The background of this question is that my current task is to develop an application page which enables users to create site collections. The properties of the site collection are read from a list item. My solution works in most cases. However, there is one configuration of application pool identities where it throws an access denied and I'd like to understand why this is happening.
A (very) stripped-down version of my code looks like this:
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;
SPSecurity.RunWithElevatedPrivileges(delegate
{
    try
    {
        SPWebApplication webApp = this.Web.Site.WebApplication;
        SPSiteCollection siteColl = webApp.Sites;
        SPSite newSite = siteColl.Add(mngPath + siteUrl, siteName, siteDesc, LocaleId,
                                      null, primarySiteAdmin, String.Empty, String.Empty);
    }
    catch (UnauthorizedAccessException)
    {
        throw; // thrown with the identity combination described below
    }
});
The UnauthorizedAccessException is thrown when the identities are set as follows:
SharePoint Central Administration v4 --> localdomain\adminaccount
SharePoint - 80 --> NetworkService
All other combinations of NetworkService and domain\adminaccount do work. Does someone have an explanation for that?
UPDATE
I guess that you have to run your SharePoint app pool using the same user as the Central Administration app pool in order to have sufficient rights on the DB. But that still does not explain why it works under the following configuration:
SharePoint Central Administration v4 --> NetworkService
SharePoint - 80 --> localdomain\adminaccount
BTW, another question on SA provides a solution (and some more details of the problem). See Permission to provision new site collection through workflow.
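The variant of the snippet above that is usually recommended for this situation, written here as an added example rather than the asker's code: the SPSite is re-opened inside the elevated delegate, because an SPSite or SPWeb obtained outside the delegate (this.Web.Site) keeps the requesting user's security context even when used inside it, and the identity that actually attempted the operation is recorded when access is denied. The parameter names (siteId, mngPath, siteUrl, ...) are assumed to match those in the question.

```csharp
using System;
using System.Security.Principal;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

// Creates a site collection under the application pool identity.
// siteId is the ID of the current site collection (this.Web.Site.ID), captured
// before elevating so that no object from the user's context is reused inside.
// The remaining parameters mirror those in the question (assumed names).
static void CreateSiteCollectionElevated(Guid siteId, string mngPath, string siteUrl,
    string siteName, string siteDesc, uint localeId, string primarySiteAdmin)
{
    SPSecurity.RunWithElevatedPrivileges(delegate
    {
        // Re-open the site collection here: objects created outside the delegate
        // (this.Web, this.Web.Site) still carry the original user's token.
        using (SPSite elevatedSite = new SPSite(siteId))
        {
            SPWebApplication webApp = elevatedSite.WebApplication;
            try
            {
                // Same 8-parameter overload as in the question: url, title,
                // description, LCID, template, owner login, owner name, owner e-mail.
                SPSite newSite = webApp.Sites.Add(mngPath + siteUrl, siteName, siteDesc,
                    localeId, null, primarySiteAdmin, String.Empty, String.Empty);
                // Add() returns an SPSite the caller owns, so dispose it.
                newSite.Dispose();
            }
            catch (UnauthorizedAccessException ex)
            {
                // Inside the delegate this is the app pool account; comparing it
                // with the configured identities shows which account lacked rights.
                string identity = WindowsIdentity.GetCurrent().Name;
                throw new InvalidOperationException(
                    "Site collection creation failed while running as " + identity, ex);
            }
        }
    });
}
```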