Super User and Super Reader accounts

The Portal Super User and Portal Super Reader accounts are used for caching objects in SharePoint and are heavily used by the publishing feature. By default, out of the box, the Portal Super User account is the site’s System Account, and the Portal Super Reader account is NT Authority\Local Service. Microsoft's recommendation is not to use these out-of-the-box accounts and to replace them by creating your own Portal Super User and Portal Super Reader accounts.

Important
The Portal Super User and Portal Super Reader accounts must be separate accounts, and they must not be accounts that will ever be used to log in to the site.

When completing the setup for these accounts, you must reset Internet Information Services (IIS) to apply the changes to the web application.

Setup
These steps need to be executed carefully, or they can cause the site to stop working and users can get the “Something went wrong” error page. This setup is a three-step process that needs to be followed in this sequence.

  1. Create two AD accounts, SP_[yourfarmname]_SuperReader and SP_[yourfarmname]_SuperUser. Each should be an account that never expires and doesn’t need to enter a new password at first logon.
  2. Add the accounts to the Application User Policy using Central Admin
    • Verify that the user account that is performing this procedure is a member of the Farm Administrators group on the computer that is running the SharePoint Central Administration website.
    • In Central Administration, in the Application Management section, click Manage web applications, and then click the name of the web application that you want to configure.
    • On the Web Applications tab, in the Policy group, click User Policy.
    • In the Policy for Web Application window, click Add Users.
    • From the Zones list, select All zones, and then click Next.
    • In the Users box, type the user name for the Portal Super User account and then click Check Names to ensure that the account name can be resolved by the authentication providers on the application server.
    • In the Choose Permissions section, check the Full Control – Has full control box and then click Finish.
    • Repeat Steps 5 through 7 for the Portal Super Reader account.
    • In the Choose Permissions section, check the Full Read – Has full read-only access box.
    • Click Finish.
    • Make note of how the names for the Object Cache Super Reader and Object Cache Super User accounts are displayed in the User Name column. The displayed strings will be different depending on whether you are using claims authentication for the web application.
  3. Assign the super user and super reader accounts to SharePoint’s application attributes using PowerShell
      • All PowerShell commands need to be performed with elevated admin rights either with SharePoint Management Shell or .
      1. Paste the following code into a text editor, such as Notepad:
      $wa = Get-SPWebApplication -Identity "<WebApplication>"
      $wa.Properties["portalsuperuseraccount"] = "<SuperUser>"
      $wa.Properties["portalsuperreaderaccount"] = "<SuperReader>"
      $wa.Update()
      
      2. Replace the following placeholders with values:
      • <WebApplication> is the name of the web application to which the accounts will be added.
      • <SuperUser> is the account to use for the Portal Super User account as you saw it displayed in the User Name column mentioned in Step 11 of the previous procedure.
      • <SuperReader> is the account to use for the Portal Super Reader account as you saw it displayed in the User Name column mentioned in Step 11 of the previous procedure.
      • !! Reset Internet Information Services (IIS).
        !! Copy and paste your super reader and super user accounts from the Application User Policy created in step 2, including the claims prefix, into the PowerShell commands; sometimes the account name will be truncated.
    • i:0#.w|na\sp_superreader******
    •  i:0#.w|na\sp_superuser*********
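clear
# Load the SharePoint cmdlets when not running in the SharePoint Management Shell
Add-PSSnapin Microsoft.Sharepoint.Powershell
$wa = Get-SPWebApplication http://stage-yourdomain.com
# Show the current property values before changing anything
$wa.properties

# Set the accounts exactly as displayed in the User Policy, claims prefix included
$wa.Properties["portalsuperreaderaccount"] = "i:0#.w|na\sp_superreader***"
$wa.Update()
$wa.Properties["portalsuperuseraccount"] = "i:0#.w|na\sp_superuser****"
$wa.Update()

# reset: uncomment the next two lines to clear both properties

#$wa.Properties["portalsuperuseraccount"] = "" 
#$wa.Properties["portalsuperreaderaccount"] = "" 
$wa.update() 
$wa.properties

# Restart IIS to apply the changes
iisreset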
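
A check for the copy-and-paste mistakes described above (missing claims prefix, truncated name, one account used for both roles), meant to be run before iisreset. This is an added example, not code from the original post or from Microsoft's documentation; the function name Test-ObjectCacheAccounts, the contoso\sp_farm1_* account names and the sample data are constructed for illustration.

```powershell
# Added example. Compares the two object cache properties with the web
# application's user policy entries. Function name and sample data are constructed.
function Test-ObjectCacheAccounts {
    param(
        [hashtable]$Properties,   # $wa.Properties, or a copy of it
        [object[]]$Policies       # objects with UserName and Roles (policy role type names)
    )
    $expected = @{
        portalsuperuseraccount   = 'FullControl'
        portalsuperreaderaccount = 'FullRead'
    }
    $findings = @()
    foreach ($key in $expected.Keys) {
        $account = $Properties[$key]
        if ([string]::IsNullOrWhiteSpace($account)) {
            $findings += "$key is not set"
            continue
        }
        # The value must match the policy's User Name string, claims prefix included.
        $policy = $Policies | Where-Object { $_.UserName -eq $account }
        if (-not $policy) {
            $findings += "$key = '$account' has no matching user policy entry"
        } elseif ($policy.Roles -notcontains $expected[$key]) {
            $findings += "$key = '$account' lacks the $($expected[$key]) policy role"
        }
    }
    $su = $Properties['portalsuperuseraccount']
    if ($su -and $su -eq $Properties['portalsuperreaderaccount']) {
        $findings += 'Super User and Super Reader are the same account'
    }
    return ,$findings
}

# Constructed sample: the reader name was pasted without its claims prefix.
$props = @{
    portalsuperuseraccount   = 'i:0#.w|contoso\sp_farm1_superuser'
    portalsuperreaderaccount = 'contoso\sp_farm1_superreader'
}
$policies = @(
    [pscustomobject]@{ UserName = 'i:0#.w|contoso\sp_farm1_superuser';   Roles = @('FullControl') }
    [pscustomobject]@{ UserName = 'i:0#.w|contoso\sp_farm1_superreader'; Roles = @('FullRead') }
)
Test-ObjectCacheAccounts -Properties $props -Policies $policies

# On a farm server, pass the live values instead (mapping shown is this example's choice):
#   $policies = $wa.Policies | ForEach-Object { [pscustomobject]@{ UserName = $_.UserName
#       Roles = @($_.PolicyRoleBindings | ForEach-Object { "$($_.Type)" }) } }
#   Test-ObjectCacheAccounts -Properties $wa.Properties -Policies $policies
```

An empty result means both properties are set, differ from each other, and each matches a policy entry with the expected role.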
Ref :

https://docs.microsoft.com/en-us/sharepoint/administration/configure-object-cache-user-accounts