App Step Forbidden error message – updating permissions group SP Designer 2013

When I try to run a Designer 2013 workflow with an App Step, I get the following results from my log:

    7/25/2019 4:20 PM HRO ID: i:0#.f|membership|bob@bob.gov
    7/25/2019 4:20 PM {"__metadata":{"type":"SP.User"},"LoginName":"i:0#.f|membership|bob@bob.gov"}
    7/25/2019 4:20 PM ***User Add Response Code: Forbidden

I have configured my site to allow App Steps – I can create them in my Designer workflows and publish them successfully. I know the URL I’m passing the REST call is correct because if I paste the URL directly into my browser, I get a successful result showing me the actual members of the permissions group I’m trying to update.

What should I be looking at in configurations to remedy this?

Apply-PnPProvisioningTemplate (403) Forbidden, There is no Web named “/SiteURLName/_vti_bin/sites.asmx”

We use Powershell and PNP to create sites and apply tenants. I’ve had pauses coded into the script to allow time for commands to complete in the past. Lately we’ve encountered the “(403) Forbidden” error much more frequently and even waiting overnight sometimes is not long enough before we can apply the PNPTemplate to the new site. I’ve also noticed this difference depending on authentication:


  1. Why are we consistently getting the 403 Forbidden error?
  2. Why does -weblogin result in a different error of “There is no web named /testcommnew1/_vti_bin/Sites.asmx”, even though the asmx page does exist as shown below?


ClientContext giving 403 Forbidden error

I am hosting my site in Azure

Azure and Office 365 have same account detail. But when I am using the following code it’s giving 403 error.

Also while accessing Azure site I already logged in Office 365 then also not able to take ClientContext. As I am aware it’s SSO by Azure & Office 365.

    try
    {
        var siteUrl = "https://Office365Site";
        using (var clientContext = new ClientContext(siteUrl))
        {
            clientContext.Load(clientContext.Web, web => web.Title);
            clientContext.ExecuteQuery();
            Response.Write(clientContext.Web.Title);
        }
    }
    catch (Exception ex)
    {
        Response.Write(ex.Message);
    }

Please help in this issue.

400 Bad Request “Forbidden”

I am testing Jasmin using the demo version and have already created the application and the corresponding subscription in nitrogen.

Using the Postman examples from the GitHub repository, I can already obtain the “client credentials” access token.

But when I try to use other endpoints, for example /billing/invoices, which is also available in the Postman samples, I always receive a 400 Bad Request with message: “Forbidden”.

I am using Authorization in the form of a Bearer Token.

Here is the body:

    GET /api/xxxxxx/xxxxxx-yyyy/billing/invoices HTTP/1.1
    Host: my.jasminsoftware.com
    Content-Type: application/x-www-form-urlencoded
    Authorization: Bearer zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
    User-Agent: PostmanRuntime/7.15.0
    Accept: */*
    Cache-Control: no-cache
    Postman-Token: d0c5a19c-5448-4c19-b565-f09d80b7b883,3b40913b-1254-4e82-9370-4a9d0e49974d
    Host: my.jasminsoftware.com
    accept-encoding: gzip, deflate
    Connection: keep-alive
    cache-control: no-cache

What could be wrong or missing?