Showing posts with label Administration. Show all posts

Monday, June 30, 2008

Access denied when trying to open a site when on the server

I just wasted half a day trying to figure out why some feature code was not working.
The feature code used HTTPRequest to get a file from the layouts folder - and kept failing with “Access Denied”.
It also turned out that when I logged on to the server I couldn't browse to the site - it asked me for credentials all the time.
After wasting a long time debugging and troubleshooting, this support article saved the day - a little registry change and everything works.

Thursday, May 08, 2008

Access denied when trying to get to shared services

In the last couple of days a person next to me was trying to install SharePoint and failing every time with the shared services. After setting up the shared services, he couldn't open the shared services site - it would "access denied" him, no matter what account he tried to log on as (and we even tried the application pool account).
We immediately suspected that Kerberos wasn't configured correctly, that we didn't give enough local permissions for a system account or that some metaphysical entity just hates us sooo much.

Today I sat with the guy and watched him configure everything correctly. Still - access denied. Damn!
I turned to my trusty friend google, typed "sharepoint ssp access denied" in the search box and the second result had not only a workaround - but also an explanation why it happened and how to avoid it in the future.
So first of all - thank you Faraz for finding a work around, but more importantly - thanks to Scott who wrote the following in the comments:
"DO NOT call your SSP the same name as the AppPool you use for the SSP Admin Site.
The SSP actually uses its name to create an AppPool for use under the Office Search site.
If your SSP Admin AppPool is the same name then MOSS sets it to use the timer svc account.
If you're hosting then call the SSP Admin AppPool 'Company - SSPAdmin' and the actual SSP 'Company - SSP'. This will stop MOSS clobbering the accounts."

This was exactly what we did wrong! We created a new SSP and this time made sure the SSP name is different from the application pool name, and here we go! ready to start.
So, if you are the Scott who wrote that comment - I thank you.

Wednesday, October 10, 2007

Email Alerts not getting sent, while other emails are

Had this recently at a customer's - the server would send emails if you added a user to a site, or if you registered for an alert - you'd get the email saying the alert was activated. But when someone added an item to the list, you didn't get the email for the alert.

Looking in the Timer Job Status list in central admin showed that we had two front end servers, and on one of them the "Immediate Alerts" job was always on "failed". After much research and head banging, a colleague of mine suggested I look into the relay settings of the SMTP server.
When I opened the relay settings I found to my surprise that the IP addresses that were configured to allow relay did not include the IP address for one of the front end servers. Adding that IP address resolved the problem.

Now the alerts are working, but for some reason the "Send e-mail when ownership is assigned" on a task list is not working. Wish I knew how to fix that...

Monday, August 20, 2007

How to remove farm administrators permissions from a site?

A friend asked me how can we remove farm administrators from having permissions on a specific site. Removing the permissions from the site collection and the site itself just did not work - the users who were farm admins could still browse the site and do whatever they want to it.
The answer was that in central admin, under "applications" there is a link: "Policy for web application" which allows you to set permissions at the web application level. It turns out that the farm admins have full permissions there for the application, and until you remove them from there, they will be able to go into any site in the web application.

Hotfix lets you store WSS data outside of SQL

If you missed this, give the following KB article a read. It is short, and to the point - a new hotfix is out that lets you store WSS data on external storage - out of SQL.
KB938499

Thursday, March 15, 2007

Object model code and stsadm fail with "Access Denied"

This frustrated me when I was trying to use my utility pack on a server that I had local admin rights on. Every time the utility pack tried to do something in code that involved sharepoint (like SPSite site = new SPSite(path)) I got an access denied error, even though I was an admin of the site as well!
I then noticed that it's not just the utility pack that is not working. Backup would fail with similar errors, and stsadm would not install my solutions. Access Denied! Access Denied! Access Denied!
arrrrgghhhhh!

After some research I came to the conclusion that direct SQL permissions are required for the user who is running the sharepoint code. For web parts, event handlers and workflows this is usually the application pool user who is given permissions on the SQL databases directly when you create the web application. But if you want to run a console application or a windows application like mine, or if you want to do actions like backup or installations using stsadm, you still need to have those rights.

My theory got confirmed a couple of days ago in the msdn forums, in a post where someone asked about a similar problem and I replied with what I knew. Pat Miller from Microsoft replied to affirm my theory and said "If you run code in the context of the web site, the account that the web server is running has access to the SQL box. When the system needs access to SQL, it can revert to the process account (which has rights). However if you are running from a command line, there is no underlying account that can be reverted to. Instead, the account running the operation has to have access to the appropriate resources."

I asked him about least privileges needed by an account to run server code, but he couldn't give me specifics, so this is still open. I worked with my DBA and he concluded that "Datareader/datawriter provide the ability to access/update any table in the DB. It appears that the scripts also call on stored procs and this is why the db_owner rights were required.". He adds that we could try to trim down the permissions for the user and find the least privileges, but we both don't have the time to do that right now.

I wonder if anyone else knows what minimum set of rights are required to run code on the server (and stsadm of course).
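
One way to see which database rights an account actually holds before trimming them down, as an added example that is not part of the original post: the T-SQL below, run by a DBA inside each SharePoint database, lists the account's direct role memberships and then the effective permissions SQL Server reports for it. The login name `CONTOSO\stsadm_operator` is a placeholder.

```sql
-- Added example: audit what an account that runs stsadm or object model
-- code from the command line can do in the current SharePoint database.
-- Run once per database (configuration and each content database).
DECLARE @login sysname;
SET @login = N'CONTOSO\stsadm_operator';   -- placeholder account name

-- 1. Database roles the login's database user is a direct member of.
--    Membership inherited through a Windows group is not listed here,
--    because the group, not the user, is the role member.
SELECT dp.name AS database_user,
       rp.name AS database_role
FROM sys.database_principals AS dp
JOIN sys.database_role_members AS drm
     ON drm.member_principal_id = dp.principal_id
JOIN sys.database_principals AS rp
     ON rp.principal_id = drm.role_principal_id
WHERE dp.sid = SUSER_SID(@login);

-- 2. Effective rights, evaluated as the account itself.
--    Needs IMPERSONATE permission on the login (sysadmin has it), and the
--    login must be able to access this database or EXECUTE AS fails.
EXECUTE AS LOGIN = @login;

-- Role checks from the account's own security context; these also
-- reflect membership gained through Windows groups.
SELECT IS_MEMBER('db_owner')      AS is_db_owner,
       IS_MEMBER('db_datareader') AS is_db_datareader,
       IS_MEMBER('db_datawriter') AS is_db_datawriter;

-- Database-level permissions relevant to the DBA's remark in the post:
-- table access (SELECT/INSERT/UPDATE/DELETE) versus running stored
-- procedures (EXECUTE) versus full control of the database (CONTROL).
SELECT permission_name
FROM fn_my_permissions(NULL, 'DATABASE')
WHERE permission_name IN
      ('SELECT', 'INSERT', 'UPDATE', 'DELETE', 'EXECUTE', 'CONTROL')
ORDER BY permission_name;

REVERT;   -- return to the DBA's own security context
```

Comparing the output for an account that works with one that gets "Access Denied" shows which of these rights the failing account is missing.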

Sunday, November 26, 2006

Plan for administrative and service accounts [Office SharePoint Server]

Ran across this great technet article explaining exactly what accounts you will need to set up sharepoint in production, and what level of permissions to give each one.
http://technet2.microsoft.com/Office/en-us/library/f07768d4-ca37-447a-a056-1a67d93ef5401033.mspx?pf=true