11 Replies Latest reply: Dec 6, 2007 2:27 PM by Patrick Gibson
Garrett Murray Level 1 Level 1 (125 points)
I'm getting this error all the time in iCal when trying to use our shared iCal server:

Access to "Test Meeting Item" in "Meetings" in account "Our Organization" is not permitted.

The server responded:
"HTTP/1.1 403 Forbidden"
to operation CalDAVScheduleEventQueueableOperation.

This happens whenever I try to copy/paste an event from a local calendar to a shared calendar, it also happens when trying to delete an item. Sometimes it also happens when trying to just plain add one.

24-inch iMac, 8GB RAM, Mac OS X (10.5)
  • Maximilian Reiss Level 1 Level 1 (20 points)
    Is "Meetings" a wiki calendar? These have limited access rights.
  • Garrett Murray Level 1 Level 1 (125 points)
    "Meetings" is a calendar I created in iCal.

    I added the account and then added a new calendar to my account.
  • jbaty Level 1 Level 1 (0 points)
    Same problem/error here. Could someone perhaps explain "limited access rights" because it seems that the error is telling me that the group calendar that I created owned by a group I belong to is not accessible. I doubt that is actually what's wrong, but who knows!
  • Tim_McManus Level 2 Level 2 (155 points)
    Try shutting down the iCal Server and restarting it from Server Admin. Also, look at the Console logs and the Kerberos logs when you try to do this. What do the iCal Server logs say?

    I suspect this is having an issue with the security layer in OS X Server. Could be a number of things causing it.
  • jbaty Level 1 Level 1 (0 points)
    There's this in the caldavd error.log...

    [caldav-8009] [AMP,client] 'Originator: /principals/_uids_/59335D94-573D-4F60-A419-3E77C0FE28F2/ does not match authorized user: /principals/_uids_/940FEC71-435F-4204-B7D2-363F557B19D7/

    And this in the caldavd access.log...

    POST /calendars/groups/staffgroup/outbox/ HTTP/1.1" 403 135 "-" "DAVKit/2.0 (10.5.1; wrbt) iCal 3.0.1" [52.1 ms]

    Doesn't really help me, but certainly suggests permissions are in fact an issue.
  • Tim_McManus Level 2 Level 2 (155 points)
    It looks like a permissions error. Shut down the Web service and then the iCal Server. Restart the Web service and then the iCal Server.

    That might flush the cache on each service and force it to reauthenticate against the Kerberos/Password Service.

    Take a look at the Kerberos logs and the Password Server logs. You might see similar entries with matching date/times. If so, then it's a permissions error rooted in each services' inability to authenticate against the Password Service.

    Just a hunch.
  • Dr Fred Level 1 Level 1 (10 points)
    Make sure delegation is set correctly. Under the accounts section of iCal, click on the group account you have addded, select delegation and you can set who can edit the calendar(s) via iCal (click "manage access to my account"). I had the same, even though you could edit them via the wiki with no problem, and setting this solved it.
  • jbaty Level 1 Level 1 (0 points)
    Thanks for the help everyone. Unfortunately, nothing I've tried in response has fixed the problem. It's only when inviting other users that this happens. I'll keep trying!

  • Patrick Gibson Level 1 Level 1 (95 points)
    Here's what I did to get it to work:

    Add a new account in your iCal. The server URL should be something like "http://myserver.com:8008/principals/groups/groupname/". Once you've added that, go into Delegation tab, and click on the "Edit..." list. Add yourself and whoever else you want to the list. If you select your main iCal account now, you should see the shared calendar pop up under that account's Delegation tab, and check the box to show it your in iCal source list. Remove the second account you just added, as you don't need it anymore.

    You should now have a "Delegates" section in your iCal source list with this shared calendar, and you should be able to make whatever changes you need to it.

    This seems like a really round-about way to get this to work, and I can't figure out why there's not some tool on the server to properly set the permissions for calendars.

    So far, I am underwhelmed with Leopard Server. I truly expected everything to +just work+, and so far that has not been the case with a lot of stuff. I hope Apple does some proper testing of their "enterprise" product so that they can fix everything to meet the expectation of Mac administrators.

  • jbaty Level 1 Level 1 (0 points)
    Patrick I think you're on to something! I never checked the "show" button for the calendar. I was just able to invite people to the calendar listed under Delegates. I'll find out if it actually worked tomorrow.

  • Patrick Gibson Level 1 Level 1 (95 points)
    I found one problem with the Delegate calendars: you cannot sync them with your iPhone . I've instead created an iCal account for each group calendar as I described in order to set the delegates. The real bummer though is that you cannot set one of these shared calendars as the default calendar into which events created from the iPhone go. iTunes only lets you set local calendars for this. Apple really needs to make the extra effort so that business users can truly use an Apple solution for managing their lives.